X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fimport%2Fimport-raw.c;h=8d99f1085cb1111519dcd0db29b4fa8760c9543e;hb=1433efd219a6df414a1821b3d3d70d86201ed3e4;hp=67c805ed47e3b85df13d1db1f322a148ecbd37f6;hpb=3576d6315f3b6b686cdcf9f280d5e829e3d3daa0;p=elogind.git

diff --git a/src/import/import-raw.c b/src/import/import-raw.c
index 67c805ed4..8d99f1085 100644
--- a/src/import/import-raw.c
+++ b/src/import/import-raw.c
@@ -21,10 +21,9 @@
 
 #include <sys/xattr.h>
 #include <linux/fs.h>
-#include <sys/prctl.h>
 #include <curl/curl.h>
-#include <gcrypt.h>
 
+#include "sd-daemon.h"
 #include "utf8.h"
 #include "strv.h"
 #include "copy.h"
@@ -32,13 +31,20 @@
 #include "util.h"
 #include "macro.h"
 #include "mkdir.h"
+#include "import-util.h"
 #include "curl-util.h"
 #include "qcow2-util.h"
 #include "import-job.h"
-#include "import-util.h"
+#include "import-common.h"
 #include "import-raw.h"
 
-typedef struct RawImportFile RawImportFile;
+typedef enum RawProgress {
+        RAW_DOWNLOADING,
+        RAW_VERIFYING,
+        RAW_UNPACKING,
+        RAW_FINALIZING,
+        RAW_COPYING,
+} RawProgress;
 
 struct RawImport {
         sd_event *event;
@@ -47,7 +53,7 @@ struct RawImport {
         char *image_root;
 
         ImportJob *raw_job;
-        ImportJob *sha256sums_job;
+        ImportJob *checksum_job;
         ImportJob *signature_job;
 
         RawImportFinished on_finished;
@@ -67,7 +73,7 @@ RawImport* raw_import_unref(RawImport *i) {
                 return NULL;
 
         import_job_unref(i->raw_job);
-        import_job_unref(i->sha256sums_job);
+        import_job_unref(i->checksum_job);
         import_job_unref(i->signature_job);
 
         curl_glue_unref(i->glue);
@@ -86,7 +92,13 @@ RawImport* raw_import_unref(RawImport *i) {
         return NULL;
 }
 
-int raw_import_new(RawImport **ret, sd_event *event, const char *image_root, RawImportFinished on_finished, void *userdata) {
+int raw_import_new(
+                RawImport **ret,
+                sd_event *event,
+                const char *image_root,
+                RawImportFinished on_finished,
+                void *userdata) {
+
         _cleanup_(raw_import_unrefp) RawImport *i = NULL;
         int r;
 
@@ -124,6 +136,57 @@ int raw_import_new(RawImport **ret, sd_event *event, const char *image_root, Raw
         return 0;
 }
 
+static void raw_import_report_progress(RawImport *i, RawProgress p) {
+        unsigned percent;
+
+        assert(i);
+
+        switch (p) {
+
+        case RAW_DOWNLOADING: {
+                unsigned remain = 80;
+
+                percent = 0;
+
+                if (i->checksum_job) {
+                        percent += i->checksum_job->progress_percent * 5 / 100;
+                        remain -= 5;
+                }
+
+                if (i->signature_job) {
+                        percent += i->signature_job->progress_percent * 5 / 100;
+                        remain -= 5;
+                }
+
+                if (i->raw_job)
+                        percent += i->raw_job->progress_percent * remain / 100;
+                break;
+        }
+
+        case RAW_VERIFYING:
+                percent = 80;
+                break;
+
+        case RAW_UNPACKING:
+                percent = 85;
+                break;
+
+        case RAW_FINALIZING:
+                percent = 90;
+                break;
+
+        case RAW_COPYING:
+                percent = 95;
+                break;
+
+        default:
+                assert_not_reached("Unknown progress state");
+        }
+
+        sd_notifyf(false, "X_IMPORT_PROGRESS=%u", percent);
+        log_debug("Combined progress %u%%", percent);
+}
+
 static int raw_import_maybe_convert_qcow2(RawImport *i) {
         _cleanup_close_ int converted_fd = -1;
         _cleanup_free_ char *t = NULL;
@@ -207,7 +270,7 @@ static int raw_import_make_local_copy(RawImport *i) {
                         return log_error_errno(errno, "Failed to seek to beginning of vendor image: %m");
         }
 
-        p = strappenda(i->image_root, "/", i->local, ".raw");
+        p = strjoina(i->image_root, "/", i->local, ".raw");
 
         if (i->force_local) {
                 (void) btrfs_subvol_remove(p);
@@ -251,168 +314,18 @@ static int raw_import_make_local_copy(RawImport *i) {
         return 0;
 }
 
-static int raw_import_verify_sha256sum(RawImport *i) {
-        _cleanup_close_pair_ int gpg_pipe[2] = { -1, -1 };
-        _cleanup_free_ char *fn = NULL;
-        _cleanup_close_ int sig_file = -1;
-        const char *p, *line;
-        char sig_file_path[] = "/tmp/sigXXXXXX";
-        _cleanup_sigkill_wait_ pid_t pid = 0;
-        int r;
-
+static bool raw_import_is_done(RawImport *i) {
         assert(i);
-
         assert(i->raw_job);
 
-        if (!i->sha256sums_job)
-                return 0;
-
-        assert(i->raw_job->state == IMPORT_JOB_DONE);
-        assert(i->raw_job->sha256);
-
-        assert(i->sha256sums_job->state == IMPORT_JOB_DONE);
-        assert(i->sha256sums_job->payload);
-        assert(i->sha256sums_job->payload_size > 0);
-
-        r = import_url_last_component(i->raw_job->url, &fn);
-        if (r < 0)
-                return log_oom();
-
-        if (!filename_is_valid(fn)) {
-                log_error("Cannot verify checksum, could not determine valid server-side file name.");
-                return -EBADMSG;
-        }
-
-        line = strappenda(i->raw_job->sha256, " *", fn, "\n");
-
-        p = memmem(i->sha256sums_job->payload,
-                   i->sha256sums_job->payload_size,
-                   line,
-                   strlen(line));
-
-        if (!p || (p != (char*) i->sha256sums_job->payload && p[-1] != '\n')) {
-                log_error("Checksum did not check out, payload has been tempered with.");
-                return -EBADMSG;
-        }
-
-        log_info("SHA256 checksum of %s is valid.", i->raw_job->url);
-
-        if (!i->signature_job)
-                return 0;
-
-        assert(i->signature_job->state == IMPORT_JOB_DONE);
-        assert(i->signature_job->payload);
-        assert(i->signature_job->payload_size > 0);
-
-        r = pipe2(gpg_pipe, O_CLOEXEC);
-        if (r < 0)
-                return log_error_errno(errno, "Failed to create pipe: %m");
-
-        sig_file = mkostemp(sig_file_path, O_RDWR);
-        if (sig_file < 0)
-                return log_error_errno(errno, "Failed to create temporary file: %m");
-
-        r = loop_write(sig_file, i->signature_job->payload, i->signature_job->payload_size, false);
-        if (r < 0) {
-                log_error_errno(r, "Failed to write to temporary file: %m");
-                goto finish;
-        }
-
-        pid = fork();
-        if (pid < 0)
-                return log_error_errno(errno, "Failed to fork off gpg: %m");
-        if (pid == 0) {
-                const char *cmd[] = {
-                        "gpg",
-                        "--no-options",
-                        "--no-default-keyring",
-                        "--no-auto-key-locate",
-                        "--no-auto-check-trustdb",
-                        "--batch",
-                        "--trust-model=always",
-                        "--keyring=" VENDOR_KEYRING_PATH,
-                        NULL, /* maybe user keyring */
-                        NULL, /* --verify */
-                        NULL, /* signature file */
-                        NULL, /* dash */
-                        NULL  /* trailing NULL */
-                };
-                unsigned k = ELEMENTSOF(cmd) - 5;
-                int null_fd;
-
-                /* Child */
-
-                reset_all_signal_handlers();
-                reset_signal_mask();
-                assert_se(prctl(PR_SET_PDEATHSIG, SIGTERM) == 0);
-
-                gpg_pipe[1] = safe_close(gpg_pipe[1]);
-
-                if (dup2(gpg_pipe[0], STDIN_FILENO) != STDIN_FILENO) {
-                        log_error_errno(errno, "Failed to dup2() fd: %m");
-                        _exit(EXIT_FAILURE);
-                }
-
-                if (gpg_pipe[0] != STDIN_FILENO)
-                        gpg_pipe[0] = safe_close(gpg_pipe[0]);
-
-                null_fd = open("/dev/null", O_WRONLY|O_NOCTTY);
-                if (null_fd < 0) {
-                        log_error_errno(errno, "Failed to open /dev/null: %m");
-                        _exit(EXIT_FAILURE);
-                }
-
-                if (dup2(null_fd, STDOUT_FILENO) != STDOUT_FILENO) {
-                        log_error_errno(errno, "Failed to dup2() fd: %m");
-                        _exit(EXIT_FAILURE);
-                }
-
-                if (null_fd != STDOUT_FILENO)
-                        null_fd = safe_close(null_fd);
-
-                /* We add the user keyring only to the command line
-                 * arguments, if it's around since gpg fails
-                 * otherwise. */
-                if (access(USER_KEYRING_PATH, F_OK) >= 0)
-                        cmd[k++] = "--keyring=" USER_KEYRING_PATH;
+        if (i->raw_job->state != IMPORT_JOB_DONE)
+                return false;
+        if (i->checksum_job && i->checksum_job->state != IMPORT_JOB_DONE)
+                return false;
+        if (i->signature_job && i->signature_job->state != IMPORT_JOB_DONE)
+                return false;
 
-                cmd[k++] = "--verify";
-                cmd[k++] = sig_file_path;
-                cmd[k++] = "-";
-                cmd[k++] = NULL;
-
-                execvp("gpg", (char * const *) cmd);
-                log_error_errno(errno, "Failed to execute gpg: %m");
-                _exit(EXIT_FAILURE);
-        }
-
-        gpg_pipe[0] = safe_close(gpg_pipe[0]);
-
-        r = loop_write(gpg_pipe[1], i->sha256sums_job->payload, i->sha256sums_job->payload_size, false);
-        if (r < 0) {
-                log_error_errno(r, "Failed to write to pipe: %m");
-                goto finish;
-        }
-
-        gpg_pipe[1] = safe_close(gpg_pipe[1]);
-
-        r = wait_for_terminate_and_warn("gpg", pid, true);
-        pid = 0;
-        if (r < 0)
-                goto finish;
-        if (r > 0) {
-                log_error("Signature verification failed.");
-                r = -EBADMSG;
-        } else {
-                log_info("Signature verification succeeded.");
-                r = 0;
-        }
-
-finish:
-        if (sig_file >= 0)
-                unlink(sig_file_path);
-
-        return r;
+        return true;
 }
 
 static void raw_import_job_on_finished(ImportJob *j) {
@@ -424,7 +337,7 @@ static void raw_import_job_on_finished(ImportJob *j) {
 
         i = j->userdata;
         if (j->error != 0) {
-                if (j == i->sha256sums_job)
+                if (j == i->checksum_job)
                         log_error_errno(j->error, "Failed to retrieve SHA256 checksum, cannot verify. (Try --verify=no?)");
                 else if (j == i->signature_job)
                         log_error_errno(j->error, "Failed to retrieve signature file, cannot verify. (Try --verify=no?)");
@@ -442,24 +355,27 @@ static void raw_import_job_on_finished(ImportJob *j) {
          *
          * We only do something when we got all three files */
 
-        if (!IMPORT_JOB_STATE_IS_COMPLETE(i->raw_job))
-                return;
-        if (i->sha256sums_job && !IMPORT_JOB_STATE_IS_COMPLETE(i->sha256sums_job))
-                return;
-        if (i->signature_job && !IMPORT_JOB_STATE_IS_COMPLETE(i->signature_job))
+        if (!raw_import_is_done(i))
                 return;
 
         if (!i->raw_job->etag_exists) {
+                /* This is a new download, verify it, and move it into place */
                 assert(i->raw_job->disk_fd >= 0);
 
-                r = raw_import_verify_sha256sum(i);
+                raw_import_report_progress(i, RAW_VERIFYING);
+
+                r = import_verify(i->raw_job, i->checksum_job, i->signature_job);
                 if (r < 0)
                         goto finish;
 
+                raw_import_report_progress(i, RAW_UNPACKING);
+
                 r = raw_import_maybe_convert_qcow2(i);
                 if (r < 0)
                         goto finish;
 
+                raw_import_report_progress(i, RAW_FINALIZING);
+
                 r = import_make_read_only_fd(i->raw_job->disk_fd);
                 if (r < 0)
                         goto finish;
@@ -474,6 +390,8 @@ static void raw_import_job_on_finished(ImportJob *j) {
                 i->temp_path = NULL;
         }
 
+        raw_import_report_progress(i, RAW_COPYING);
+
         r = raw_import_make_local_copy(i);
         if (r < 0)
                 goto finish;
@@ -495,6 +413,9 @@ static int raw_import_job_on_open_disk(ImportJob *j) {
         assert(j->userdata);
 
         i = j->userdata;
+        assert(i->raw_job == j);
+        assert(!i->final_path);
+        assert(!i->temp_path);
 
         r = import_make_path(j->url, j->etag, i->image_root, ".raw-", ".raw", &i->final_path);
         if (r < 0)
@@ -517,6 +438,17 @@ static int raw_import_job_on_open_disk(ImportJob *j) {
         return 0;
 }
 
+static void raw_import_job_on_progress(ImportJob *j) {
+        RawImport *i;
+
+        assert(j);
+        assert(j->userdata);
+
+        i = j->userdata;
+
+        raw_import_report_progress(i, RAW_DOWNLOADING);
+}
+
 int raw_import_pull(RawImport *i, const char *url, const char *local, bool force_local, ImportVerify verify) {
         int r;
 
@@ -524,15 +456,15 @@ int raw_import_pull(RawImport *i, const char *url, const char *local, bool force
         assert(verify < _IMPORT_VERIFY_MAX);
         assert(verify >= 0);
 
-        if (i->raw_job)
-                return -EBUSY;
-
         if (!http_url_is_valid(url))
                 return -EINVAL;
 
         if (local && !machine_name_is_valid(local))
                 return -EINVAL;
 
+        if (i->raw_job)
+                return -EBUSY;
+
         r = free_and_strdup(&i->local, local);
         if (r < 0)
                 return r;
@@ -546,55 +478,32 @@ int raw_import_pull(RawImport *i, const char *url, const char *local, bool force
 
         i->raw_job->on_finished = raw_import_job_on_finished;
         i->raw_job->on_open_disk = raw_import_job_on_open_disk;
-        i->raw_job->calc_hash = true;
+        i->raw_job->on_progress = raw_import_job_on_progress;
+        i->raw_job->calc_checksum = verify != IMPORT_VERIFY_NO;
 
         r = import_find_old_etags(url, i->image_root, DT_REG, ".raw-", ".raw", &i->raw_job->old_etags);
         if (r < 0)
                 return r;
 
-        if (verify != IMPORT_VERIFY_NO) {
-                _cleanup_free_ char *sha256sums_url = NULL;
-
-                /* Queue job for the SHA256SUMS file for the image */
-                r = import_url_change_last_component(url, "SHA256SUMS", &sha256sums_url);
-                if (r < 0)
-                        return r;
-
-                r = import_job_new(&i->sha256sums_job, sha256sums_url, i->glue, i);
-                if (r < 0)
-                        return r;
-
-                i->sha256sums_job->on_finished = raw_import_job_on_finished;
-                i->sha256sums_job->uncompressed_max = i->sha256sums_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
-        }
-
-        if (verify == IMPORT_VERIFY_SIGNATURE) {
-                _cleanup_free_ char *sha256sums_sig_url = NULL;
-
-                /* Queue job for the SHA256SUMS.gpg file for the image. */
-                r = import_url_change_last_component(url, "SHA256SUMS.gpg", &sha256sums_sig_url);
-                if (r < 0)
-                        return r;
-
-                r = import_job_new(&i->signature_job, sha256sums_sig_url, i->glue, i);
-                if (r < 0)
-                        return r;
-
-                i->signature_job->on_finished = raw_import_job_on_finished;
-                i->signature_job->uncompressed_max = i->signature_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
-        }
+        r = import_make_verification_jobs(&i->checksum_job, &i->signature_job, verify, url, i->glue, raw_import_job_on_finished, i);
+        if (r < 0)
+                return r;
 
         r = import_job_begin(i->raw_job);
         if (r < 0)
                 return r;
 
-        if (i->sha256sums_job) {
-                r = import_job_begin(i->sha256sums_job);
+        if (i->checksum_job) {
+                i->checksum_job->on_progress = raw_import_job_on_progress;
+
+                r = import_job_begin(i->checksum_job);
                 if (r < 0)
                         return r;
         }
 
         if (i->signature_job) {
+                i->signature_job->on_progress = raw_import_job_on_progress;
+
                 r = import_job_begin(i->signature_job);
                 if (r < 0)
                         return r;