Commit Graph

55 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
af182c4fd1
backup: fixup restore options just before restoring VMs
When the user included/excluded some VMs for restoration, it may be
necessary to fix dependencies between them (for example when the default
template is no longer going to be restored).
Also fix handling of conflicting names.
2016-10-28 11:53:34 +02:00
Marek Marczykowski-Górecki
043d20c05d
backup: fix handling non-ascii characters in backup passphrase
Fixes QubesOS/qubes-issues#2398
2016-10-28 11:53:33 +02:00
Marek Marczykowski-Górecki
49e718cf57
backup: mark 'encryption' option as deprecated - all backups are encrypted
QubesOS/qubes-issues#971
2016-10-28 11:53:33 +02:00
Marek Marczykowski-Górecki
51b66208f3
backup: verify if archive chunks are not reordered
Now, when the file name is also integrity protected (prefixed to the
passphrase), we can make sure that input files are given in the same
order, and are parts of the same VM.

QubesOS/qubes-issues#971
2016-10-28 11:53:33 +02:00
Marek Marczykowski-Górecki
4ad15c082b
backup: add 'backup_id' to integrity protection
This prevents switching parts of a backup of the same VM between different
backups made by the same user (or actually: with the same passphrase).

QubesOS/qubes-issues#971
2016-10-28 11:53:32 +02:00
Marek Marczykowski-Górecki
418d749680
backup: use 'scrypt' tool for backup encryption and integrity protection
`openssl dgst` and `openssl enc`, used previously, handle key
stretching poorly - in the case of `openssl enc`, the encryption key is derived using a
single MD5 iteration, without even any salt. This hardly prevents
brute force or even rainbow table attacks. To make things worse, the
same key is used for encryption and integrity protection, which eases
brute force even further.
All this is still about brute force attacks, so when using a long, high
entropy passphrase, it should still be relatively safe. But let's do
better.
According to the discussion in QubesOS/qubes-issues#971, the scrypt algorithm is
a good choice for key stretching (it isn't the best of all existing, but
a good one and widely adopted). At the same time, let's switch away from
the `openssl` tool, as it is very limited and apparently not designed for
production use. Use the `scrypt` tool, which is very simple and does exactly
what we need - encrypt the data and integrity protect it. Its archive
format has its own (simple) header with data required by the `scrypt`
algorithm, including salt. Internally, data is encrypted with AES256-CTR
and integrity protected with HMAC-SHA256. For details see:
https://github.com/tarsnap/scrypt/blob/master/FORMAT

This means a change of backup format. Mainly:

1. The HMAC is stored in the scrypt header, so don't use a separate file for it.
Instead, have data in files with the `.enc` extension.
2. For compatibility, leave `backup-header` and `backup-header.hmac`. But
`backup-header.hmac` is really the scrypt-encrypted version of `backup-header`.
3. For each file, prepend its identifier to the passphrase, to
authenticate the filename itself too. Having this, we can guard against
reordering archive files within a single backup and across backups. This
identifier is built as:

        backup ID (from backup-header)!filename!

For the backup-header itself, there is no backup ID (just 'backup-header!').

Fixes QubesOS/qubes-issues#971
2016-10-28 11:53:32 +02:00
Marek Marczykowski-Górecki
d7c355eadb
backup: make wait_backup_feedback/handle_streams less ugly
Have a generic function `handle_streams`, instead of
`wait_backup_feedback` with open-coded process names and manual
iteration over them.

No functional change, besides minor logging change.
2016-10-28 11:53:32 +02:00
Marek Marczykowski-Górecki
33fecd90c1
qubes/backup: misc fixes
Fix restoring ProxyVM and NetVM from core2. Use correct VM class.
2016-10-05 01:58:11 +02:00
Marek Marczykowski-Górecki
339c47480e
qubes/backup: include LVM volumes content in backup
Use the just-introduced tar writer to archive the content of LVM volumes (or
more generally: block devices). Place them as 'private.img' and
'root.img' files in the backup - just like in the old format. This requires
support for replacing the file name in the tar header - another thing trivially
supported with the tar writer.
2016-10-05 01:55:30 +02:00
Marek Marczykowski-Górecki
278a5340dc
qubes/backup: fix relative path calculation
os.path.relpath strips the trailing '/.' from the path, but it is important
to distinguish a whole-directory archive (which is a tar of '.').
2016-10-04 21:38:59 +02:00
Marek Marczykowski-Górecki
ab69fdd7f4
qubes/backup: reduce code duplication
Move inner tar process cleanup to a separate function.
2016-10-03 13:43:36 +02:00
Marek Marczykowski-Górecki
20590bff57
backup: adjust LVM volume size when restoring its content.
Old backup metadata (old qubes.xml) does not contain info about
individual volume sizes. So, extract it from the tar header (using verbose
output during restore) and resize the volume accordingly.
Without this, restoring volumes larger than the default would be impossible.
2016-09-29 02:08:29 +02:00
Marek Marczykowski-Górecki
0a35bd06aa
backup: support relocating files to different storage pool
To ease all this, rework the restore workflow: first create QubesVM objects,
and all their files (as for a fresh VM), then override them with data
from the backup - possibly redirecting some files to a new location. This
allows generic code to create LVM volumes and then only restore their
content.
2016-09-29 02:08:29 +02:00
Marek Marczykowski-Górecki
bbbe045b62
qubes/backup: better handle restoring kernel=None case
It makes sense for HVM domains, so allow such a configuration.
2016-08-17 01:18:11 +02:00
Marek Marczykowski-Górecki
2f977ff4f5
backup: open backup collection in offline mode
Otherwise it may try to manipulate live libvirt objects with the same
names (and probably different UUIDs, which would fail).
2016-08-16 00:00:14 +02:00
Marek Marczykowski-Górecki
4e022382a5
Merge remote-tracking branch 'origin/master' into core3-devel 2016-08-08 00:11:46 +02:00
Bahtiar `kalkin-` Gadimov
61feb0ced7
Migrate backup to new storage api 2016-07-13 22:34:37 +02:00
Bahtiar `kalkin-` Gadimov
bb8b58b04c
qubes.backup fix verify_files 2016-07-13 22:34:36 +02:00
Bahtiar `kalkin-` Gadimov
b584d1a4bb
Remove QubesVM.is_netvm() and is_disposablevm() 2016-06-23 14:23:33 +02:00
Bahtiar `kalkin-` Gadimov
4a0b7585d1
Remove QubesVM.is_proxyvm() 2016-06-23 14:23:32 +02:00
Bahtiar `kalkin-` Gadimov
e08ca1ff57
Remove QubesVM.is_template() 2016-06-23 14:23:31 +02:00
Bahtiar `kalkin-` Gadimov
0a471e719b
qubes.backup fix access to volume paths 2016-06-21 14:58:09 +02:00
Marek Marczykowski-Górecki
98effef606
backup: add option to use default kernel for restored VMs 2016-06-16 17:06:42 +02:00
Marek Marczykowski-Górecki
91404cc647
backup: collect files to backup once 2016-06-16 17:06:41 +02:00
Marek Marczykowski-Górecki
2dacb3a542
backup: drop/resolve minor "TODO" comments 2016-06-16 17:06:41 +02:00
Marek Marczykowski-Górecki
2909d252d6
backup: get_disk_usage is now in storage.file 2016-06-02 12:41:59 +02:00
Marek Marczykowski-Górecki
8c6fe7ed90
Merge remote-tracking branch 'origin/master' into core3-devel-mm 2016-04-11 13:03:12 +02:00
Marek Marczykowski-Górecki
d9a8cd5d68
backup: minor code style fixes 2016-04-11 00:13:13 +02:00
Marek Marczykowski-Górecki
c28f50f6fe
backup: minor fixes 2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
2261e6a4c7
backup: simplify auto-renaming handling
Don't try to track names in restore_info_verify, instead resolve them at
actual restore time.
2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
71a7730168
backup: simplify ordering of restoring VMs
No other change than reducing two nested loops into one.
2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
98c8b7cd22
backup: use simple classes for data storage on restore too 2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
424d3054f3
backup: use vm.features to store backup-specific metadata
Do not keep them in system qubes.xml.
2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
ed88b5a9a3
backup: use vm.run_service instead of vm.run
This should be the only way used to call services.
2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
e8f21929ad
backup: by default include all the VMs with vm.include_in_backups
If there is a need for a more robust default, it should be handled at that
property.
2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
a3051b956b
backup: docstrings, don't expose internal attributes
processes_to_kill_on_cancel shouldn't be initialized by the user, so move it
below applying user settings.
2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
b4227f7581
backup: use simple classes instead of hashes, use events for appmenus
This makes typo errors much easier to find (also using pylint or so).
While at it, also removed the explicit appmenus backup, as it should be
provided by the appmenus extension.
2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
c01f43a5d3
backup: unify handling of template and non-template VMs
Handle them the same way - individual files, not the whole directory for
templates.
Also don't back up the obsolete 'kernels' subdir - it isn't supported in
core3.
2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
d9cf64a41d
backup: minor code structure changes
- initialize internal objects in the constructor
- use 'with'
2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
78dbadab57
backup: minor: compile regex once 2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
e9b8b6428c
backup: remove duplicated get_disk_usage function 2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
c08f5986a9
backup: use constants for queue control strings 2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
ad1f1738fa
qubes: make 'store' property public (R/O)
It makes sense to see from what the Qubes object was loaded.
2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
8c5d42a095
backup: add support for restoring pre-core3 backups 2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
304d2b10bc
backup: fix handling "None" kernel 2016-04-07 13:21:00 +02:00
Marek Marczykowski-Górecki
412bcfa88b
backup: fix handling netvm property 2016-04-07 13:20:59 +02:00
Marek Marczykowski-Górecki
d72d8f8445
backup: code inspection annotations 2016-04-07 13:20:59 +02:00
Marek Marczykowski-Górecki
3fb0754398
backup: formatting 2016-04-07 13:20:59 +02:00
Marek Marczykowski-Górecki
697a26c8da
backup: update license header
Use a link instead of an address, as recommended by the FSF.
2016-04-07 13:20:59 +02:00
Marek Marczykowski-Górecki
e04ea7512c
backup: minor code style
- Don't use catch-all except statement.
- Use str.format instead of "%" operator.
- Use static methods where applicable.
- Remove unused local variables.
- Don't shadow variables from outer scope.
2016-04-07 13:20:59 +02:00