[PATCH v2 0/3] qapi & doc: deprecate drive-backup
by Vladimir Sementsov-Ogievskiy
Hi all!
See 03 commit message for details. 01-02 are preparation docs update.
v2: add a lot of documentation changes
v1 was "[PATCH] qapi: deprecate drive-backup"
Supersedes: <20210423125900.3640-1-vsementsov(a)virtuozzo.com>
Vladimir Sementsov-Ogievskiy (3):
docs/block-replication: use blockdev-backup
docs/interop/bitmaps: use blockdev-backup
qapi: deprecate drive-backup
docs/block-replication.txt | 4 +-
docs/interop/bitmaps.rst | 285 +++++++++++++++++++------
docs/interop/live-block-operations.rst | 47 ++--
docs/system/deprecated.rst | 11 +
qapi/block-core.json | 5 +-
5 files changed, 263 insertions(+), 89 deletions(-)
--
2.29.2
3 years, 1 month
[PATCH v4 for v7.6.0 00/14] Introduce virtio-mem <memory/> model
by Michal Privoznik
v4 of:
https://listman.redhat.com/archives/libvir-list/2021-April/msg01138.html
diff to v3:
- Rebased code on the top of master
- Tried to work in all Peter's review suggestions
- Fixed a bug where adjusting <requested/> was viewed as hotplug of new
<memory/> by XML validator and thus if <maxMemory/> was close enough to
<currentMemory/> the validator reported an error (this was reported by
David).
You can also find these patches on my branch:
https://gitlab.com/MichalPrivoznik/libvirt/-/tree/virtio_mem_v4
Michal Prívozník (14):
virhostmem: Introduce virHostMemGetTHPSize()
qemu_capabilities: Introduce QEMU_CAPS_DEVICE_VIRTIO_MEM_PCI
conf: Introduce virtio-mem <memory/> model
qemu: Build command line for virtio-mem
qemu: Wire up <memory/> live update
Introduce <actual/> property to virtio-mem
conf: Introduce virDomainMemoryFindByDeviceAlias()
qemu: Wire up MEMORY_DEVICE_SIZE_CHANGE event
qemu: Refresh the actual size of virtio-mem on monitor reconnect
qemu: Account for both memballoon and virtio-mem
qemuDomainSetMemoryFlags: Take virtio-mem into consideration
virsh: Introduce update-memory-device command
news: document recent virtio memory addition
kbase: Document virtio-mem
NEWS.rst | 12 +
docs/formatdomain.rst | 45 +++-
docs/kbase/index.rst | 4 +
docs/kbase/memorydevices.rst | 150 +++++++++++
docs/kbase/meson.build | 1 +
docs/manpages/virsh.rst | 30 +++
docs/schemas/domaincommon.rng | 16 ++
examples/c/misc/event-test.c | 17 ++
include/libvirt/libvirt-domain.h | 23 ++
src/conf/domain_conf.c | 118 ++++++++-
src/conf/domain_conf.h | 15 ++
src/conf/domain_event.c | 84 ++++++
src/conf/domain_event.h | 10 +
src/conf/domain_validate.c | 39 +++
src/libvirt_private.syms | 5 +
src/qemu/qemu_alias.c | 10 +-
src/qemu/qemu_capabilities.c | 2 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 13 +-
src/qemu/qemu_domain.c | 33 ++-
src/qemu/qemu_domain.h | 1 +
src/qemu/qemu_domain_address.c | 38 ++-
src/qemu/qemu_driver.c | 240 +++++++++++++++++-
src/qemu/qemu_hotplug.c | 18 ++
src/qemu/qemu_hotplug.h | 5 +
src/qemu/qemu_monitor.c | 37 +++
src/qemu/qemu_monitor.h | 28 ++
src/qemu/qemu_monitor_json.c | 97 +++++--
src/qemu/qemu_monitor_json.h | 5 +
src/qemu/qemu_process.c | 72 ++++++
src/qemu/qemu_validate.c | 8 +
src/remote/remote_daemon_dispatch.c | 30 +++
src/remote/remote_driver.c | 32 +++
src/remote/remote_protocol.x | 14 +-
src/remote_protocol-structs | 7 +
src/security/security_apparmor.c | 1 +
src/security/security_dac.c | 2 +
src/security/security_selinux.c | 2 +
src/util/virhostmem.c | 54 ++++
src/util/virhostmem.h | 3 +
tests/domaincapsmock.c | 9 +
.../caps_5.1.0.x86_64.xml | 1 +
.../caps_5.2.0.x86_64.xml | 1 +
.../caps_6.0.0.x86_64.xml | 1 +
.../caps_6.1.0.x86_64.xml | 1 +
...mory-hotplug-virtio-mem.x86_64-latest.args | 41 +++
.../memory-hotplug-virtio-mem.xml | 67 +++++
tests/qemuxml2argvtest.c | 1 +
...emory-hotplug-virtio-mem.x86_64-latest.xml | 1 +
tests/qemuxml2xmltest.c | 1 +
tools/virsh-domain.c | 169 ++++++++++++
51 files changed, 1562 insertions(+), 53 deletions(-)
create mode 100644 docs/kbase/memorydevices.rst
create mode 100644 tests/qemuxml2argvdata/memory-hotplug-virtio-mem.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/memory-hotplug-virtio-mem.xml
create mode 120000 tests/qemuxml2xmloutdata/memory-hotplug-virtio-mem.x86_64-latest.xml
--
2.31.1
3 years, 1 month
[PATCH v3 0/4] Dirty Ring support (Libvirt)
by huangy81@chinatelecom.cn
From: Hyman Huang(黄勇) <huangy81(a)chinatelecom.cn>
v3
- rebase master and fix the confilict when apply
"conf: introduce dirty_ring_size in struct "_virDomainDef" to current
master.
v2
- split patchset into 4 patches
- leave out the tcg case when building commandline.
- handle the VIR_DOMAIN_KVM_DIRTY_RING case independently in ,
virDomainFeatureDefParse and virDomainDefFeaturesCheckABIStability,
do not integrate it with other cases...
- add dirty ring size check in virDomainDefFeaturesCheckABIStability
- modify zero checks on integers of dirty ring size in a explicit way.
- set the default value of dirty ring size in a post-parser callback.
- check the absence of kvm_feature in a explicit way.
- code clean of virTristateSwitchTypeToString function.
this version's modification base on Peter's advices mostly, thanks
a lot, please review !
Best Regards !
Hyman Huang(黄勇)
v1
since qemu has introduced a dirty ring feature in 6.1.0, may be it's
the right time to introduce dirty ring in libvirt meanwhile.
this patch add feature named 'dirty-ring', which enable dirty ring
feature when starting vm. to try this out, three things has done
in this patchset:
- introduce QEMU_CAPS_ACCEL so the the libvirt can use it to select
the right option when specifying the accelerator type.
- switch the option "-machine accel=xxx" to "-accel xxx" when specifying
accelerator type once libvirt build QEMU command line, so that
dirty-ring-size property can be passed to qemu when start vm.
- introduce dirty_ring_size to hold the ring size configured by user
and pass dirty_ring_size when building qemu commandline if dirty
ring feature enabled.
though dirty ring is per-cpu logically, the size of dirty ring is
registered by 'struct kvm' in QEMU. so we would like to place the
dirty_ring_size as a property of vm in Libvirt as the QEMU do.
the dirty ring feature is disabled by default, and if enabled, the
default value of ring size if 4096 if size not configured.
for more details about dirty ring and "-accel" option, please refer to:
https://lore.kernel.org/qemu-devel/20210108165050.406906-10-peterx@redhat...
https://lore.kernel.org/qemu-devel/3aa73987-40e8-3619-0723-9f17f73850bd@r...
please review, Thanks!
Best Regards !
Hyman Huang(黄勇) (4):
qemu_capabilities: introduce QEMU_CAPS_ACCEL
qemu_command: switch accelerator option to new style
conf: introduce dirty_ring_size in struct "_virDomainDef"
qemu: support dirty ring feature
docs/formatdomain.rst | 16 +++--
docs/schemas/domaincommon.rng | 10 +++
src/conf/domain_conf.c | 74 +++++++++++++++++++++-
src/conf/domain_conf.h | 4 ++
src/qemu/qemu_capabilities.c | 2 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 40 +++++++++++-
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.1.0.sparc.xml | 1 +
tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.2.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.2.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.2.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.2.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_6.0.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_6.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml | 1 +
...64-default-cpu-kvm-virt-4.2.aarch64-latest.args | 3 +-
.../aarch64-features-sve.aarch64-latest.args | 3 +-
.../channel-unix-guestfwd.x86_64-latest.args | 3 +-
.../clock-timer-armvtimer.aarch64-latest.args | 3 +-
.../console-virtio-unix.x86_64-latest.args | 3 +-
.../cpu-Icelake-Server-pconfig.x86_64-3.1.0.args | 3 +-
.../cpu-Icelake-Server-pconfig.x86_64-latest.args | 3 +-
.../cpu-tsc-frequency.x86_64-4.0.0.args | 3 +-
.../cpu-tsc-high-frequency.x86_64-latest.args | 3 +-
.../default-video-type-aarch64.aarch64-latest.args | 3 +-
.../default-video-type-ppc64.ppc64-latest.args | 3 +-
.../default-video-type-s390x.s390x-latest.args | 3 +-
.../disk-cdrom-network.x86_64-2.12.0.args | 3 +-
.../disk-cdrom-network.x86_64-latest.args | 3 +-
.../disk-network-http.x86_64-latest.args | 3 +-
.../hugepages-memaccess3.x86_64-latest.args | 3 +-
.../intel-iommu-aw-bits.x86_64-latest.args | 3 +-
.../intel-iommu-caching-mode.x86_64-latest.args | 3 +-
.../intel-iommu-device-iotlb.x86_64-latest.args | 3 +-
.../intel-iommu-eim.x86_64-latest.args | 3 +-
...ty-sev-missing-platform-info.x86_64-2.12.0.args | 3 +-
.../launch-security-sev.x86_64-2.12.0.args | 3 +-
.../launch-security-sev.x86_64-6.0.0.args | 3 +-
...emfd-memory-default-hugepage.x86_64-latest.args | 3 +-
.../memfd-memory-numa.x86_64-latest.args | 3 +-
.../memory-hotplug-virtio-pmem.x86_64-5.2.0.args | 3 +-
.../memory-hotplug-virtio-pmem.x86_64-latest.args | 3 +-
.../os-firmware-bios.x86_64-latest.args | 3 +-
...irmware-efi-no-enrolled-keys.x86_64-latest.args | 3 +-
.../os-firmware-efi-secboot.x86_64-latest.args | 3 +-
.../os-firmware-efi.x86_64-latest.args | 3 +-
.../parallel-unix-chardev.x86_64-latest.args | 3 +-
...4-default-cpu-kvm-pseries-2.7.ppc64-latest.args | 3 +-
...4-default-cpu-kvm-pseries-3.1.ppc64-latest.args | 3 +-
...4-default-cpu-kvm-pseries-4.2.ppc64-latest.args | 3 +-
...efault-cpu-kvm-ccw-virtio-2.7.s390x-latest.args | 3 +-
...efault-cpu-kvm-ccw-virtio-4.2.s390x-latest.args | 3 +-
.../smartcard-passthrough-unix.x86_64-latest.args | 3 +-
.../usb-redir-unix.x86_64-latest.args | 3 +-
.../vhost-user-fs-fd-memory.x86_64-latest.args | 3 +-
.../virtio-rng-builtin.x86_64-5.2.0.args | 3 +-
.../virtio-rng-builtin.x86_64-latest.args | 3 +-
.../virtio-rng-egd-unix.x86_64-5.2.0.args | 3 +-
.../virtio-rng-egd-unix.x86_64-latest.args | 3 +-
...86_64-default-cpu-kvm-pc-4.2.x86_64-latest.args | 3 +-
...6_64-default-cpu-kvm-q35-4.2.x86_64-latest.args | 3 +-
91 files changed, 268 insertions(+), 55 deletions(-)
--
1.8.3.1
3 years, 2 months
[libvirt PATCH 0/4] RFC: tests: introduce lavocado
by Beraldo Leal
lavocado aims to be an alternative test framework for the libvirt
project using Python, python-libvirt and Avocado. This can be used to
write unit, functional and integration tests and it is inspired by the
libvirt-tck framework.
This series introduces the basic framework along with some basic test
examples that I got from libvirt-tck. I would appreciate your comments
on this RFC, to see if this fits this project's needs. Also, names and
locations are just a proposal and can be changed.
For now, this framework assumes that you are going to run the tests in a
fresh clean environment, i.e. a VM. If you decide to use your local
system, beware that execution of the tests may affect your system.
One of the future goals of this framework is to utilize nested
virtualization technologies and hence make sure an L1 guest is
provisioned automatically for the tests to be executed in this
environment and not tamper with your main system.
I'm adding more information with some details inside the README file.
Beraldo Leal (4):
tests: introduce lavocado: initial code structure
tests.lavocado: adding basic transient domain tests
tests.lavocado: adding a .gitignore
tests.lavocado: adding a README and Makefile for convenience
tests/lavocado/.gitignore | 3 +
tests/lavocado/Makefile | 2 +
tests/lavocado/README.md | 124 +++++++++++++++++
tests/lavocado/lavocado/__init__.py | 0
tests/lavocado/lavocado/defaults.py | 11 ++
tests/lavocado/lavocado/exceptions.py | 20 +++
tests/lavocado/lavocado/helpers/__init__.py | 0
tests/lavocado/lavocado/helpers/domains.py | 75 ++++++++++
tests/lavocado/lavocado/test.py | 144 ++++++++++++++++++++
tests/lavocado/requirements.txt | 3 +
tests/lavocado/templates/domain.xml.jinja | 20 +++
tests/lavocado/tests/domain/transient.py | 102 ++++++++++++++
12 files changed, 504 insertions(+)
create mode 100644 tests/lavocado/.gitignore
create mode 100644 tests/lavocado/Makefile
create mode 100644 tests/lavocado/README.md
create mode 100644 tests/lavocado/lavocado/__init__.py
create mode 100644 tests/lavocado/lavocado/defaults.py
create mode 100644 tests/lavocado/lavocado/exceptions.py
create mode 100644 tests/lavocado/lavocado/helpers/__init__.py
create mode 100644 tests/lavocado/lavocado/helpers/domains.py
create mode 100644 tests/lavocado/lavocado/test.py
create mode 100644 tests/lavocado/requirements.txt
create mode 100644 tests/lavocado/templates/domain.xml.jinja
create mode 100644 tests/lavocado/tests/domain/transient.py
--
2.26.3
3 years, 3 months
[PATCH 00/10] ch: Add Console support
by William Douglas
This series enables console support in the cloud-hypervisor driver.
Cloud-hypervisor only supports a single console or serial device at a
time, hence the checks to ensure the domain configuration is only
passing one or the other.
I wasn't sure if the controller device should have some additonal
validation handling so I just did the minimal to get the console open
functioning.
William Douglas (10):
ch_monitor: Make unused function static
ch_monitor: Update virCHMonitorGet to handle accept a response
ch_monitor: Use virCHMonitorGet to access cloud-hypervisor API
ch_monitor: Add pty json builder function
ch_monitor: Make use of the PTY json builder
ch_process: Handle enabled console devices
ch_process: Update the domain with console path information
ch_domain: Allow controller and chr devices
ch_driver: Add handler for console API
ch_driver: Turn on the domainOpenConsole API
src/ch/ch_domain.c | 4 +-
src/ch/ch_driver.c | 78 +++++++++++++++++++++++++++++
src/ch/ch_monitor.c | 117 ++++++++++++++++++++++++++++++++++++++++++--
src/ch/ch_monitor.h | 3 ++
src/ch/ch_process.c | 67 +++++++++++++++++++++++++
5 files changed, 263 insertions(+), 6 deletions(-)
--
2.31.1
3 years, 3 months
[PATCH v3 0/3] Implement virDomainGetMessages for test driver
by Luke Yue
v3:
- Squash tests commit
- Extract the same code in test driver and qemu driver to a function
Luke Yue (3):
test_driver: Implement virDomainGetMessages
test_driver: Introduce testDomainObjCheckTaint
conf: domain: Introduce and use virDomainObjGetMessages()
src/conf/domain_conf.c | 53 +++++++++++++++++++++++++++
src/conf/domain_conf.h | 5 +++
src/libvirt_private.syms | 1 +
src/qemu/qemu_driver.c | 34 +-----------------
src/test/test_driver.c | 78 ++++++++++++++++++++++++++++++++++++++++
tests/virshtest.c | 2 ++
6 files changed, 140 insertions(+), 33 deletions(-)
--
2.32.0
3 years, 3 months
[PATCH] lib: Specify domain redefinition requirements
by Roman Bolshakov
There might be misunderstanding [1] when libvirt permits domain
redefinition and if it's a valid case at all.
1. https://github.com/ansible-collections/community.libvirt/blob/b973d7c4b40...
Signed-off-by: Roman Bolshakov <r.bolshakov(a)yadro.com>
---
src/libvirt-domain.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index 750e32f0ca..e48f3cdb02 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -6290,8 +6290,8 @@ virDomainGetBlockInfo(virDomainPtr domain, const char *disk,
*
* Define a domain, but does not start it.
* This definition is persistent, until explicitly undefined with
- * virDomainUndefine(). A previous definition for this domain would be
- * overridden if it already exists.
+ * virDomainUndefine(). A previous definition for this domain with the same
+ * UUID and name would be overridden if it already exists.
*
* virDomainFree should be used to free the resources after the
* domain object is no longer needed.
@@ -6333,8 +6333,8 @@ virDomainDefineXML(virConnectPtr conn, const char *xml)
*
* Defines a domain, but does not start it.
* This definition is persistent, until explicitly undefined with
- * virDomainUndefine(). A previous definition for this domain would be
- * overridden if it already exists.
+ * virDomainUndefine(). A previous definition for this domain with the same
+ * UUID and name would be overridden if it already exists.
*
* virDomainFree should be used to free the resources after the
* domain object is no longer needed.
--
2.32.0
3 years, 3 months
Add SELinux policy for Virt
by Nikola Knazekova
Hi,
I created SELinux policy for Libvirt drivers, as part of Decentralized SELinux Policy (DSP) project.
DSP guidelines is available: https://fedoraproject.org/wiki/SELinux/IndependentPolicy
Discussion about the first version of SELinux policy for Libvirt is available on gitlab:
https://gitlab.com/libvirt/libvirt/-/merge_requests/65
SELinux policy was created for:
Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)
Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)
SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages.
These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made.
Can you please look at it?
Thanks
Nikola
3 years, 3 months
[PATCH 2/2] qemu-img: Require -F with -b backing image
by Eric Blake
Back in commit d9f059aa6c (qemu-img: Deprecate use of -b without -F),
we deprecated the ability to create a file with a backing image that
requires qemu to perform format probing. Qemu can still probe older
files for backwards compatibility, but it is time to finish off the
ability to create such images, due to the potential security risk they
present. Update a couple of iotests affected by the change.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
docs/system/deprecated.rst | 20 -----------------
docs/system/removed-features.rst | 19 ++++++++++++++++
block.c | 37 ++++++++++----------------------
qemu-img.c | 6 ++++--
tests/qemu-iotests/114 | 18 ++++++++--------
tests/qemu-iotests/114.out | 11 ++++------
tests/qemu-iotests/301 | 4 +---
tests/qemu-iotests/301.out | 16 ++------------
8 files changed, 50 insertions(+), 81 deletions(-)
diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index 9ec1a9d0e03e..aa6f7d84e583 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -315,26 +315,6 @@ this CPU is also deprecated.
Related binaries
----------------
-qemu-img backing file without format (since 5.1)
-''''''''''''''''''''''''''''''''''''''''''''''''
-
-The use of ``qemu-img create``, ``qemu-img rebase``, or ``qemu-img
-convert`` to create or modify an image that depends on a backing file
-now recommends that an explicit backing format be provided. This is
-for safety: if QEMU probes a different format than what you thought,
-the data presented to the guest will be corrupt; similarly, presenting
-a raw image to a guest allows a potential security exploit if a future
-probe sees a non-raw image based on guest writes.
-
-To avoid the warning message, or even future refusal to create an
-unsafe image, you must pass ``-o backing_fmt=`` (or the shorthand
-``-F`` during create) to specify the intended backing format. You may
-use ``qemu-img rebase -u`` to retroactively add a backing format to an
-existing image. However, be aware that there are already potential
-security risks to blindly using ``qemu-img info`` to probe the format
-of an untrusted backing image, when deciding what format to add into
-an existing image.
-
Backwards compatibility
-----------------------
diff --git a/docs/system/removed-features.rst b/docs/system/removed-features.rst
index 28b5df757d35..1928d8a483c0 100644
--- a/docs/system/removed-features.rst
+++ b/docs/system/removed-features.rst
@@ -466,6 +466,25 @@ backing chain should be performed with ``qemu-img rebase -u`` either
before or after the remaining changes being performed by amend, as
appropriate.
+qemu-img backing file without format (removed in 6.1)
+'''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+The use of ``qemu-img create``, ``qemu-img rebase``, or ``qemu-img
+convert`` to create or modify an image that depends on a backing file
+now requires that an explicit backing format be provided. This is
+for safety: if QEMU probes a different format than what you thought,
+the data presented to the guest will be corrupt; similarly, presenting
+a raw image to a guest allows a potential security exploit if a future
+probe sees a non-raw image based on guest writes.
+
+To avoid creating unsafe backing chains, you must pass ``-o
+backing_fmt=`` (or the shorthand ``-F`` during create) to specify the
+intended backing format. You may use ``qemu-img rebase -u`` to
+retroactively add a backing format to an existing image. However, be
+aware that there are already potential security risks to blindly using
+``qemu-img info`` to probe the format of an untrusted backing image,
+when deciding what format to add into an existing image.
+
Block devices
-------------
diff --git a/block.c b/block.c
index 874c22c43e3d..931e37a8499b 100644
--- a/block.c
+++ b/block.c
@@ -5033,7 +5033,7 @@ int coroutine_fn bdrv_co_check(BlockDriverState *bs,
* -ENOTSUP - format driver doesn't support changing the backing file
*/
int bdrv_change_backing_file(BlockDriverState *bs, const char *backing_file,
- const char *backing_fmt, bool warn)
+ const char *backing_fmt, bool require)
{
BlockDriver *drv = bs->drv;
int ret;
@@ -5047,10 +5047,8 @@ int bdrv_change_backing_file(BlockDriverState *bs, const char *backing_file,
return -EINVAL;
}
- if (warn && backing_file && !backing_fmt) {
- warn_report("Deprecated use of backing file without explicit "
- "backing format, use of this image requires "
- "potentially unsafe format probing");
+ if (require && backing_file && !backing_fmt) {
+ return -EINVAL;
}
if (drv->bdrv_change_backing_file != NULL) {
@@ -6556,24 +6554,11 @@ void bdrv_img_create(const char *filename, const char *fmt,
goto out;
} else {
if (!backing_fmt) {
- warn_report("Deprecated use of backing file without explicit "
- "backing format (detected format of %s)",
- bs->drv->format_name);
- if (bs->drv != &bdrv_raw) {
- /*
- * A probe of raw deserves the most attention:
- * leaving the backing format out of the image
- * will ensure bs->probed is set (ensuring we
- * don't accidentally commit into the backing
- * file), and allow more spots to warn the users
- * to fix their toolchain when opening this image
- * later. For other images, we can safely record
- * the format that we probed.
- */
- backing_fmt = bs->drv->format_name;
- qemu_opt_set(opts, BLOCK_OPT_BACKING_FMT, backing_fmt,
- NULL);
- }
+ error_setg(&local_err,
+ "Backing file specified without backing format");
+ error_append_hint(&local_err, "Detected format of %s.",
+ bs->drv->format_name);
+ goto out;
}
if (size == -1) {
/* Opened BS, have no size */
@@ -6590,9 +6575,9 @@ void bdrv_img_create(const char *filename, const char *fmt,
}
/* (backing_file && !(flags & BDRV_O_NO_BACKING)) */
} else if (backing_file && !backing_fmt) {
- warn_report("Deprecated use of unopened backing file without "
- "explicit backing format, use of this image requires "
- "potentially unsafe format probing");
+ error_setg(&local_err,
+ "Backing file specified without backing format");
+ goto out;
}
if (size == -1) {
diff --git a/qemu-img.c b/qemu-img.c
index a5993682aad4..3cdfcaa23f6b 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -2505,8 +2505,10 @@ static int img_convert(int argc, char **argv)
if (out_baseimg_param) {
if (!qemu_opt_get(opts, BLOCK_OPT_BACKING_FMT)) {
- warn_report("Deprecated use of backing file without explicit "
- "backing format");
+ error_report("Use of backing file requires explicit "
+ "backing format");
+ ret = -1;
+ goto out;
}
}
diff --git a/tests/qemu-iotests/114 b/tests/qemu-iotests/114
index 43cb0bc6c344..3e30b402bc4c 100755
--- a/tests/qemu-iotests/114
+++ b/tests/qemu-iotests/114
@@ -44,16 +44,16 @@ _supported_os Linux
# qcow2.py does not work too well with external data files
_unsupported_imgopts data_file
-# Intentionally specify backing file without backing format; demonstrate
-# the difference in warning messages when backing file could be probed.
-# Note that only a non-raw probe result will affect the resulting image.
+# Older qemu-img could set up backing file without backing format; modern
+# qemu can't but we can use qcow2.py to simulate older files.
truncate -s $((64 * 1024 * 1024)) "$TEST_IMG.orig"
-_make_test_img -b "$TEST_IMG.orig" 64M
+_make_test_img -b "$TEST_IMG.orig" -F raw 64M
+$PYTHON qcow2.py "$TEST_IMG" del-header-ext 0xE2792ACA
TEST_IMG="$TEST_IMG.base" _make_test_img 64M
$QEMU_IMG convert -O qcow2 -B "$TEST_IMG.orig" "$TEST_IMG.orig" "$TEST_IMG"
-_make_test_img -b "$TEST_IMG.base" 64M
-_make_test_img -u -b "$TEST_IMG.base" 64M
+_make_test_img -b "$TEST_IMG.base" -F $IMGFMT 64M
+_make_test_img -u -b "$TEST_IMG.base" -F $IMGFMT 64M
# Set an invalid backing file format
$PYTHON qcow2.py "$TEST_IMG" add-header-ext 0xE2792ACA "foo"
@@ -64,9 +64,9 @@ _img_info
$QEMU_IO -c "open $TEST_IMG" -c "read 0 4k" 2>&1 | _filter_qemu_io | _filter_testdir
$QEMU_IO -c "open -o backing.driver=$IMGFMT $TEST_IMG" -c "read 0 4k" | _filter_qemu_io
-# Rebase the image, to show that omitting backing format triggers a warning,
-# but probing now lets us use the backing file.
-$QEMU_IMG rebase -u -b "$TEST_IMG.base" "$TEST_IMG"
+# Rebase the image, to show that backing format is required.
+$QEMU_IMG rebase -u -b "$TEST_IMG.base" "$TEST_IMG" && echo "unexpected pass"
+$QEMU_IMG rebase -u -b "$TEST_IMG.base" -F $IMGFMT "$TEST_IMG"
$QEMU_IO -c "open $TEST_IMG" -c "read 0 4k" 2>&1 | _filter_qemu_io | _filter_testdir
# success, all done
diff --git a/tests/qemu-iotests/114.out b/tests/qemu-iotests/114.out
index 0a37d20c82a9..172454401257 100644
--- a/tests/qemu-iotests/114.out
+++ b/tests/qemu-iotests/114.out
@@ -1,12 +1,9 @@
QA output created by 114
-qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of raw)
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.orig
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.orig backing_fmt=raw
Formatting 'TEST_DIR/t.IMGFMT.base', fmt=IMGFMT size=67108864
-qemu-img: warning: Deprecated use of backing file without explicit backing format
-qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of IMGFMT)
+qemu-img: Use of backing file requires explicit backing format
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
-qemu-img: warning: Deprecated use of unopened backing file without explicit backing format, use of this image requires potentially unsafe format probing
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.base
image: TEST_DIR/t.IMGFMT
file format: IMGFMT
virtual size: 64 MiB (67108864 bytes)
@@ -17,7 +14,7 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Could not open backing file: Unknow
no file open, try 'help open'
read 4096/4096 bytes at offset 0
4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-qemu-img: warning: Deprecated use of backing file without explicit backing format, use of this image requires potentially unsafe format probing
+qemu-img: Could not change the backing file to '/home/eblake/qemu/build/tests/qemu-iotests/scratch/t.qcow2.base': Invalid argument
read 4096/4096 bytes at offset 0
4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
*** done
diff --git a/tests/qemu-iotests/301 b/tests/qemu-iotests/301
index 9f943cadbe24..220de1043fa5 100755
--- a/tests/qemu-iotests/301
+++ b/tests/qemu-iotests/301
@@ -3,7 +3,7 @@
#
# Test qcow backing file warnings
#
-# Copyright (C) 2020 Red Hat, Inc.
+# Copyright (C) 2020-2021 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -46,7 +46,6 @@ echo "== qcow backed by qcow =="
TEST_IMG="$TEST_IMG.base" _make_test_img $size
_make_test_img -b "$TEST_IMG.base" $size
-_img_info
_make_test_img -b "$TEST_IMG.base" -F $IMGFMT $size
_img_info
@@ -71,7 +70,6 @@ echo "== qcow backed by raw =="
rm "$TEST_IMG.base"
truncate --size=$size "$TEST_IMG.base"
_make_test_img -b "$TEST_IMG.base" $size
-_img_info
_make_test_img -b "$TEST_IMG.base" -F raw $size
_img_info
diff --git a/tests/qemu-iotests/301.out b/tests/qemu-iotests/301.out
index 9004dad6392f..e280658191e1 100644
--- a/tests/qemu-iotests/301.out
+++ b/tests/qemu-iotests/301.out
@@ -2,13 +2,7 @@ QA output created by 301
== qcow backed by qcow ==
Formatting 'TEST_DIR/t.IMGFMT.base', fmt=IMGFMT size=33554432
-qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of IMGFMT)
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
-image: TEST_DIR/t.IMGFMT
-file format: IMGFMT
-virtual size: 32 MiB (33554432 bytes)
-cluster_size: 512
-backing file: TEST_DIR/t.IMGFMT.base
+qemu-img: TEST_DIR/t.IMGFMT: Backing file specified without backing format
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
image: TEST_DIR/t.IMGFMT
file format: IMGFMT
@@ -36,13 +30,7 @@ cluster_size: 512
backing file: TEST_DIR/t.IMGFMT.base
== qcow backed by raw ==
-qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of raw)
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 backing_file=TEST_DIR/t.IMGFMT.base
-image: TEST_DIR/t.IMGFMT
-file format: IMGFMT
-virtual size: 32 MiB (33554432 bytes)
-cluster_size: 512
-backing file: TEST_DIR/t.IMGFMT.base
+qemu-img: TEST_DIR/t.IMGFMT: Backing file specified without backing format
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=raw
image: TEST_DIR/t.IMGFMT
file format: IMGFMT
--
2.31.1
3 years, 3 months