Hello Eric,
On Wednesday, 27 February 2013, 02:00:07, Eric Blake wrote:
On 02/26/2013 05:42 AM, Philipp Hahn wrote:
> Add format/@type entries to examples to show what the text is talking
> about.
>
> Signed-off-by: Philipp Hahn <hahn(a)univention.de>
> ---
>
> docs/storage.html.in | 4 ++++
> 1 file changed, 4 insertions(+)
>
> +++ b/docs/storage.html.in
> @@ -185,6 +185,7 @@
>
> <name>virtimages</name>
> <source>
>
> <device path="/dev/VolGroup00/VirtImages"/>
>
> + <format type="auto"/>
>
> </source>
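
Review bot: The added <format type="auto"/> under <source> is not explained in the visible hunk or in the commit message, which only says the entries "show what the text is talking about". Consider a sentence next to the example stating that this is the pool's source format and what "auto" means for it, so readers do not carry the value over to volume or disk image definitions, where format probing is the concern raised in this review.
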
Question - is type="auto" safe, or does it risk the CVE where a raw
image can be abused by a guest in a manner to make libvirt mis-detect
the storage as some other type, and potentially causing libvirt to
follow a backing chain outside of the guest's permitted reach?
Good question!
I just re-checked the three additions of <format type="auto"/>, which all
happen for storage pools, not storage volumes. So they are not accessible by
VMs.
Depending on the answer, either this is safe to push as-is into 1.0.3,
or we should revisit all mention of type="auto" to clarify the danger of
relying on probing.
The "auto" values are also the defaults from src/conf/storage_conf.c:
$ grep -n "defaultFormat = VIR_STORAGE_POOL_" src/conf/storage_conf.c
152: .defaultFormat = VIR_STORAGE_POOL_LOGICAL_LVM2,
167: .defaultFormat = VIR_STORAGE_POOL_FS_AUTO,
181: .defaultFormat = VIR_STORAGE_POOL_NETFS_AUTO,
239: .defaultFormat = VIR_STORAGE_POOL_DISK_UNKNOWN,
I chose "auto" because that looked like a safe default, before any admin
accidentally wipes his pools.
For the disk pool I chose "gpt" because "unknown" somehow looked strange and
"msdos" is limited to 2 TB, so the second recommendation looked best to me.
To me "auto" looks safe.
Sincerely
Philipp
--
Philipp Hahn Open Source Software Engineer hahn(a)univention.de
Univention GmbH be open. fon: +49 421 22 232- 0
Mary-Somerville-Str.1 D-28359 Bremen fax: +49 421 22 232-99
http://www.univention.de/
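
An added example, not part of the thread or of libvirt's code: it resolves the effective source format of a pool definition, falling back to the per-type defaults from the grep output above, and marks pools whose format is not pinned to a concrete value. The pool XML samples, the function names and the mapping of enum names to XML strings are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Defaults per pool type, read from the grep output quoted in the thread.
# The mapping of enum names to XML spellings is this example's assumption.
POOL_DEFAULT_FORMAT = {
    "logical": "lvm2",    # VIR_STORAGE_POOL_LOGICAL_LVM2
    "fs": "auto",         # VIR_STORAGE_POOL_FS_AUTO
    "netfs": "auto",      # VIR_STORAGE_POOL_NETFS_AUTO
    "disk": "unknown",    # VIR_STORAGE_POOL_DISK_UNKNOWN
}
NOT_PINNED = {"auto", "unknown"}  # values that do not name a concrete format

# Constructed pool definitions for the demonstration.
SAMPLE_POOLS = [
    '<pool type="fs"><name>virtimages</name><source>'
    '<device path="/dev/VolGroup00/VirtImages"/><format type="auto"/>'
    '</source></pool>',
    '<pool type="fs"><name>implicit</name><source>'
    '<device path="/dev/sdb1"/></source></pool>',
    '<pool type="disk"><name>sda</name><source>'
    '<device path="/dev/sda"/><format type="gpt"/></source></pool>',
    '<pool type="logical"><name>HostVG</name><source>'
    '<device path="/dev/sdc1"/></source></pool>',
]

def effective_pool_format(pool_xml):
    """Return (name, pool type, effective format, origin, not pinned?)."""
    pool = ET.fromstring(pool_xml)
    if pool.tag != "pool":
        raise ValueError("not a pool definition: <%s>" % pool.tag)
    ptype = pool.get("type", "")
    fmt = pool.find("./source/format")
    if fmt is not None and fmt.get("type"):
        value, origin = fmt.get("type"), "explicit"
    else:
        # No <format> in <source>: the per-type default applies.
        value, origin = POOL_DEFAULT_FORMAT.get(ptype), "default"
    return (pool.findtext("name"), ptype, value, origin, value in NOT_PINNED)

def audit(pools):
    """Resolve every pool definition in the list."""
    return [effective_pool_format(p) for p in pools]

if __name__ == "__main__":
    for name, ptype, value, origin, loose in audit(SAMPLE_POOLS):
        note = "  <- format not pinned" if loose else ""
        print("%-12s type=%-8s format=%-8s (%s)%s"
              % (name, ptype, value, origin, note))
```
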