On Wed, Feb 19, 2020 at 17:40:34 +0100, Peter Krempa wrote:
On Wed, Feb 19, 2020 at 10:21:00 -0600, Eric Blake wrote:
> On 2/17/20 11:13 AM, Peter Krempa wrote:
[...]
> > With pre-blockdev configurations this will restore the
previous
> > behaviour for the images mentioned above as qemu would probe the format
> > anyways. It also improves error reporting compared to the old state as
> > we now report that the backing chain will be broken in case when there
> > is a backing file.
>
> Improved error reporting because the probe returned qcow2 that would have
> required us to chase a backing file is fine; but while blindly accepting a
> qcow2 probe result when there is no backing file might avoid the security
> issue of chasing a backing file under guest control, it does not solve the
As said, we allowed that before and it's fixed with blockdev.
> data corruption issue of interpreting data as qcow2 that should
have been
> interpreted as raw.
Also don't forget that there's the issue of mis-detecting qcow2 as raw.
That results in worse as the other way around as qemu will object if an
image is not really qcow2 if being told that it is. If we declare it as
raw, the guests starts and sees garbage. [1]
This means that if we don't want to allow probing of 'qcow2 without
backing' as working in the above scenario, we are better of just always
requiring users to pass the format in the overlay as It's not worth just
doing it for 'raw' images with all the potential drawbacks of
mis-detecting qcow2 as raw.
[1] That's what happened when blockdev was introduced and it resulted in
the logic which I'm wanting to relax. We didn't refuse it before.