On Mon, Feb 24, 2020 at 14:24:15 +0000, Daniel Berrange wrote:
On Mon, Feb 24, 2020 at 02:34:16PM +0100, Peter Krempa wrote:
> On Wed, Feb 19, 2020 at 13:12:53 -0600, Eric Blake wrote:
[...]
> I'll reiterate the historical state of the problem because I
think it's
> important:
>
> Pre-blockdev:
> - we internally assumed that if the image format of an backing image
> was not present in the overlay it is 'raw'
> - this influenced security labelling but not actually how qemu viewed
> or probed the file. If it was qcow2 probed as qcow2 qemu opened it
> as qcow2 possibly even including the backing file if selinux or
> other mechanism didn't prevent it.
>
> post-blockdev:
> - the assumption of 'raw' would now be expressed into the qemu
> configuration. This assumption turned into data corruption since we
> no longer allowed qemu to probe the format and forced it as raw.
> - fix was to always require the format to be recorded in the overlay
> - this made users unhappy who neglected to record the format into the
> overlay when creating it manually
So the key problem we have is that with -blockdev we are always explicitly
telling QEMU what the backing file is for every image.
Can we fix this to have the exact same behaviour as before by *not* telling
QEMU anything about the backing file when using -blockdev, if there is no
well defined backing format present. ie, use -blockdev, but let QEMU probe
just as it did in non-blockdev days.
Would there be any downsides to this that did not already exist in the
non-blockdev days ?
We can, but the price is that:
1) we won't allow blockjobs and anything blockdev-related because node
name would be out of our control. This was possible in pre-blockdev era.
2) we will lose control of actually telling qemu to NOT open the backing
file in that case. Distros using only unix permission still have
arbitrary file access under permissions of the qemu process.
3) weird special-case code, because we need to keep some metadata about
the image to do security labelling
I don't think we can solve the regressions in behaviour of
backing files
by doing probing of the backing files in libvirt, because that only works
for the case where libvirt can actually open the file. ie a local file on
disk. We don't have logic for opening backing files on RBD, GlusterFS,
iSCSI, HTTP, SSH, etc, and nor do we want todo that.
Now we are back in the teritory where we actually do match what would
happen with previously. We don't specify these on the command line with
ehaviour matching what's described above, with the caveats as above.
I kept this behaviour because we couldn't do better. This is in place
even now if the last introspectable image has valid format specified.
We can reconsider how to approach this but ideally separately.
So to me it looks like the only viable option is to not specify the
backing file info to QEMU at all.
> Now this adds an interresting dimension to this problem. If libvirt
> forces the users to specify the image format, and the users don't know
> it they will probe. So we are basically making this a problem of
> somebody else. [2] As you can see in that patch, it uses 'qemu-img'
> anyways and also additionally actually allows the chain to continue
> deeper! [3]
Yeah, this is a really bad situation given the difficulty in safely
using qemu-img, without also breaking valid usage.
We don't want to push this off to apps
> This boils down to whether we want to accept some possibility of image
> corruption in trade for avoiding regression of behaviour in the secure
> cases as well as management apps and users not having to re-invent when
> probing an image is actually safe.
I feel like the risk of image corruption is pretty minor. Our probing
handles all normal cases the same way as QEMU and newly introduced
image formats are rare.
Well, in this case I'm actually for re-considering the original patch
discussed here. It uses image-format-probing code from libvirt, to allow
the most common cases which were forbidden in a safe way. This means
that as long as we can probe the image and the probed image does not
have a backing file we allow the startup.
It restores previous behaviour for valid cases including blockjobs,
correctly revokes invalid cases (existing chain after image wihtout
format, images impossible to introspect), is limited to the backing
store walking code so can be contained and the price is doing the image
format detection using libvirt's code.