From: "Daniel P. Berrange" <berrange@redhat.com>
To: Ashish Mittal <ashmit602@gmail.com>
Cc: qemu-devel@nongnu.org, pbonzini@redhat.com, kwolf@redhat.com,
armbru@redhat.com, jcody@redhat.com, famz@redhat.com,
ashish.mittal@veritas.com, stefanha@gmail.com,
Rakesh.Ranjan@veritas.com, Buddhi.Madhav@veritas.com,
Ketan.Nilangekar@veritas.com, Abhijit.Dey@veritas.com,
Venkatesha.Mg@veritas.com
Subject: Re: [Qemu-devel] [PATCH v6 1/2] block/vxhs.c: Add support for a new block device type called "vxhs"
Date: Thu, 17 Nov 2016 16:01:24 +0000 [thread overview]
Message-ID: <20161117160124.GI28482@redhat.com> (raw)
In-Reply-To: <1478566785-4002-2-git-send-email-ashish.mittal@veritas.com>
On Mon, Nov 07, 2016 at 04:59:44PM -0800, Ashish Mittal wrote:
> Source code for the qnio library that this code loads can be downloaded from:
> https://github.com/MittalAshish/libqnio.git
>
> Sample command line using the JSON syntax:
> ./qemu-system-x86_64 -name instance-00000008 -S -vnc 0.0.0.0:0 -k en-us
> -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
> -msg timestamp=on
> 'json:{"driver":"vxhs","vdisk-id":"c3e9095a-a5ee-4dce-afeb-2a59fb387410",
> "server":{"host":"172.172.17.4","port":"9999"}}'
>
> Sample command line using the URI syntax:
> qemu-img convert -f raw -O raw -n
> /var/lib/nova/instances/_base/0c5eacd5ebea5ed914b6a3e7b18f1ce734c386ad
> vxhs://192.168.0.1:9999/c6718f6b-0401-441d-a8c3-1f0064d75ee0
I'm wondering what the security story is here. QEMU is connecting to a
remote TCP server but apparently not providing any username or password
or other form of credentials to authenticate itself with.
This seems to imply that the network server accepts connections to access
disks from any client anywhere. Surely this isn't correct, and there must
be some authentication scheme in there, to prevent the server being wide
open to any malicious attacker, whether on the network, or via a compromised
QEMU process accessing volumes it shouldn't ?
If there is authentication, then how is QEMU providing the credentials ?
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
next prev parent reply other threads:[~2016-11-17 16:01 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-08 0:59 [Qemu-devel] [PATCH v6 0/2] block/vxhs: Add Veritas HyperScale VxHS block device support Ashish Mittal
2016-11-08 0:59 ` [Qemu-devel] [PATCH v6 1/2] block/vxhs.c: Add support for a new block device type called "vxhs" Ashish Mittal
2016-11-14 15:07 ` Stefan Hajnoczi
2016-11-14 15:49 ` Fam Zheng
2016-11-14 16:50 ` Stefan Hajnoczi
2016-11-14 18:03 ` Fam Zheng
2016-11-14 19:06 ` Eric Blake
2016-11-15 2:04 ` Fam Zheng
2016-11-15 10:18 ` Stefan Hajnoczi
2016-11-15 12:44 ` Fam Zheng
2016-11-15 14:45 ` Stefan Hajnoczi
2016-11-15 15:00 ` Fam Zheng
2016-11-15 19:20 ` Stefan Hajnoczi
2016-11-15 20:39 ` ashish mittal
2016-11-15 20:40 ` Stefan Hajnoczi
2016-11-16 9:04 ` Markus Armbruster
2016-11-16 9:49 ` Fam Zheng
2016-11-16 11:27 ` Stefan Hajnoczi
2016-11-16 17:05 ` ashish mittal
2017-02-01 1:55 ` ashish mittal
2017-02-02 10:08 ` Stefan Hajnoczi
2017-02-08 21:23 ` ashish mittal
2016-11-15 15:52 ` Eric Blake
2016-11-15 7:49 ` Markus Armbruster
2016-11-15 20:49 ` ashish mittal
2016-11-17 16:01 ` Daniel P. Berrange [this message]
2016-11-08 0:59 ` [Qemu-devel] [PATCH v6 2/2] block/vxhs.c: Add qemu-iotests for new block device type "vxhs" Ashish Mittal
2016-11-08 20:44 ` Jeff Cody
2017-02-07 23:12 ` ashish mittal
2017-02-13 13:37 ` Stefan Hajnoczi
2017-02-13 16:32 ` Jeff Cody
2017-02-13 22:36 ` Ketan Nilangekar
2017-02-13 23:23 ` Jeff Cody
2017-02-14 3:02 ` Ketan Nilangekar
2017-02-14 7:43 ` ashish mittal
2017-02-14 16:35 ` Jeff Cody
2017-02-14 16:51 ` Daniel P. Berrange
2017-02-14 17:05 ` Jeff Cody
2017-02-14 18:12 ` Jeff Cody
2017-02-14 18:28 ` ashish mittal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161117160124.GI28482@redhat.com \
--to=berrange@redhat.com \
--cc=Abhijit.Dey@veritas.com \
--cc=Buddhi.Madhav@veritas.com \
--cc=Ketan.Nilangekar@veritas.com \
--cc=Rakesh.Ranjan@veritas.com \
--cc=Venkatesha.Mg@veritas.com \
--cc=armbru@redhat.com \
--cc=ashish.mittal@veritas.com \
--cc=ashmit602@gmail.com \
--cc=famz@redhat.com \
--cc=jcody@redhat.com \
--cc=kwolf@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.