From: Eric Blake
Date: Fri, 15 Jul 2016 09:18:52 -0600
Subject: Re: [Qemu-devel] [PATCH v4 11/11] nbd-server: Allow node name for nbd-server-add
To: Max Reitz, Kevin Wolf, qemu-block@nongnu.org
Cc: berto@igalia.com, qemu-devel@nongnu.org
Message-ID: <5788FEDC.9090501@redhat.com>
References: <1468502894-18098-1-git-send-email-kwolf@redhat.com> <1468502894-18098-12-git-send-email-kwolf@redhat.com> <578805C8.2070904@redhat.com>

On 07/15/2016 07:36 AM, Max Reitz wrote:
> On 14.07.2016 23:36, Eric Blake wrote:
>> On 07/14/2016 07:28 AM, Kevin Wolf wrote:
>>> There is no reason why an NBD server couldn't be started for any node,
>>> even if it's not on the top level. This converts nbd-server-add to
>>> accept a node-name.
>>>
>> Do we want to do any sanity checking that writing should only be
>> permitted on a root, and that when using a node name that is not a root
>> that writable must be false so as not to negatively change the BDS out
>> of under the feet of the other root? Do op-blockers already cover that?
>
> Well, one could argue that it's possible to create an NBD server on a
> non-root node today anyway, since creating BBs is not restricted to root
> nodes:
>
> blockdev-add(id=foo, other arguments...)
> blockdev-add(id=bar, backing=foo, other arguments...)
>
> And then you can create an NBD server on bar. I agree that this is not
> how it should be, though. However, I think that the fact that you need
> to specify a BB name for now deters people from doing stuff like that.
> If you can specify a node name, people will think it's completely fine
> to do so.

Creating a server on bar doesn't change the contents of foo, so I see
that as safe (foo can still be in use by other chains, and the server on
bar won't invalidate those chains).

>
> Also note that only allowing NBD servers to be created on a root node
> doesn't really help you:
>
> blockdev-add(node-name=foo, ...)
> nbd-server-add(device=foo)
> blockdev-add(id=bar, backing=foo, ...)

But THAT is indeed unsafe, if the server allows writes, because now the
contents of bar are at risk of being silently changed by any edits made
to foo. So the real restriction we want is that if foo is owned by a
read-write BB (the NBD server in this case), then creating another BDS
bar that uses foo as a backing is undesirable.

>
> So, yeah, I think we just need the new op-blockers for this, I don't
> think the current op blockers cover this.

I'm not sure either, which is why we're discussing it on list to make
sure we think about the restrictions and their implications.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
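
A minimal model of the restriction discussed in this thread, added here as an example; it is not QEMU code and not part of the original message. The `Node` struct and the functions `node_add_user` and `node_set_backing` are hypothetical names and do not correspond to QEMU's op-blocker API; the three scenario functions replay the command sequences quoted above.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of the rule discussed in the thread; not QEMU code. */
typedef struct Node {
    struct Node *backing;  /* node read through to, or NULL */
    int writers;           /* read-write users attached directly */
    int overlays;          /* nodes using this one as their backing */
} Node;

/* Attach a user such as an NBD export; refuse writers below an overlay. */
bool node_add_user(Node *n, bool writable)
{
    if (writable && n->overlays > 0)
        return false;
    if (writable)
        n->writers++;
    return true;
}

/* Make base the backing of overlay; refuse if base has a writer. */
bool node_set_backing(Node *overlay, Node *base)
{
    if (overlay->backing != NULL || base->writers > 0)
        return false;
    overlay->backing = base;
    base->overlays++;
    return true;
}

/* First sequence: bar on top of foo, then a writable export on bar. */
bool export_on_overlay_allowed(void)
{
    Node foo = {0}, bar = {0};
    return node_set_backing(&bar, &foo) && node_add_user(&bar, true);
}

/* Second sequence: writable export on foo, then bar with backing=foo. */
bool backing_under_writer_allowed(void)
{
    Node foo = {0}, bar = {0};
    return node_add_user(&foo, true) && node_set_backing(&bar, &foo);
}

/* Non-root node: only a read-only export is accepted on foo. */
bool readonly_only_on_backing(void)
{
    Node foo = {0}, bar = {0};
    return node_set_backing(&bar, &foo) && !node_add_user(&foo, true)
        && node_add_user(&foo, false);
}
```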