From: Jeff Cody <jcody@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: Ketan Nilangekar <Ketan.Nilangekar@veritas.com>,
Stefan Hajnoczi <stefanha@gmail.com>,
ashish mittal <ashmit602@gmail.com>,
qemu-devel <qemu-devel@nongnu.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Kevin Wolf <kwolf@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
Fam Zheng <famz@redhat.com>,
Ashish Mittal <Ashish.Mittal@veritas.com>,
John Ferlan <jferlan@redhat.com>,
Buddhi Madhav <Buddhi.Madhav@veritas.com>,
Suraj Singh <Suraj.Singh@veritas.com>,
Nitin Jerath <Nitin.Jerath@veritas.com>,
Peter Maydell <peter.maydell@linaro.org>,
Abhijit Dey <Abhijit.Dey@veritas.com>,
"Venkatesha M.G." <Venkatesha.Mg@veritas.com>,
Rakesh Ranjan <Rakesh.Ranjan@veritas.com>
Subject: Re: [Qemu-devel] [PATCH v8 1/2] block/vxhs.c: Add support for a new block device type called "vxhs"
Date: Tue, 21 Feb 2017 13:06:58 -0500 [thread overview]
Message-ID: <20170221180658.GO19045@localhost.localdomain> (raw)
In-Reply-To: <20170221173912.GO17041@redhat.com>
On Tue, Feb 21, 2017 at 05:39:12PM +0000, Daniel P. Berrange wrote:
> On Tue, Feb 21, 2017 at 05:21:46PM +0000, Ketan Nilangekar wrote:
> >
> >
> > On 2/21/17, 5:59 AM, "Stefan Hajnoczi" <stefanha@gmail.com> wrote:
> >
> > On Mon, Feb 20, 2017 at 03:34:57AM -0800, ashish mittal wrote:
> > > On Mon, Feb 20, 2017 at 3:02 AM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> > > > On Sat, Feb 18, 2017 at 12:30:31AM +0000, Ketan Nilangekar wrote:
> > > >> On 2/17/17, 1:42 PM, "Jeff Cody" <jcody@redhat.com> wrote:
> > > >>
> > > >> On Thu, Feb 16, 2017 at 02:24:19PM -0800, ashish mittal wrote:
> > > >> > Hi,
> > > >> >
> > > >> > I am getting the following error with checkpatch.pl
> > > >> >
> > > >> > ERROR: externs should be avoided in .c files
> > > >> > #78: FILE: block/vxhs.c:28:
> > > >> > +QemuUUID qemu_uuid __attribute__ ((weak));
> > > >> >
> > > >> > Is there any way to get around this, or does it mean that I would have
> > > >> > to add a vxhs.h just for this one entry?
> > > >> >
> > > >>
> > > >> I remain skeptical on the use of the qemu_uuid as a way to select the TLS
> > > >> cert.
> > > >>
> > > >> [ketan]
> > > >> Is there another identity that can be used for uniquely identifying instances?
> > > >> The requirement was to enforce vdisk access to owner instances.
> > > >
> > > > The qemu_uuid weak attribute looks suspect. What is going to provide a
> > > > strong qemu_uuid symbol?
> > > >
> > > > Why aren't configuration parameters like the UUID coming from the QEMU
> > > > command-line?
> > > >
> > > > Stefan
> > >
> > > UUID will in fact come from the QEMU command line. VxHS is not doing
> > > anything special here. It will just use the value already available to
> > > qemu-kvm process.
> > >
> > > QemuUUID qemu_uuid;
> > > bool qemu_uuid_set;
> > >
> > > Both the above are defined in vl.c. vl.c will provide the strong
> > > symbol when available. There are certain binaries that do not get
> > > linked with vl.c (e.g. qemu-img). The weak symbol will come into
> > > affect for such binaries, and in this case, the default VXHS UUID will
> > > get picked up. I had, in a previous email, explained how we plan to
> > > use the default UUID. In the regular case, the VxHS controller will
> > > not allow access to the default UUID (non qemu-kvm) binaries, but it
> > > may choose to grant temporary access to specific vdisks for these
> > > binaries depending on the workflow.
> >
> > That idea sounds like a security problem. During this time window
> > anyone could use the default UUID to access the data?
> >
> > Just make the UUID (or TLS client certificate file) a command-line
> > parameter that qemu-system, qemu-img, and other tools accept (e.g.
> > qemu-img via the --image-opts/--object syntax).
> >
> > [Ketan]
> > Sounds fair. Would it be ok to take this up after the driver is
> > merged for the upcoming QEMU release?
>
> I don't think we can merge code with known security flaws, particularly
> if fixing these flaws will involve adding and/or changing command line
> parameters for the block driver.
>
We do support some protocols, such as gluster, that do not have robust
authentication frameworks over tcp/ip. Of course, these protocols have been
in as a driver for several years (and, gluster does support unix sockets).
We seem to be establishing a rule for QEMU, that is "no new protocol drivers
without secure authentication". That is a good thing. The existence of
current protocol drivers that don't meet that criteria is potentially
confusing for new contributors, however. (As a side note to myself -- this
is probably a good thing to add to the wiki, if it is not there already).
I think a non-secure scheme is worse than no scheme at all, because it
becomes relied upon and promises something it cannot deliver. In that vein,
would you object to a vxhs protocol driver that did no authentication at all
(similar to gluster), or do you think the above rule is a new hard rule for
protocol drivers?
Jeff
next prev parent reply other threads:[~2017-02-21 18:07 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-16 22:24 [Qemu-devel] [PATCH v8 1/2] block/vxhs.c: Add support for a new block device type called "vxhs" ashish mittal
2017-02-17 21:42 ` Jeff Cody
2017-02-18 0:30 ` Ketan Nilangekar
2017-02-20 9:50 ` Daniel P. Berrange
2017-02-20 11:02 ` Stefan Hajnoczi
2017-02-20 11:34 ` ashish mittal
2017-02-21 10:59 ` Stefan Hajnoczi
2017-02-21 11:33 ` Daniel P. Berrange
2017-02-22 14:09 ` Stefan Hajnoczi
2017-02-22 14:22 ` Daniel P. Berrange
2017-02-22 14:44 ` Jeff Cody
2017-02-24 4:19 ` ashish mittal
2017-02-24 9:19 ` Daniel P. Berrange
2017-02-24 23:30 ` ashish mittal
2017-02-27 9:22 ` Daniel P. Berrange
2017-02-28 22:51 ` ashish mittal
2017-03-01 9:18 ` Daniel P. Berrange
2017-03-06 0:26 ` ashish mittal
2017-03-06 9:23 ` Daniel P. Berrange
2017-03-08 1:27 ` ashish mittal
2017-03-08 9:13 ` Daniel P. Berrange
2017-03-08 13:04 ` Ketan Nilangekar
2017-03-08 17:59 ` ashish mittal
2017-03-08 18:11 ` Daniel P. Berrange
2017-03-11 3:04 ` ashish mittal
2017-03-13 9:56 ` Daniel P. Berrange
2017-03-13 9:57 ` Daniel P. Berrange
2017-03-17 0:29 ` ashish mittal
2017-03-18 1:44 ` ashish mittal
2017-03-20 12:55 ` Daniel P. Berrange
2017-03-23 0:03 ` ashish mittal
2017-03-27 3:07 ` ashish mittal
2017-02-21 17:21 ` Ketan Nilangekar
2017-02-21 17:39 ` Daniel P. Berrange
2017-02-21 18:06 ` Jeff Cody [this message]
2017-02-21 18:56 ` Daniel P. Berrange
2017-02-21 19:25 ` Jeff Cody
2017-02-22 10:12 ` Daniel P. Berrange
2017-02-22 14:25 ` Stefan Hajnoczi
2017-02-20 9:44 ` Daniel P. Berrange
-- strict thread matches above, loose matches on Subject: below --
2017-02-09 5:23 Ashish Mittal
2017-02-09 6:29 ` Jeff Cody
2017-02-09 9:24 ` ashish mittal
2017-02-09 14:32 ` Jeff Cody
2017-02-09 16:14 ` ashish mittal
2017-02-09 16:50 ` Jeff Cody
2017-02-09 18:08 ` ashish mittal
2017-02-09 18:45 ` ashish mittal
2017-02-10 0:27 ` ashish mittal
2017-02-10 2:18 ` Jeff Cody
2017-02-14 20:51 ` Jeff Cody
2017-02-14 22:34 ` ashish mittal
2017-02-15 3:02 ` ashish mittal
2017-02-15 3:54 ` Jeff Cody
2017-02-15 20:34 ` ashish mittal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170221180658.GO19045@localhost.localdomain \
--to=jcody@redhat.com \
--cc=Abhijit.Dey@veritas.com \
--cc=Ashish.Mittal@veritas.com \
--cc=Buddhi.Madhav@veritas.com \
--cc=Ketan.Nilangekar@veritas.com \
--cc=Nitin.Jerath@veritas.com \
--cc=Rakesh.Ranjan@veritas.com \
--cc=Suraj.Singh@veritas.com \
--cc=Venkatesha.Mg@veritas.com \
--cc=armbru@redhat.com \
--cc=ashmit602@gmail.com \
--cc=berrange@redhat.com \
--cc=famz@redhat.com \
--cc=jferlan@redhat.com \
--cc=kwolf@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).