Re: [Qemu-devel] [PATCH] Make default invocation of block drivers safer

[Kevin Wolf <kwolf@redhat.com>]

Am 15.07.2010 19:51, schrieb Anthony Liguori:
> On 07/15/2010 12:10 PM, Kevin Wolf wrote:
>> Am 15.07.2010 18:20, schrieb Anthony Liguori:
>>    
>>> I have another idea that I hope will solve the problem in a more
>>> complete way.  The fundamental issue is that it's impossible to probe
>>> raw images reliably.  We can probe qcow2, vmdk, etc but not raw.
>>>
>>> So, let's do the following: have raw_probe() always fail.  Probing
>>> shouldn't be a heuristic, it should be an absolute.  We can't prove it's
>>> a raw image, so we should always fail.
>>>
>>> To accomodate current use-cases with raw, let's introduce a new format
>>> called "probed_raw".  probed_raw's semantics will be the following:
>>>
>>> The signature of a probed_raw will be ~{'QFI\xfb', 'VMDK', 'COWD',
>>> 'OOOM', ...}.  If the signature is 'QRAW', then instead of reading the
>>> first sector at offset 0, we read the first sector at offset LENGTH.  If
>>> the signature is 'QRAW', LENGTH is computed by calculating FILE_SIZE - 512.
>>>
>>> For probed_raw, write requests to sector 0 are checked.  If the first
>>> four bytes is an invalid probed_raw signature or QRAW, we write a QRAW
>>> signature to file offset 0 and copy the first sector to the end of the
>>> file redirecting reads and writes to the end of file.
>>>
>>> An approach like this has the following properties:
>>>
>>> 1) We can make the bdrv_probe check 100% reliable and return a boolean.
>>> 2) In the cases where we known format=raw, none of this code is ever
>>> invoked.
>>> 3) probed_raw images usually look exactly like raw images in most cases
>>> 4) In the degenerate cases, probe_raw images are still mountable in the
>>> normal way.
>>> 5) Even after the QRAW signature is applied, if the guest writes a valid
>>> signature, we can truncate the file and make it appear as a normal raw
>>> image.
>>>
>>> Christoph/Markus/Stefan, does this seem like a more reasonable approach?
>>>      
>> I hope I may answer even though you didn't ask me. ;-)
>>    
> 
> Heh, you just seemed more agreeable to the overall concept but obviously 
> I value your input :-)
> 
>> This qraw format you introduce is a weird thing, mainly because
>> depending on a signature the first sectors moves to somewhere completely
>> else.
>>
>> If we want to introduce something, that's _almost_ raw and that we can
>> use by default, what about doing something similar to what statically
>> sized VHD images look like: take a raw image and attach a footer?
> 
> I guess this could work provided that the image size was not a multiple 
> of 512 and that all other image formats guaranteed that they were a 
> multiple of 512 or they also had a footer.
> 
> Makes me a little nervous though because it's easy to confuse an image 
> with a magic id and data at the end from an image with a special footer.

Yeah, I guess you're right. It would be hard to tell apart a qcow2 image
with a qraw footer in its data and a qraw image with a qcow2 header in
it's data.

Was just a thought...

Kevin