Re: [Qemu-devel] [PATCH] Make default invocation of block drivers safer

[Kevin Wolf <kwolf@redhat.com>]

Am 16.07.2010 18:16, schrieb Anthony Liguori:
> On 07/16/2010 11:06 AM, Markus Armbruster wrote:
>> Anthony Liguori<anthony@codemonkey.ws>  writes:
>>> To accomodate current use-cases with raw, let's introduce a new format
>>> called "probed_raw".  probed_raw's semantics will be the following:
>>>
>>> The signature of a probed_raw will be ~{'QFI\xfb', 'VMDK', 'COWD',
>>> OOOM', ...}.  If the signature is 'QRAW', then instead of reading the
>>> first sector at offset 0, we read the first sector at offset LENGTH.
>>> If the signature is 'QRAW', LENGTH is computed by calculating
>>> FILE_SIZE - 512.
>>>
>>> For probed_raw, write requests to sector 0 are checked.  If the first
>>> four bytes is an invalid probed_raw signature or QRAW, we write a QRAW
>>> signature to file offset 0 and copy the first sector to the end of the
>>> file redirecting reads and writes to the end of file.
>>>      
>> Doesn't this require an image that can grow?  What about host block
>> devices?
>>    
> 
> I don't believe we probe host block devices.  We assume they're raw 
> which means they would never be probed_raw.

We do probe them. And yes, I know you love qcow2 on block devices. ;-)

>>> An approach like this has the following properties:
>>>
>>> 1) We can make the bdrv_probe check 100% reliable and return a boolean.
>>> 2) In the cases where we known format=raw, none of this code is ever
>>> invoked.
>>> 3) probed_raw images usually look exactly like raw images in most cases
>>> 4) In the degenerate cases, probe_raw images are still mountable in
>>> the normal way.
>>> 5) Even after the QRAW signature is applied, if the guest writes a
>>> valid signature, we can truncate the file and make it appear as a
>>> normal raw image.
>>>
>>> Christoph/Markus/Stefan, does this seem like a more reasonable approach?
>>>      
>> I'm not convinced it's a good idea.  It's clearly a less bad idea,
>> though :)
>>
>> It avoids guest-visible lossage, and that's good.
>>
>> There's still host-visible lossage: as soon as we redirect sector 0, the
>> image isn't raw anymore, and accessing it with non-qemu tools (say
>> losetup + kpartx) no longer works.  You need to know what QEMU did to
>> your no-longer-raw image to work around the lossage (say losetup -o
>> 512).
>>    
> 
> Yeah, but as previously discussed, we can't probe raw.  So probed_raw 
> ends up being a compromise.
> 
>>>>     That they get an unsafe
>>>> default that way is a big surprise to them.  And I can't blame them!
>>>> Users can reasonably expect programs not to trap them.
>>>>
>>>> If we want to let users define drives without having to specify the
>>>> format, we can guess the format from the file name.
>>>>        
>> I still think guessing the format from the file name is a better
>> way to spare users from having to specify formats.
>>    
> I think that would be true if we did it from day 1 but it would be a 
> huge impact to users if we did it today.

I think I agree.

Kevin