Message-ID: <4E292543.5060305@redhat.com>
Date: Fri, 22 Jul 2011 09:22:43 +0200
From: Kevin Wolf
References: <4E253136.4080509@redhat.com> <4E258635.2040108@redhat.com> <4E258D70.6000205@redhat.com> <4E25902D.2000403@redhat.com> <4E2593B0.1030508@redhat.com> <4E2594FB.4050203@redhat.com> <20110719164613.GE12026@redhat.com> <4E269070.8050101@redhat.com> <20110720093609.GA5015@redhat.com> <4E27E5A2.2030208@redhat.com> <4E28317D.9020502@redhat.com>
Subject: Re: [Qemu-devel] live snapshot wiki updated
To: Stefan Hajnoczi
Cc: "libvir-list@redhat.com", Jes Sorensen, Eric Blake, QEMU Developers, Stefan Hajnoczi

On 21.07.2011 17:01, Stefan Hajnoczi wrote:
> On Thu, Jul 21, 2011 at 3:02 PM, Eric Blake wrote:
>> Thank you for persisting - you've found another hole that needs to be
>> plugged. It sounds like you are proposing that after a qemu process dies,
>> libvirt re-reads the qcow2 metadata headers and validates that the
>> backing file information has not changed in a manner unexpected by libvirt.
>> If it has, then the qemu process that just died was compromised to the
>> point that restarting a new qemu process from the old image is now a
>> security risk. So this is _yet another_ security aspect that needs to be
>> coded into libvirt as part of hardening sVirt.
>
> The backing file information changes when image streaming completes.
>
> Before: fedora.img <- my_vm.qed
> After:  my_vm.qed (fedora.img is no longer referenced)
>
> The image streaming operation copies data out of fedora.img and
> populates my_vm.qed. When image streaming completes, the backing file
> is no longer needed and my_vm.qed is updated to drop the backing file.
>
> I think we need to design carefully to prevent QEMU and libvirt making
> incorrect assumptions about who does what. I really wish that all
> this image file business was outside QEMU and libvirt - that we had a
> separate storage management service which handled the details. QEMU
> would only do block device operations (no image format manipulation),
> and libvirt would only delegate to the storage management service.

And how do you implement that in a way that works on all platforms, and
without root privileges? I can't see this happening unless it stays
completely optional.

Kevin
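The check Eric describes above (re-read the image header after the QEMU process exits, and refuse to restart if the backing-file pointer changed in a way the manager did not cause), together with the legitimate exception Stefan raises (the backing file disappearing when streaming completes), as an added example that is not libvirt or QEMU code. It parses the public qcow2 header layout (the thread's `my_vm.qed` is a QED image, which has a different header and is not handled here); the restart policy in `restart_allowed()`, the placeholder table offsets in the constructed sample headers, and the helper names are assumptions for illustration.

```python
"""Re-check a qcow2 image's backing-file pointer after the QEMU that used it
has exited, before a new QEMU is started from the same image.

Added example, not libvirt or QEMU code.  Header layout follows the public
qcow2 format (all fields big-endian).  The policy in restart_allowed() is an
assumption about what a management layer would want: the only legitimate
change is the backing file vanishing after a streaming job the manager itself
started and recorded.
"""
import struct

QCOW_MAGIC = b"QFI\xfb"                     # 0x514649fb
# qcow2 version-2 header; the fields used here sit at the same offsets in v3.
HEADER_FMT = ">4sIQIIQIIQQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 72 bytes
MAX_BACKING_NAME = 1023                     # QEMU rejects longer names


def parse_backing_file(image: bytes):
    """Return (version, backing_file_name_or_None) from a qcow2 image's header.

    Raises ValueError for anything that is not a sane header: wrong magic,
    unknown version, implausible cluster size, or a backing-file pointer that
    leaves the first cluster.  A compromised guest that rewrote the header
    should end up here or in a name mismatch, never in a silent success.
    """
    if len(image) < HEADER_LEN:
        raise ValueError("image shorter than a qcow2 header")
    (magic, version, bf_off, bf_size, cluster_bits, _size, _crypt, _l1_size,
     _l1_off, _rc_off, _rc_clusters, _nb_snap, _snap_off) = struct.unpack_from(
        HEADER_FMT, image, 0)
    if magic != QCOW_MAGIC:
        raise ValueError("bad magic, not a qcow2 image")
    if version not in (2, 3):
        raise ValueError(f"unsupported qcow2 version {version}")
    if not 9 <= cluster_bits <= 21:                  # 512 B .. 2 MiB clusters
        raise ValueError(f"implausible cluster_bits {cluster_bits}")
    if bf_off == 0 and bf_size == 0:
        return version, None                         # standalone image
    cluster_size = 1 << cluster_bits
    if (bf_size > MAX_BACKING_NAME or bf_off < HEADER_LEN
            or bf_off + bf_size > cluster_size or bf_off + bf_size > len(image)):
        raise ValueError("backing file name pointer is out of bounds")
    name = image[bf_off:bf_off + bf_size]
    return version, name.decode("utf-8", errors="surrogateescape")


def restart_allowed(image: bytes, expected_backing, stream_completed=False):
    """Decide whether the manager may start a new QEMU from this image.

    expected_backing: the backing file recorded when the guest was last
    started (None for a standalone image).  stream_completed: the manager's
    own record that an image-streaming job finished, the one case in which
    the backing file may legitimately have disappeared.  Returns (allowed, reason).
    """
    try:
        _version, actual = parse_backing_file(image)
    except ValueError as exc:
        return False, f"header rejected: {exc}"
    if actual == expected_backing:
        return True, "backing file unchanged"
    if actual is None and expected_backing is not None and stream_completed:
        return True, "backing file dropped by a streaming job we started"
    return False, f"backing file changed from {expected_backing!r} to {actual!r}"


def make_qcow2_header(backing, cluster_bits=16) -> bytes:
    """Constructed sample: first cluster of a data-less v2 image.  Virtual size
    and table offsets are plausible placeholders, not from a real image."""
    cluster = 1 << cluster_bits
    name = backing.encode() if backing else b""
    hdr = struct.pack(HEADER_FMT, QCOW_MAGIC, 2,
                      HEADER_LEN if name else 0, len(name),  # backing file ptr
                      cluster_bits, 1 << 30,                 # cluster bits, size
                      0, 1, 3 * cluster,                     # no crypto, L1 table
                      cluster, 1,                            # refcount table
                      0, 0)                                  # no snapshots
    return (hdr + name).ljust(cluster, b"\0")


def corrupt_backing_file_size(image: bytes, new_size: int) -> bytes:
    """Constructed tampering: overwrite backing_file_size (header offset 16)."""
    buf = bytearray(image)
    struct.pack_into(">I", buf, 16, new_size)
    return bytes(buf)


if __name__ == "__main__":
    before = make_qcow2_header("fedora.img")      # fedora.img <- my_vm
    after = make_qcow2_header(None)               # streaming finished
    tampered = make_qcow2_header("/etc/shadow")   # attacker-chosen path
    broken = corrupt_backing_file_size(before, 1 << 16)
    for label, img, done in [("unchanged", before, False),
                             ("stream done, recorded", after, True),
                             ("stream done, not recorded", after, False),
                             ("retargeted", tampered, False),
                             ("oversized name field", broken, False)]:
        print(f"{label:28s} -> {restart_allowed(img, 'fedora.img', done)}")
```

The manager reads the file itself; asking the (possibly compromised) QEMU for the answer would defeat the point. Comparing the name alone is the minimum: a real implementation would also compare the backing-format header extension and resolve relative names against the image's directory before deciding, and would treat "backing file dropped" as legitimate only when its own job record says streaming completed, which is exactly the "who does what" bookkeeping Stefan is asking to design carefully.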