From: Peter Krempa <pkrempa@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
"libvirt-list@redhat.com" <libvirt-list@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
qemu-devel@nongnu.org
Subject: Re: Let's remove some deprecated stuff
Date: Tue, 4 May 2021 15:59:44 +0200 [thread overview]
Message-ID: <YJFTUEEfPOPPnC01@angien.pipo.sk> (raw)
In-Reply-To: <ccc48bde-3e8f-3abb-f062-77bd04d6cc93@redhat.com>
On Mon, May 03, 2021 at 13:21:47 -0500, Eric Blake wrote:
> On 4/29/21 4:59 AM, Markus Armbruster wrote:
[...]
> > qemu-img backing file without format (since 5.1)
> > ''''''''''''''''''''''''''''''''''''''''''''''''
> >
> > The use of ``qemu-img create``, ``qemu-img rebase``, or ``qemu-img
> > convert`` to create or modify an image that depends on a backing file
> > now recommends that an explicit backing format be provided. This is
> > for safety: if QEMU probes a different format than what you thought,
> > the data presented to the guest will be corrupt; similarly, presenting
> > a raw image to a guest allows a potential security exploit if a future
> > probe sees a non-raw image based on guest writes.
> >
> > To avoid the warning message, or even future refusal to create an
> > unsafe image, you must pass ``-o backing_fmt=`` (or the shorthand
> > ``-F`` during create) to specify the intended backing format. You may
> > use ``qemu-img rebase -u`` to retroactively add a backing format to an
> > existing image. However, be aware that there are already potential
> > security risks to blindly using ``qemu-img info`` to probe the format
> > of an untrusted backing image, when deciding what format to add into
> > an existing image.
>
> I'm not sure how widely used these were, but I'm game for writing a
> patch to drop them. I'm fairly certain libvirt is not using them.
This is certainly seeing some upstream "use" from random scripts and
possibly also libguestfs.
There are few limited scenarios when probing format is still safe if you
are not 100% sure what the original format of the image was.
I'm afraid that removing this will (at least when used with libvirt)
remove the potential detection of the unsafe scenarios and prompt people
to modify their code to do plainly:
1) probe format of backing file
2) use it in the new overlay without considering the implications
This is IMO less-safe because libvirt will consider the backing chain
without questioning security.
> > Kevin Wolf:
> >
> > ``nbd-server-add`` and ``nbd-server-remove`` (since 5.2)
> > ''''''''''''''''''''''''''''''''''''''''''''''''''''''''
> >
> > Use the more generic commands ``block-export-add`` and ``block-export-del``
> > instead. As part of this deprecation, where ``nbd-server-add`` used a
> > single ``bitmap``, the new ``block-export-add`` uses a list of ``bitmaps``.
>
> Peter, is libvirt good for this one to go?
Yes, libvirt added support for block-export-add usage in favor of
nbd-server-add in:
https://gitlab.com/libvirt/libvirt/-/commit/8c67e389d6367af2ef6dbe2f578c585e2150558d
6.8.0-379-g8c67e389d6
It was briefly disabled since qemu decided to change the design of
block-export-add-before it was really released since the change happened
around a libvirt release:
https://gitlab.com/libvirt/libvirt/-/commit/b87cfc957f57c1d9f7e5bf828ee4b23972085991
v6.9.0-rc1-7-gb87cfc957f
and then re-enabled in
https://gitlab.com/libvirt/libvirt/-/commit/42558a43f87f5a3e73bacb88baf425648415a06f
v6.9.0-8-g42558a43f8
prev parent reply other threads:[~2021-05-04 14:01 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-29 9:59 Let's remove some deprecated stuff Markus Armbruster
2021-04-29 10:18 ` Gerd Hoffmann
2021-04-29 10:24 ` Daniel P. Berrangé
2021-04-29 10:29 ` Peter Maydell
2021-04-29 10:35 ` Daniel P. Berrangé
2021-04-29 10:55 ` Gerd Hoffmann
2021-04-30 10:47 ` Markus Armbruster
2021-04-29 11:07 ` Paolo Bonzini
2021-04-29 10:25 ` Peter Maydell
2021-04-29 10:32 ` Daniel P. Berrangé
2021-04-30 6:47 ` Markus Armbruster
2021-04-29 11:06 ` Paolo Bonzini
2021-04-29 12:40 ` Gerd Hoffmann
2021-04-29 13:12 ` Kevin Wolf
2021-04-29 13:46 ` Gerd Hoffmann
2021-04-29 15:05 ` Philippe Mathieu-Daudé
2021-04-30 7:01 ` Markus Armbruster
2021-04-30 7:01 ` Gerd Hoffmann
2021-05-03 15:10 ` Paolo Bonzini
2021-04-29 11:17 ` Thomas Huth
2021-04-29 11:24 ` Peter Maydell
2021-05-03 10:39 ` Markus Armbruster
2021-04-29 14:49 ` Stefan Hajnoczi
2021-04-29 16:32 ` Eduardo Habkost
2021-04-30 3:22 ` Robert Hoo
2021-05-03 1:41 ` Alistair Francis
2021-05-03 4:49 ` Thomas Huth
2021-05-03 7:12 ` Alistair Francis
2021-05-03 15:13 ` Paolo Bonzini
2021-05-03 22:57 ` Alistair Francis
2021-05-03 13:14 ` Philippe Mathieu-Daudé
2021-05-03 18:21 ` Eric Blake
2021-05-04 13:59 ` Peter Krempa [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YJFTUEEfPOPPnC01@angien.pipo.sk \
--to=pkrempa@redhat.com \
--cc=armbru@redhat.com \
--cc=eblake@redhat.com \
--cc=kwolf@redhat.com \
--cc=libvirt-list@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).