[libvirt] [PATCHv2 0/2] qemu: add new disk device='lun' for bus='virtio' & type='block'

Paolo Bonzini pbonzini at redhat.com
Thu Jan 5 08:02:11 UTC 2012


On 01/05/2012 06:49 AM, KAMEZAWA Hiroyuki wrote:
> Hmm, won't this force admins to rewrite their domain definitions?
> Some admin may need to refresh 100s of domain definitions when he upgrades
> distro...
>
> How about
>
> <disk type='block' device='disk' dev='/dev/sda'>  <!-- SG_IO on -->
> <disk type='block' device='sdisk' dev='/dev/sda'>  <!-- SG_IO off -->
> (sdisk = secure disk)
>
> and make 'sdisk' as default?

We believe that most sites are not passing entire disks, and thus cannot 
anyway use SG_IO.  That is because you need special precautions when 
passing entire disks (for example to avoid that LVM scans them for 
volume groups).  If you're not passing an entire disk to the VM, 
disabling SG_IO by default will protect you against CVE-2011-4127.

Even if you *are* passing an entire disk (for example an iSCSI share), 
it's relatively rare that you need SG_IO access.

Making your proposed 'sdisk' the default does not help, because usually 
the .xml files that libvirt stores include all attributes even when they 
have a default value.  See also the ideas I posted recently for extended 
SCSI support to see why it is important to distinguish 'lun' on one side 
from 'disk' and 'cdrom' on the other: in the SCSI case you can have a 
passthrough disk, an emulated hard disk or an emulated CD-ROM. 
Something like 'sdisk' would not extend easily to the SCSI case.

This is why we are explicitly requiring administrators to opt into the 
SG_IO feature.  We know that this can be a nuisance in some scenarios, 
but those are the minority and it is better if everybody enjoys more 
security by default.

Paolo
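
An audit sketch for the opt-in discussed in this message, added here as an example and not part of the original e-mail or of libvirt: it lists the disks in a domain definition that request SG_IO through device='lun' and flags sources that do not look like an entire disk. The sample XML, the function name and the path heuristic are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not taken from the thread).
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <disk type='block' device='disk'>
      <source dev='/dev/sdb'/><target dev='vda' bus='virtio'/>
    </disk>
    <disk type='block' device='lun'>
      <source dev='/dev/sdc'/><target dev='vdb' bus='virtio'/>
    </disk>
    <disk type='block' device='lun'>
      <source dev='/dev/mapper/vg0-guest1'/><target dev='vdc' bus='virtio'/>
    </disk>
    <disk type='file' device='lun'>
      <source file='/srv/images/a.img'/><target dev='vdd' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""

# Assumed heuristic: device paths that look like a partition or an LVM volume.
NOT_WHOLE_DISK = re.compile(r"^/dev/(mapper/|dm-\d+$|[sv]d[a-z]+\d+$|[^/]+/[^/]+$)")

def audit_lun_disks(domain_xml):
    """Return (target, source, finding) for each disk that opts into SG_IO."""
    findings = []
    for disk in ET.fromstring(domain_xml).iter("disk"):
        if disk.get("device") != "lun":
            continue  # device='disk' / 'cdrom': no SG_IO opt-in
        src, tgt = disk.find("source"), disk.find("target")
        path = "" if src is None else src.get("dev") or src.get("file") or ""
        name = "?" if tgt is None else tgt.get("dev", "?")
        if disk.get("type") != "block":
            finding = "unexpected: device='lun' without type='block'"
        elif NOT_WHOLE_DISK.match(path):
            finding = "review: source does not look like an entire disk"
        else:
            finding = "ok: explicit opt-in on a whole-disk path"
        findings.append((name, path, finding))
    return findings

if __name__ == "__main__":
    for row in audit_lun_disks(SAMPLE_DOMAIN_XML):
        print(*row, sep="\t")
```
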



