[PATCH v3 4/4] qemu-img: Deprecate use of -b without -F
Eric Blake
eblake at redhat.com
Mon Mar 9 15:42:25 UTC 2020
On 3/9/20 10:31 AM, Kashyap Chamarthy wrote:
> After (with the patch series applied to QEMU Git):
>
> $> git describe
> v4.2.0-2204-gd6c7830114
>
> # Create; *without* specifying "-F raw"
> $> ~/build/qemu/qemu-img create -f qcow2 -b ./base.raw ./overlay2.qcow2
> qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of raw)
> Formatting './overlay2.qcow2', fmt=qcow2 size=4294967296 backing_file=./base.raw backing_fmt=raw cluster_size=65536 lazy_refcounts=off refcount_bits=16
If you'll note, this case _did_ write an implied backing_fmt=raw into
the image. Contrast that with creating an image on a qcow2 backing
file, which tells you it detected a format of qcow2, but does NOT write
backing_fmt=qcow2 into the image (this was a change from v2, at Peter's
request). Thus, when the backing is raw, we warn but future use of the
image is now safe where it previously was not; when the backing file is
non-raw, we warn but do not change our behavior, but because the backing
file is non-raw any future probes will not be any less safe than before.
>
> # Rebase; *without* specifying "-F raw"
> $> ~/build/qemu/qemu-img rebase -b base.raw overlay1.qcow2
> qemu-img: warning: Deprecated use of backing file without explicit backing format, use of this image requires potentially unsafe format probing
>
>
> However, for the "Convert" case, is it correct that no warning is thrown
> for the below?
>
> $> ~/build/qemu/qemu-img info overlay1.qcow2
> image: overlay1.qcow2
> file format: qcow2
> virtual size: 4 GiB (4294967296 bytes)
> disk size: 196 KiB
> cluster_size: 65536
> backing file: base.raw
> Format specific information:
> compat: 1.1
> lazy refcounts: false
> refcount bits: 16
> corrupt: false
We have an image with no backing format, so we had to probe. This patch
series did not change the behavior of opening an existing image, only
for creating a new image (or amending an image in-place). So the lack
of a warning on opening the unsafe image may be desirable, but it would
be via even more patches.
>
>
> $> ~/build/qemu/qemu-img convert -f qcow2 -O qcow2 overlay1.qcow2 flattened.raw
Ouch - you are creating a qcow2 destination file named 'flattened.raw',
which is rather confusing on your part.
However, as your destination file is being created without a backing
image, it is to be expected that there is no warning (when there is no
backing file, -F makes no sense). To provoke the warning during
convert, you'll have to also pass -B (or -o backing_file), without -o
backing_fmt (since convert lacks the -F shorthand).
>
> $> echo $?
> 0
>
>> diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
>> index 6c1d9034d9e3..a8ffacf54a52 100644
>> --- a/docs/system/deprecated.rst
>> +++ b/docs/system/deprecated.rst
>> @@ -376,6 +376,25 @@ The above, converted to the current supported format::
>> Related binaries
>> ----------------
>>
>> +qemu-img backing file without format (since 5.0.0)
>> +''''''''''''''''''''''''''''''''''''''''''''''''''
>> +
>> +The use of ``qemu-img create``, ``qemu-img rebase``, ``qemu-img
>> +convert``, or ``qemu-img amend`` to create or modify an image that
>> +depends on a backing file now recommends that an explicit backing
>> +format be provided. This is for safety: if qemu probes a different
>> +format than what you thought, the data presented to the guest will be
>> +corrupt; similarly, presenting a raw image to a guest allows a
>> +potential security exploit if a future probe sees a non-raw image
>> +based on guest writes. To avoid the warning message, or even future
>> +refusal to create an unsafe image, you must pass ``-o backing_fmt=``
>> +(or the shorthand ``-F`` during create) to specify the intended
>> +backing format. You may use ``qemu-img rebase -u`` to retroactively
>> +add a backing format to an existing image. However, be aware that
>> +there are already potential security risks to blindly using ``qemu-img
>> +info`` to probe the format of an untrusted backing image, when
>> +deciding what format to add into an existing image.
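Review bot: The parenthetical "(or the shorthand ``-F`` during create)" reads as if ``-F`` belongs to ``qemu-img create`` alone, while the paragraph covers create, rebase, convert and amend. The rebase test in this thread is described as run without "-F raw", and the reply notes that convert lacks the shorthand. Suggest saying for each subcommand how the backing format is passed, so a reader hitting the warning from rebase or convert knows which option to add. The ``qemu-img rebase -u`` sentence would also be easier to act on if it showed the full invocation with the backing file and format arguments. The closing caution about ``qemu-img info`` names the risk but not what to do instead; one clause pointing at knowing the format out of band would close that gap.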
>
> Nit: s/qemu/QEMU/g/
>
> Ultra Nit: should this paragraph be broken down into two? Experience
> tells people usually feel deterred from reading "substantial paragraphs" :-)
Could do, right before 'To avoid the warning'.
>
> I'll report back the Amend case. (And once I get clarification on the
> Convert scenario, I'll be happy to give Tested-by.)
>
> [...]
>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
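
An added example, not part of the message above and not QEMU code: a read-only check for the condition the thread describes, a qcow2 image that names a backing file but records no backing format and therefore forces a probe when opened. Field offsets and the 0xE2792ACA extension type follow the qcow2 format specification; the names `backing_info`, `needs_probe` and `sample_header` are hypothetical, and the sample headers are constructed.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
EXT_BACKING_FORMAT = 0xE2792ACA  # "backing file format name" header extension

def backing_info(first_cluster):
    """Return (backing_file, backing_fmt); an element is None when not recorded."""
    if len(first_cluster) < 72 or first_cluster[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 header")
    version, bf_off, bf_len = struct.unpack_from(">IQI", first_cluster, 4)
    if version == 2:
        hdr_len = 72                      # v2 header has a fixed size
    elif version == 3 and len(first_cluster) >= 104:
        hdr_len = struct.unpack_from(">I", first_cluster, 100)[0]
    else:
        raise ValueError("unsupported or truncated qcow2 header")
    if bf_off + bf_len > len(first_cluster):
        raise ValueError("backing file name lies outside the supplied bytes")
    name = first_cluster[bf_off:bf_off + bf_len]
    backing_file = name.decode("utf-8", "replace") if bf_off else None
    # Extensions run from the end of the header up to the backing file name.
    backing_fmt, pos = None, hdr_len
    limit = bf_off or len(first_cluster)
    while pos + 8 <= limit:
        ext_type, ext_len = struct.unpack_from(">II", first_cluster, pos)
        pos += 8
        if ext_type == 0:                 # end-of-extensions marker
            break
        if pos + ext_len > limit:
            raise ValueError("header extension overruns its area")
        if ext_type == EXT_BACKING_FORMAT:
            backing_fmt = first_cluster[pos:pos + ext_len].decode("ascii", "replace")
        pos += (ext_len + 7) & ~7         # extension data is padded to 8 bytes
    return backing_file, backing_fmt

def needs_probe(first_cluster):
    """True when a backing file is named but its format is not recorded."""
    backing_file, backing_fmt = backing_info(first_cluster)
    return backing_file is not None and backing_fmt is None

def sample_header(backing, fmt=None):
    """Constructed v3 header bytes for the demo; not a usable image."""
    ext = b""
    if fmt is not None:
        ext = struct.pack(">II", EXT_BACKING_FORMAT, len(fmt)) + fmt.ljust((len(fmt) + 7) & ~7, b"\0")
    ext += struct.pack(">II", 0, 0)
    hdr = bytearray(104)
    struct.pack_into(">4sIQI", hdr, 0, QCOW2_MAGIC, 3, (104 + len(ext)) if backing else 0, len(backing))
    struct.pack_into(">I", hdr, 100, 104)
    return bytes(hdr) + ext + backing
```

On a real image, pass the first cluster of the file (65536 bytes at the cluster size shown in the output above). The check reads only the overlay's own header and never opens or probes the backing file.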