[libvirt-users] Change in treatment of qcow2 with chained backing files in v5.10.0?

Jens John lists at 2ion.de
Tue Dec 17 11:16:37 UTC 2019 

Hello Peter,

thank you for replying in such detail.

On Tue, Dec 17, 2019 at 11:22:52AM +0100, Peter Krempa wrote:
> So this output was obtained by 'file'. That unfortunately doesn't give
> enough information. Please run 'qemu-img info' on those files and look
> for the 'backing file format:'field.
>
> That field is important, because otherwise we'd fall back to image
> format detection which was deemed unsafe and libvirt no longer allows
> it.

You're right. My backing files are missing the 'backing file format' field:

  image: windows7-base.qcow2
  file format: qcow2
  virtual size: 50 GiB (53687091200 bytes)
  disk size: 7.37 GiB
  cluster_size: 65536
  Format specific information:
      compat: 1.1
      lazy refcounts: false
      refcount bits: 16
      corrupt: false

  image: windows7-Office2013.qcow2
  file format: qcow2
  virtual size: 75 GiB (80530636800 bytes)
  disk size: 50.4 GiB
  cluster_size: 65536
  backing file: windows7-taintable.qcow2
  Format specific information:
      compat: 1.1
      lazy refcounts: false
      refcount bits: 16
      corrupt: false

  image: windows7-taintable.qcow2
  file format: qcow2
  virtual size: 50 GiB (53687091200 bytes)
  disk size: 7.88 GiB
  cluster_size: 65536
  backing file: windows7-base.qcow2
  Format specific information:
      compat: 1.1
      lazy refcounts: false
      refcount bits: 16
      corrupt: false

> The root of the problem is that the images mentioned above will not
> have the format section because -F argument for qemu-img was not used
> when creating them. This would force libvirt to use format detection
> which is insecure and thus libvirt does not do that and assumes the
> image is raw.

Understood. So in order to load an image or backing file, qemu/libvirt
expects the format to be explicitly defined whenever a 'next image' is
being referenced.

> This in normal circumstances causes problems right away, because when
> running any more advanced security model than unix permissions (selinux
> apparmor) libvirt would not allow qemu to access the backing file. You
> don't seem to be running it so it was accidentally working for you until
> now.

Correct. I'm using neither selinux nor apparmor.

> (...) So as a first thing you should create the images properly.  that when
> you are creating the overlay image, you have to use the '-F' parameter
> of qemu-img create. (...)

Fixed the issue successfully using qemu-img rebase.

> (...) (Note that snapshots/overlays created by libvirt always do
> this). (...)

It's probably clear by now but these images were created manually, many
years ago.

> Lastly this is more-or-less tracked in:
> https://bugzilla.redhat.com/show_bug.cgi?id=1588373
>
> I think I should finally fix it and report a proper error rather than
> silently assuming it might work. With -blockdev it will never work
> properly anyways.

I agree that failing in a clear way would indeed help the user, though
now that I know what I'm looking for, it's also clear from the -blockdev
argument what's going on.

Thanks, again, for your time,
Jens.

More information about the libvirt-users mailing list