[adding qemu]

On 2/19/20 12:57 PM, Peter Krempa wrote:

Namely a user creates an overlay on top of single raw/qcow2 image and
expects it to work. And it's not just random users, libguestfs and
openstack also neglected to set the backing format.


Yes, and they are getting patched.  Belatedly, but better late than never.

In that case, qemu-img should also be fixed to forbid 'create' without
-F. Otherwise it's hard to argue that it's a wrong thing to do.

Allowing -b without -F when the backing file probes as raw is safe, but yes, I agree qemu-img create should start a deprecation period of warning if -F is omitted, and turn it into a hard error when enough time elapses.


The price for this is that libvirt will need to keep the image format
detector still current and working or replace it by invocation of
qemu-img.

Maybe.  Any format that qemu recognizes but libvirt does not risks a case
where libvirt probes the image as raw but lets qemu re-probe the image and

That doesn't happen with blockdev. We dont' let qemu probe.

We are just shifting the burden on who causes the data corruption when a
probe goes wrong - it used to be qemu, now it is libvirt.



I disagree with the logic here.  What we really need is:

If the backing format was not specified, we probe to see what is there. If
the result of that probe is raw, it is safe to treat the image as raw.  If
the result is anything else, we must report an error stating that what we
probed could not be trusted unless the user adds an explicit backing format
(either confirming that our probe was correct, or with the correct format
overriding what we mis-probed).

As noted above, using this logic would be pointless. We are better off
just reporting the error always if we also don't allow qcow2 without
backing file to be used as it was previously used.

Then report the error always.

Well that's what we do right now. It seems kind of tempting to call this
a right thing but let me summarize the semantics:

- The "true" detection cases are not problematic
     - advantage is that existing (arguably suboptimal) configurations
       will keep working if we detect
- For the "false" detection cases:
   - misdetection does not breach security (given that sVirt is used)
   - data corruption can occur if libvirt detects something else than
     qemu
     - this is true both directions (qcow2->raw, raw->qcow2)

and the tradeoff:

1) If we allow detection, we trade compatibility for the (small)
possibility of having to deal with corruption.

2) If we disallow detection we trade regression of behaviour for data
corruption not being our problem.

I started this trhead because I feel that the value of 1) is more than
2). Especially short term since qemu-img's default behaviour is allowing
creation of images which would break with libvirt and the fact that
we've tolerated the wrong behaviour for years.

Additionally I think that we could just get rid of the copy of the image
detection copy in libvirt and replace it by invocation of qemu-img. That
way we could avoid any discrepancies in the detection process in the
first place.

Now there's an interesting thought. Since data corruption occurs when there is disagreement about which mode to use, getting libvirt out of the probing business by deferring all decisions to qemu-img info is a smart move - if qemu says an image probes as qcow2 (in an environment where probing is safe), then libvirt passing an explicit qcow2 to qemu for guest usage (in an environment where probing is not safe) will at least see the same guest-visible data. Less code to maintain in libvirt, and no chance for a mismatch between the two projects on which format a probe should result in.

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

Reply via email to