Avi Kivity wrote:
Anthony Liguori wrote:
I think it is a bad idea from a security POV to automatically
extract & use command line args from a disk image like this without
the admin explicitly requesting this capability.
eg If I grabbed a demo disk image from a vendors' or community
website I would
certainly not trust whatever args may happen to be embedded in the
disk image
and thus do not want QEMU to be automatically running using them.
I'd recommend having some command line flag to turn this capability
on. For
example a '--args PATH-TO-DISK' flag,
qemu --args $HOME/fedora.qcow
That's pretty nasty. How do you specify which disk this is then? I
do agree with you that allowing arbitrary command line arguments in
an image file is probably a bad idea. I think the general idea of
being able to launch a single image is useful but I suspect this is
not the right way to do it.
What are some people thinking would want to be stored in the file?
Most of the command line options are more host specific than guest
specific I think. Maybe we can store a pseudo-config instead that
only contains a subset of parameters (and therefore, wouldn't pose a
security risk)?
Memory size, -hdb and -cdrom, processor count, networking setup. The
sort of things people push into ad-hoc scripts.
I expect this to be the low-end solution; with high end management
applications storing configuration options in a database.
If you're looking for a low-end solution, another possibility would be
having a "new" file format which consisted of:
#!/path/to/qemu [<args> ...] <nl>
<standard disk image>
And then make the appropriate changes to QEMU such that it can skip the
first line in a disk image file. This has a few nice side effects. The
disk image is directly executable and it makes it very clear to the user
that they have to trust the disk image. The other nice thing is that it
would work with file formats other than qcow2.
Regards,
Anthony Liguori
