The virStorageVolUpload/Download APIs currently require that you upload
the physical disk image content, rather than the virtual disk image
content. ie the entire qcow2 file, not just its payload.
While this is certainly useful in some scenarios, it is rather unhelpful,
if not dangerous, in others.
For example, a qcow2 file can contain a backing file that points to
anything on the host filesystem and libvirt happily accepts it. The
best you can do is to query the volume XML again after upload and see
if it now reports a backing file. It would be highly desirable to
block this kind of thing before upload, because you don't want the
act of uploading to cause libvirt to open these arbitrary files.
In fact no matter what format you're storage volume currently is,
when you're uploading new content at a physical level, it can change
to any other format.
If uploading non-raw files, there's also no way to restrict the size
of the files uploaded. ie you can upload a 256 KB sized qcow2 file
whose logical disk size is 4 exabytes. Again you can only detect
this after you've uploaded it, unless you're willing to run qemu-img
manually before upload, or write your own parser to validate upfront.
I would probably ok to just ignore this problem - checking after the
fact doesn't cause security problems, as the large logical size is
an issue until the disk is given to a guest for use.
Finally, you might not even have the file in the desired format. For
example, someone might have given you a raw file,but you want to store
everything as qcow2 files. Currently you would have to create a new
volume, upload the content to a new volume, delete the existing volume
and use virStorageVolCreateFrom to re-create it again with a forkmat
conversion, before finally deleting the temporary upload. It would be
very nice to be able to upload straight into the payload of an existing
file in one go - even if libvirt has to do a qemu-img conversion in the
process.
Some of these problems can be fixed with adding flags. For example I
would suggest
- VIR_STORAGE_VOL_UPLOAD_VIRTUAL => the stream provides the
virtual disk image payload, not a physical disk image container
- VIR_STORAGE_VOL_UPLOAD_FIXED_FORMAT => when VIRTUAL is not set,
this indicates that the physical source format, must match the
current storage vol format. ie don't allow the upload to change
the image format by uploading a raw file into a qcow2 file or
vica-verca
- VIR_STORAGE_VOL_UPLOAD_NO_BACKING_FILE => when VIRUTAL is not
set this indicates that the uploaded content must not be
permitted to have any backing file set.
To allow on the fly conversion of data when using the VIRTUAL flag
though, we need a new API to expose the stream data format, otherwise
libvirt would have to probe stream format to know what to convert
from, and that is unsafe from a security POV:
virStorageVolUploadConvert(virStorageVolPtr vol,
virStreamPtr stream,
int srcFormat,
unsigned long long offset,
unsigned long long length,
unsigned int flags);
The srcFormat parameter would map to virStorageFileFormat enum, which
would need to become public. It says what format the stream is providing
data in. In terms of implementation we would have to write the data into
a temporary file, and then use qemu-img convert to get it into the actual
file we want. We can't feed straight into qemu-img convert, since it
needs a seekable file as input & output.
If we had this functionality, then I think it would be possible for apps
to deal with storage uploads from end users, without having to run
qemu-img manually to validate data outside libvirt.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
