qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] PATCH: Control over drive open modes for backing file


From: Jamie Lokier
Subject: Re: [Qemu-devel] PATCH: Control over drive open modes for backing file
Date: Fri, 1 Aug 2008 18:10:53 +0100
User-agent: Mutt/1.5.13 (2006-08-11)

Ian Jackson wrote:
> > Right, but my point is that ,mode=ro does not have to force QEMU to open 
> > the file O_RDONLY.  It simply needs to prevent writes from happening.
> 
> Well, yes, but actually it's probably most reliable to do it that way.
> Given that this is a security feature we want to avoid accidentally
> `missing' a case.  So we should definitely open the underlying file(s)
> O_RDONLY.

Also, the point about qcow2 metadata.  If you have multiple QEMU
instances using the same qcow2 image, it is not acceptable to have
them both trying to write qcow2 metadata - unless they are interlocked
in some way (as fas as I know they're not).

Personally I use 'chattr +i' on such files.  But it's not very
userspace friendy, e.g. for VM management scripts run by other people.
You need root access to do 'chattr +i'.

> If we do that then the guest definitely won't be able to write as if
> it manages to persuade qemu to try qemu will just get an error.  This
> is fine I think, if we can expose the read-only status to the guest.
> 
> > But it's important to be able to expose this property to the guest, so 
> > ,mode=ro should not be allowed for disks that do not support exposing 
> > their read-only-ness to the guest.
> 
> I agree that it would be an unusual thing to do, to expose a ro disk
> in a way that doesn't support advertising the ro flag.  But I think it
> should still be possible perhaps with some kind of force option.

I would think for environments where a single image is launched many
times, e.g. 'start OS foo and tell it to run my test program', it's
important that the *file* be open read-only regardless of what the
guest can see.

In that usage, -snapshot or creating an explicit qcow2 derived file
would be appropriate.  But it's still important that the base file is
opened read-only, and that 'commit' to it is forbidden.

-- Jamie




reply via email to

[Prev in Thread] Current Thread [Next in Thread]