[Qemu-devel] RFC v3: blockdev_add & friends, brief rationale, QMP docs

[Qemu-devel] RFC v3: blockdev_add & friends, brief rationale, QMP docs

[Markus Armbruster]

v3: We don't agree on what "protocol" and "format" mean, even less on
    how they stack, dumb down accordingly
    Human monitor syntax

v2: Cover protocols
    Split blockdev_change into media_insert and media_remove
    Option syntax
    list TODOs


Rationale: Why new commands for block devices?
==============================================

We want a clean separation between host part and guest part.  Existing
-drive and drive_add don't provide that; they were designed to specify
both parts together.  Moreover, drive_add is limited to adding virtio
drives (with pci_add's help) and SCSI drives.

We already have commands to specify the guest part: -device and
device_add.

Support for defining just a host part for use with -device and
device_add was grafted onto -drive and drive_add (if=none), but it's a
mess.  Some parts are redundant, other parts are broken.

For instance, unit, bus, index, addr are redundant: -device/device_add
don't use them.  They provide their own parameters to specify bus and
bus-specific address.

The checks whether rerror, werror, readonly, cyls, heads, secs are sane
for a particular guest device model are broken.  The checks are in the
-drive code, which used to know what the guest device model supports,
but can't with if=none.

Moreover, -drive/drive_add have several flaws:

* Many parameters set with -drive/drive_add silently revert to defaults
  on media change.

* There are two ways to specify protocol, and both are flawed: you
  either use parameter format (then you can neither specify a
  non-default format, nor supply protocol options), or encode it in
  parameter file (yet another ad hoc mini-language, breaks filenames
  with ':').

* Behavior when format= is missing is insecure.

My proposed solution is a new option -blockdev and monitor command
blockdev_add.  These specify only the host drive.  Guest drive
properties are left to -device/device_add.  We keep -drive for backwards
compatibility and command line convenience.  Except we get rid of
if=none (may need a grace period).

New monitor command blockdev_del works regardless of how the host block
device was created.

New monitor commands media_insert, media_remove provide full control
over the host part, unlike the existing change command.

Unfortunately, there's a thorny problem: format and protocol.  Right
now, our code is consistent with the following structure:

* Format + protocols form a tree.

* The tree root is the format, and it has exactly one child.

* All the other tree nodes are protocols, with a variable number of
  children.  No current protocol has more than one child, though.

However, the code has changed quite a bit recently, and it may well
change some more.  It's not just -drive that is confused about format
and protocol, even our block hackers can't quite agree on what they are
and how they should play together.  Designing a stable, general
interface to something we don't understand is hopeless.

Instead, we codify existing usage in the simplest imaginable way.
Generality has to wait for understanding.

If we come up with a more general interface later, that interface will
probably do format and protocol differently.  We either ditch the
current interface then, or keep it as syntactic sugar.

Summary of the host / guest split:

-drive options                  host or guest?
bus, unit, if, index, addr      guest, already covered by qdev
cyls, heads, secs, trans        guest, new qdev properties
                                  (but defaults depend on image)
media                           guest FIXME
snapshot, cache, aio            host, blockdev_add options
file, format                    host, blockdev_add options
                                  separate options for protocol
                                  format is just that, not protocol
                                  file is just a filename, no protocol
rerror, werror                  host, guest device models will
                                  reject values they don't support
serial                          guest, new qdev properties
readonly                        both host & guest, qdev will refuse to
                                  connect readonly host to read/write
                                  guest


QMP command docs
================

blockdev_add
------------

Add host block device.

Arguments:

- "id": the host block device's ID, must be unique (json-string)
- "format": image format (json-string, optional)
    - Possible values: "raw", "qcow2", ...
- "protocol": image access protocol (json-string, optional)
    - Possible values: "auto", "file", "nbd", ...
- Additional members depending on "protocol"
    - For "protocol": "file", [...]
      - "file": name of image file (json-string)
    - For "protocol": "nbd":
      - "domain": address family (json-string, optional)
          - Possible values: "inet" (default), "unix"
      - "file": name of socket file (json-string), only with "domain":
        "unix"
      - "host": host name (json-string), only with "domain": "inet"
      - "port": port (json-int), only with "domain": "inet"
    [...]
- "blkdebug": name of blkdebug config file (json-string, optional)
- "aio": host AIO (json-string, optional)
    - Possible values: "threads" (default), "native"
- "cache": host cache usage (json-string, optional)
    - Possible values: "writethrough" (default), "writeback", "unsafe",
                       "none"
- "readonly": open image read-only (json-bool, optional, default false)
- "rerror": what to do on read error (json-string, optional)
    - Possible values: "report" (default), "ignore", "stop"
- "werror": what to do on write error (json-string, optional)
    - Possible values: "enospc" (default), "report", "ignore", "stop"
- "snapshot": enable snapshot (json-bool, optional, default false)

Example:

-> { "execute": "blockdev_add",
     "arguments": { "id": "blk1", "format": "raw", "protocol": "file",
                    "file": "fedora.img" } }
<- { "return": {} }

-> { "execute": "blockdev_add",
     "arguments": { "id": "blk2", "format": "qcow2",
                    "blkdebug": "test.blkdebug",
                    "protocol": "file", "file": "test.qcow2" } }
<- { "return": {} }

-> { "execute": "blockdev_add",
     "arguments": { "id": "blk3" } }
<- { "return": {} }

Notes:

(1) If argument "protocol" is missing, all other optional arguments must
    be missing as well.  This defines a block device with no media
    inserted.

(2) It's possible to list supported disk formats and protocols by
    running QEMU with arguments "-blockdev_add \?".


blockdev_del
------------

Remove a host block device.

Arguments:

- "id": the host block device's ID (json-string)

Example:

-> { "execute": "blockdev_del", "arguments": { "id": "blk1" } }
<- { "return": {} }


media_insert
------------

Insert media into an empty host block device.

Arguments are exactly like blockdev_add, except "protocol" is mandatory.


media_remove
------------

Remove media from a host block device.

Arguments:

- "id": the host block device's ID (json-string)

Example:

-> { "execute": "media_remove", "arguments": { "id": "blk1" } }
<- { "return": {} }


Command line syntax
===================

-blockdev syntax corresponds 1:1 to QMP blockdev_add: the members of
QMP's argument object become -blockdev's QemuOpts options.

Example:

    -blockdev id=blk1,format=raw,protocol=file,file=fedora.img

    -blockdev id=blk2,format=qcow2,blkdebug=test.blkdebug,\
    protocol=file,file=test.qcow2

    -blockdev id=blk3

Sensible defaults are important for usability:

* The default format is derived from the image file name: if it ends
  with .F, where F is a format name, that format is the default, else
  "raw".

* The default protocol depends on the image file type: if it is a
  special file, it defaults to the protocol appropriate for that special
  file ("host_cdrom" for CD-ROM, ...).  Else it defaults to "file".

This permits shortening the first two examples:

    -blockdev id=blk1,file=fedora.img

    -blockdev id=blk2,blkdebug=test.blkdebug,file=test.qcow2


Human monitor syntax
====================

blockdev_add
------------

Single argument, which is exactly like -blockdev's argument (args_type
is "blockdev:O", where "blockdev" is the name of -blockdev's
QemuOptsList).

blockdev_del
------------

blockdev_del ID

media_insert
------------

Argument are exactly like blockdev_add, except either "protocol" or
"file" must be given.

media_remove
------------

media_remove ID

Re: [Qemu-devel] RFC v3: blockdev_add & friends, brief rationale, QMP docs

[Stefan Hajnoczi]

On Wed, Jun 16, 2010 at 6:27 PM, Markus Armbruster <armbru@redhat.com> wrote:
> blockdev_add
> ------------
>
> Add host block device.
>
> Arguments:
>
> - "id": the host block device's ID, must be unique (json-string)
> - "format": image format (json-string, optional)
>    - Possible values: "raw", "qcow2", ...

What is the default when unset?  (I expect we'll auto-detect the
format but this should be documented.)

> - "protocol": image access protocol (json-string, optional)
>    - Possible values: "auto", "file", "nbd", ...

The semantics of "auto" are not documented here.

> Notes:
>
> (1) If argument "protocol" is missing, all other optional arguments must
>    be missing as well.  This defines a block device with no media
>    inserted.

Perhaps this is what "auto" means?

> (2) It's possible to list supported disk formats and protocols by
>    running QEMU with arguments "-blockdev_add \?".

Is there an query-block-driver command or something in QMP to
enumerate supported formats and protocols?  Not sure how useful this
would be to the management stack - blockdev_add will probably return
an error if an attempt is made to open an unsupported file.

> blockdev_del
> ------------
>
> Remove a host block device.
>
> Arguments:
>
> - "id": the host block device's ID (json-string)
>
> Example:
>
> -> { "execute": "blockdev_del", "arguments": { "id": "blk1" } }
> <- { "return": {} }

What about an attached guest device?  Will this fail if the virtio-blk
PCI device is still present?  For SCSI I imagine we can usually just
remove the host block device.  For IDE there isn't hotplug support
AFAIK, what happens?

Stefan

Re: [Qemu-devel] RFC v3: blockdev_add & friends, brief rationale, QMP docs

[Markus Armbruster]

Stefan Hajnoczi <stefanha@gmail.com> writes:

> On Wed, Jun 16, 2010 at 6:27 PM, Markus Armbruster <armbru@redhat.com> wrote:
>> blockdev_add
>> ------------
>>
>> Add host block device.
>>
>> Arguments:
>>
>> - "id": the host block device's ID, must be unique (json-string)
>> - "format": image format (json-string, optional)
>>    - Possible values: "raw", "qcow2", ...
>
> What is the default when unset?  (I expect we'll auto-detect the
> format but this should be documented.)

For command line and human monitor, we definitely want a sensible
default.  I sketched one in section "Command line syntax".  I'll quote
it for your convenience a few lines down.

>> - "protocol": image access protocol (json-string, optional)
>>    - Possible values: "auto", "file", "nbd", ...
>
> The semantics of "auto" are not documented here.

Uh, that slipped in here.  It means "guess protocol from image file
type".

Again, for command line and human monitor, we definitely want a sensible
default, and I sketched one in section "Command line syntax".

We may want the same defaults in QMP, although more for consistency than
for usability.  But I didn't want to complicate the QMP section with all
that defaults business, so I moved discussion of defaults down to the
command line section.  Hope I didn't cause even more confusion that way.

Anyway, here's what I wrote on default format:

   * The default format is derived from the image file name: if it ends
     with .F, where F is a format name, that format is the default, else
     "raw".

To let users ask for this explicitely, we could have pseudo-format
"auto".

We also need a pseudo-format "probe", which guesses the format from the
image contents.  Can't be made the default, because it's insecure.

On protocol "auto":

   * The default protocol depends on the image file type: if it is a
     special file, it defaults to the protocol appropriate for that special
     file ("host_cdrom" for CD-ROM, ...).  Else it defaults to "file".

   This permits shortening the first two examples:

       -blockdev id=blk1,file=fedora.img

       -blockdev id=blk2,blkdebug=test.blkdebug,file=test.qcow2

And for completeness, let me quote the unshortened examples, too:

       -blockdev id=blk1,format=raw,protocol=file,file=fedora.img

       -blockdev id=blk2,format=qcow2,blkdebug=test.blkdebug,\
       protocol=file,file=test.qcow2

>> Notes:
>>
>> (1) If argument "protocol" is missing, all other optional arguments must
>>    be missing as well.  This defines a block device with no media
>>    inserted.
>
> Perhaps this is what "auto" means?
>
>> (2) It's possible to list supported disk formats and protocols by
>>    running QEMU with arguments "-blockdev_add \?".
>
> Is there an query-block-driver command or something in QMP to
> enumerate supported formats and protocols?  Not sure how useful this
> would be to the management stack - blockdev_add will probably return
> an error if an attempt is made to open an unsupported file.

QMP should be "self-documenting": a client should be able to list
commands, their arguments, and possible argument values.  Listing
supported formats then becomes "list possible values of command
blockdev_add's argument format".

>> blockdev_del
>> ------------
>>
>> Remove a host block device.
>>
>> Arguments:
>>
>> - "id": the host block device's ID (json-string)
>>
>> Example:
>>
>> -> { "execute": "blockdev_del", "arguments": { "id": "blk1" } }
>> <- { "return": {} }
>
> What about an attached guest device?  Will this fail if the virtio-blk
> PCI device is still present?  For SCSI I imagine we can usually just
> remove the host block device.  For IDE there isn't hotplug support
> AFAIK, what happens?

Command fails.  You have to device_del the device first.  Which is only
possible if its bus supports hot-plug.

Thanks!

Re: [Qemu-devel] RFC v3: blockdev_add & friends, brief rationale, QMP docs

[Stefan Hajnoczi]

On Thu, Jun 17, 2010 at 1:49 PM, Markus Armbruster <armbru@redhat.com> wrote:
> Stefan Hajnoczi <stefanha@gmail.com> writes:
>
>> On Wed, Jun 16, 2010 at 6:27 PM, Markus Armbruster <armbru@redhat.com> wrote:
>>> blockdev_add
>>> ------------
>>>
>>> Add host block device.
>>>
>>> Arguments:
>>>
>>> - "id": the host block device's ID, must be unique (json-string)
>>> - "format": image format (json-string, optional)
>>>    - Possible values: "raw", "qcow2", ...
>>
>> What is the default when unset?  (I expect we'll auto-detect the
>> format but this should be documented.)
>
> For command line and human monitor, we definitely want a sensible
> default.  I sketched one in section "Command line syntax".  I'll quote
> it for your convenience a few lines down.

Ahem...the part that I skipped over ;).  I should have read your
entire email, thanks for pointing it out.

> To let users ask for this explicitely, we could have pseudo-format
> "auto".
>
> We also need a pseudo-format "probe", which guesses the format from the
> image contents.  Can't be made the default, because it's insecure.

In which scenario is probing the image format a security issue?  I'm
trying to think up scenarios where a cloud user modifies the guest
disk image and gets QEMU to re-open the image file as another format,
perhaps this would make the cloud owner/admin unhappy.  I don't see a
threat except for image format drivers have security bugs (corrupt
images leading to arbitrary code execution).

>>> (2) It's possible to list supported disk formats and protocols by
>>>    running QEMU with arguments "-blockdev_add \?".
>>
>> Is there an query-block-driver command or something in QMP to
>> enumerate supported formats and protocols?  Not sure how useful this
>> would be to the management stack - blockdev_add will probably return
>> an error if an attempt is made to open an unsupported file.
>
> QMP should be "self-documenting": a client should be able to list
> commands, their arguments, and possible argument values.  Listing
> supported formats then becomes "list possible values of command
> blockdev_add's argument format".

Nice :).

>>> blockdev_del
>>> ------------
>>>
>>> Remove a host block device.
>>>
>>> Arguments:
>>>
>>> - "id": the host block device's ID (json-string)
>>>
>>> Example:
>>>
>>> -> { "execute": "blockdev_del", "arguments": { "id": "blk1" } }
>>> <- { "return": {} }
>>
>> What about an attached guest device?  Will this fail if the virtio-blk
>> PCI device is still present?  For SCSI I imagine we can usually just
>> remove the host block device.  For IDE there isn't hotplug support
>> AFAIK, what happens?
>
> Command fails.  You have to device_del the device first.  Which is only
> possible if its bus supports hot-plug.

I think this deserves to be in the documentation.

Stefan

Re: [Qemu-devel] RFC v3: blockdev_add & friends, brief rationale, QMP docs

[Markus Armbruster]

Stefan Hajnoczi <stefanha@gmail.com> writes:

> On Thu, Jun 17, 2010 at 1:49 PM, Markus Armbruster <armbru@redhat.com> wrote:
>> Stefan Hajnoczi <stefanha@gmail.com> writes:
>>
>>> On Wed, Jun 16, 2010 at 6:27 PM, Markus Armbruster <armbru@redhat.com> wrote:
>>>> blockdev_add
>>>> ------------
>>>>
>>>> Add host block device.
>>>>
>>>> Arguments:
>>>>
>>>> - "id": the host block device's ID, must be unique (json-string)
>>>> - "format": image format (json-string, optional)
>>>>    - Possible values: "raw", "qcow2", ...
>>>
>>> What is the default when unset?  (I expect we'll auto-detect the
>>> format but this should be documented.)
>>
>> For command line and human monitor, we definitely want a sensible
>> default.  I sketched one in section "Command line syntax".  I'll quote
>> it for your convenience a few lines down.
>
> Ahem...the part that I skipped over ;).  I should have read your
> entire email, thanks for pointing it out.

:)

>> To let users ask for this explicitely, we could have pseudo-format
>> "auto".
>>
>> We also need a pseudo-format "probe", which guesses the format from the
>> image contents.  Can't be made the default, because it's insecure.
>
> In which scenario is probing the image format a security issue?  I'm
> trying to think up scenarios where a cloud user modifies the guest
> disk image and gets QEMU to re-open the image file as another format,
> perhaps this would make the cloud owner/admin unhappy.  I don't see a
> threat except for image format drivers have security bugs (corrupt
> images leading to arbitrary code execution).

User creates a raw image file.

VM starts.  Image file gets probed, it's raw.  Guest has access to the
complete file.

Guest writes a valid QCOW2 image to it, chosen to include the full
backing file in the resulting image contents.  Set the backing file to
/secret/treasure.

Reboot VM.  Image file gets probed, it's qcow2.  Backing file gets
probed, it's raw.  Guest has access to the contents of QCOW2 image.
This includes the backing file.  Oops.

>>>> (2) It's possible to list supported disk formats and protocols by
>>>>    running QEMU with arguments "-blockdev_add \?".
>>>
>>> Is there an query-block-driver command or something in QMP to
>>> enumerate supported formats and protocols?  Not sure how useful this
>>> would be to the management stack - blockdev_add will probably return
>>> an error if an attempt is made to open an unsupported file.
>>
>> QMP should be "self-documenting": a client should be able to list
>> commands, their arguments, and possible argument values.  Listing
>> supported formats then becomes "list possible values of command
>> blockdev_add's argument format".
>
> Nice :).

We still need to deliver the niceties...

>>>> blockdev_del
>>>> ------------
>>>>
>>>> Remove a host block device.
>>>>
>>>> Arguments:
>>>>
>>>> - "id": the host block device's ID (json-string)
>>>>
>>>> Example:
>>>>
>>>> -> { "execute": "blockdev_del", "arguments": { "id": "blk1" } }
>>>> <- { "return": {} }
>>>
>>> What about an attached guest device?  Will this fail if the virtio-blk
>>> PCI device is still present?  For SCSI I imagine we can usually just
>>> remove the host block device.  For IDE there isn't hotplug support
>>> AFAIK, what happens?
>>
>> Command fails.  You have to device_del the device first.  Which is only
>> possible if its bus supports hot-plug.
>
> I think this deserves to be in the documentation.

Yes, QMP documentation should cover errors.  It generally doesn't so far.

Re: [Qemu-devel] RFC v3: blockdev_add & friends, brief rationale, QMP docs

[Stefan Hajnoczi]

On Fri, Jun 18, 2010 at 8:27 AM, Markus Armbruster <armbru@redhat.com> wrote:
> Stefan Hajnoczi <stefanha@gmail.com> writes:
>> On Thu, Jun 17, 2010 at 1:49 PM, Markus Armbruster <armbru@redhat.com> wrote:
>>> Stefan Hajnoczi <stefanha@gmail.com> writes:
>>>> On Wed, Jun 16, 2010 at 6:27 PM, Markus Armbruster <armbru@redhat.com> wrote:
>>> To let users ask for this explicitely, we could have pseudo-format
>>> "auto".
>>>
>>> We also need a pseudo-format "probe", which guesses the format from the
>>> image contents.  Can't be made the default, because it's insecure.
>>
>> In which scenario is probing the image format a security issue?  I'm
>> trying to think up scenarios where a cloud user modifies the guest
>> disk image and gets QEMU to re-open the image file as another format,
>> perhaps this would make the cloud owner/admin unhappy.  I don't see a
>> threat except for image format drivers have security bugs (corrupt
>> images leading to arbitrary code execution).
>
> User creates a raw image file.
>
> VM starts.  Image file gets probed, it's raw.  Guest has access to the
> complete file.
>
> Guest writes a valid QCOW2 image to it, chosen to include the full
> backing file in the resulting image contents.  Set the backing file to
> /secret/treasure.
>
> Reboot VM.  Image file gets probed, it's qcow2.  Backing file gets
> probed, it's raw.  Guest has access to the contents of QCOW2 image.
> This includes the backing file.  Oops.

I thought selinux/svirt was supposed to secure QEMU processes and
ensure they only have access to the resources they need?  If the
backing file doesn't belong to me then my QEMU process shouldn't be
able to open it.

Stefan

Re: [Qemu-devel] RFC v3: blockdev_add & friends, brief rationale, QMP docs

[Markus Armbruster]

Stefan Hajnoczi <stefanha@gmail.com> writes:

> On Fri, Jun 18, 2010 at 8:27 AM, Markus Armbruster <armbru@redhat.com> wrote:
>> Stefan Hajnoczi <stefanha@gmail.com> writes:
>>> On Thu, Jun 17, 2010 at 1:49 PM, Markus Armbruster <armbru@redhat.com> wrote:
>>>> Stefan Hajnoczi <stefanha@gmail.com> writes:
>>>>> On Wed, Jun 16, 2010 at 6:27 PM, Markus Armbruster <armbru@redhat.com> wrote:
>>>> To let users ask for this explicitely, we could have pseudo-format
>>>> "auto".
>>>>
>>>> We also need a pseudo-format "probe", which guesses the format from the
>>>> image contents.  Can't be made the default, because it's insecure.
>>>
>>> In which scenario is probing the image format a security issue?  I'm
>>> trying to think up scenarios where a cloud user modifies the guest
>>> disk image and gets QEMU to re-open the image file as another format,
>>> perhaps this would make the cloud owner/admin unhappy.  I don't see a
>>> threat except for image format drivers have security bugs (corrupt
>>> images leading to arbitrary code execution).
>>
>> User creates a raw image file.
>>
>> VM starts.  Image file gets probed, it's raw.  Guest has access to the
>> complete file.
>>
>> Guest writes a valid QCOW2 image to it, chosen to include the full
>> backing file in the resulting image contents.  Set the backing file to
>> /secret/treasure.
>>
>> Reboot VM.  Image file gets probed, it's qcow2.  Backing file gets
>> probed, it's raw.  Guest has access to the contents of QCOW2 image.
>> This includes the backing file.  Oops.
>
> I thought selinux/svirt was supposed to secure QEMU processes and
> ensure they only have access to the resources they need?  If the
> backing file doesn't belong to me then my QEMU process shouldn't be
> able to open it.

Yes, SELinux will protect you from security holes in applications.
Protecting from != fixing of :)