On 08/15/2014 06:28 AM, Jeff Cody wrote: > I worry that will subtly alter current behavior in bad ways. For > instance, take this image chain: > > qemu-img create -f qcow2 foo.img 1G > qemu-img create -f qcow2 -b foo.img bar.img 1G > > qemu-kvm -drive file=bar.img,format=qcow2 > > > If I understand correctly what you are proposing, that means that > qemu-kvm would detect 'foo.img' as raw, while current behavior is to > detect it as 'qcow2'. >
Libvirt ALREADY defaults to detecting foo.img as raw, and refuses to grant SELinux permissions for qemu to read bar.img, which causes qemu to fail to start due to missing permissions. All because probing is deemed too dangerous (a probe that results in an answer of "raw" is trustworthy, a probe that results in any other answer is suspect if the file has any remote chance of having once been raw). > Although if we do that in conjunction with what Kevin proposed (forbid > probing on raw), it would behave 'properly', and bail out before doing > something bad. That could be OK. The problem is that you can't forbid probing on raw without forbidding probing almost everywhere. Again, an answer of "raw" is trustworthy, it is ALL OTHER answers that are suspect. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
