2012-08-22 18:43:07 +04:00
|
|
|
/*
|
|
|
|
* Serving QEMU block devices via NBD
|
|
|
|
*
|
|
|
|
* Copyright (c) 2012 Red Hat, Inc.
|
|
|
|
*
|
|
|
|
* Author: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
|
*
|
|
|
|
* This work is licensed under the terms of the GNU GPL, version 2 or
|
|
|
|
* later. See the COPYING file in the top-level directory.
|
|
|
|
*/
|
|
|
|
|
2016-01-29 20:50:05 +03:00
|
|
|
#include "qemu/osdep.h"
|
2012-12-17 21:20:04 +04:00
|
|
|
#include "sysemu/blockdev.h"
|
2014-11-18 14:21:17 +03:00
|
|
|
#include "sysemu/block-backend.h"
|
2013-02-05 20:06:20 +04:00
|
|
|
#include "hw/block/block.h"
|
2018-02-01 14:18:31 +03:00
|
|
|
#include "qapi/error.h"
|
2020-10-27 08:05:48 +03:00
|
|
|
#include "qapi/clone-visitor.h"
|
|
|
|
#include "qapi/qapi-visit-block-export.h"
|
2020-09-24 18:26:48 +03:00
|
|
|
#include "qapi/qapi-commands-block-export.h"
|
2012-12-17 21:19:44 +04:00
|
|
|
#include "block/nbd.h"
|
2016-02-10 21:41:03 +03:00
|
|
|
#include "io/channel-socket.h"
|
2017-12-18 13:16:42 +03:00
|
|
|
#include "io/net-listener.h"
|
2012-08-22 18:43:07 +04:00
|
|
|
|
2016-02-10 21:41:14 +03:00
|
|
|
typedef struct NBDServerData {
|
2017-12-18 13:16:42 +03:00
|
|
|
QIONetListener *listener;
|
2016-02-10 21:41:14 +03:00
|
|
|
QCryptoTLSCreds *tlscreds;
|
nbd: allow authorization with nbd-server-start QMP command
As with the previous patch to qemu-nbd, the nbd-server-start QMP command
also needs to be able to specify authorization when enabling TLS encryption.
First the client must create a QAuthZ object instance using the
'object-add' command:
{
'execute': 'object-add',
'arguments': {
'qom-type': 'authz-list',
'id': 'authz0',
'parameters': {
'policy': 'deny',
'rules': [
{
'match': '*CN=fred',
'policy': 'allow'
}
]
}
}
}
They can then reference this in the new 'tls-authz' parameter when
executing the 'nbd-server-start' command:
{
'execute': 'nbd-server-start',
'arguments': {
'addr': {
'type': 'inet',
'host': '127.0.0.1',
'port': '9000'
},
'tls-creds': 'tls0',
'tls-authz': 'authz0'
}
}
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <20190227162035.18543-3-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
2019-02-27 19:20:34 +03:00
|
|
|
char *tlsauthz;
|
2020-09-24 18:26:54 +03:00
|
|
|
uint32_t max_connections;
|
|
|
|
uint32_t connections;
|
2016-02-10 21:41:14 +03:00
|
|
|
} NBDServerData;
|
|
|
|
|
|
|
|
static NBDServerData *nbd_server;
|
2020-09-24 18:26:57 +03:00
|
|
|
static bool is_qemu_nbd;
|
2016-02-10 21:41:14 +03:00
|
|
|
|
2020-09-24 18:26:54 +03:00
|
|
|
static void nbd_update_server_watch(NBDServerData *s);
|
|
|
|
|
2020-09-24 18:26:57 +03:00
|
|
|
void nbd_server_is_qemu_nbd(bool value)
|
|
|
|
{
|
|
|
|
is_qemu_nbd = value;
|
|
|
|
}
|
|
|
|
|
2020-09-24 18:27:12 +03:00
|
|
|
bool nbd_server_is_running(void)
|
|
|
|
{
|
|
|
|
return nbd_server || is_qemu_nbd;
|
|
|
|
}
|
|
|
|
|
nbd: Fix regression on resiliency to port scan
Back in qemu 2.5, qemu-nbd was immune to port probes (a transient
server would not quit, regardless of how many probe connections
came and went, until a connection actually negotiated). But we
broke that in commit ee7d7aa when removing the return value to
nbd_client_new(), although that patch also introduced a bug causing
an assertion failure on a client that fails negotiation. We then
made it worse during refactoring in commit 1a6245a (a segfault
before we could even assert); the (masked) assertion was cleaned
up in d3780c2 (still in 2.6), and just recently we finally fixed
the segfault ("nbd: Fully intialize client in case of failed
negotiation"). But that still means that ever since we added
TLS support to qemu-nbd, we have been vulnerable to an ill-timed
port-scan being able to cause a denial of service by taking down
qemu-nbd before a real client has a chance to connect.
Since negotiation is now handled asynchronously via coroutines,
we no longer have a synchronous point of return by re-adding a
return value to nbd_client_new(). So this patch instead wires
things up to pass the negotiation status through the close_fn
callback function.
Simple test across two terminals:
$ qemu-nbd -f raw -p 30001 file
$ nmap 127.0.0.1 -p 30001 && \
qemu-io -c 'r 0 512' -f raw nbd://localhost:30001
Note that this patch does not change what constitutes successful
negotiation (thus, a client must enter transmission phase before
that client can be considered as a reason to terminate the server
when the connection ends). Perhaps we may want to tweak things
in a later patch to also treat a client that uses NBD_OPT_ABORT
as being a 'successful' negotiation (the client correctly talked
the NBD protocol, and informed us it was not going to use our
export after all), but that's a discussion for another day.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170608222617.20376-1-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-09 01:26:17 +03:00
|
|
|
static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)
|
|
|
|
{
|
|
|
|
nbd_client_put(client);
|
2020-09-24 18:26:54 +03:00
|
|
|
assert(nbd_server->connections > 0);
|
|
|
|
nbd_server->connections--;
|
|
|
|
nbd_update_server_watch(nbd_server);
|
nbd: Fix regression on resiliency to port scan
Back in qemu 2.5, qemu-nbd was immune to port probes (a transient
server would not quit, regardless of how many probe connections
came and went, until a connection actually negotiated). But we
broke that in commit ee7d7aa when removing the return value to
nbd_client_new(), although that patch also introduced a bug causing
an assertion failure on a client that fails negotiation. We then
made it worse during refactoring in commit 1a6245a (a segfault
before we could even assert); the (masked) assertion was cleaned
up in d3780c2 (still in 2.6), and just recently we finally fixed
the segfault ("nbd: Fully intialize client in case of failed
negotiation"). But that still means that ever since we added
TLS support to qemu-nbd, we have been vulnerable to an ill-timed
port-scan being able to cause a denial of service by taking down
qemu-nbd before a real client has a chance to connect.
Since negotiation is now handled asynchronously via coroutines,
we no longer have a synchronous point of return by re-adding a
return value to nbd_client_new(). So this patch instead wires
things up to pass the negotiation status through the close_fn
callback function.
Simple test across two terminals:
$ qemu-nbd -f raw -p 30001 file
$ nmap 127.0.0.1 -p 30001 && \
qemu-io -c 'r 0 512' -f raw nbd://localhost:30001
Note that this patch does not change what constitutes successful
negotiation (thus, a client must enter transmission phase before
that client can be considered as a reason to terminate the server
when the connection ends). Perhaps we may want to tweak things
in a later patch to also treat a client that uses NBD_OPT_ABORT
as being a 'successful' negotiation (the client correctly talked
the NBD protocol, and informed us it was not going to use our
export after all), but that's a discussion for another day.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170608222617.20376-1-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-09 01:26:17 +03:00
|
|
|
}
|
2012-08-22 18:43:07 +04:00
|
|
|
|
2017-12-18 13:16:42 +03:00
|
|
|
static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
|
|
|
|
gpointer opaque)
|
2012-08-22 18:43:07 +04:00
|
|
|
{
|
2020-09-24 18:26:54 +03:00
|
|
|
nbd_server->connections++;
|
|
|
|
nbd_update_server_watch(nbd_server);
|
|
|
|
|
2016-09-30 13:57:14 +03:00
|
|
|
qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
|
nbd: allow authorization with nbd-server-start QMP command
As with the previous patch to qemu-nbd, the nbd-server-start QMP command
also needs to be able to specify authorization when enabling TLS encryption.
First the client must create a QAuthZ object instance using the
'object-add' command:
{
'execute': 'object-add',
'arguments': {
'qom-type': 'authz-list',
'id': 'authz0',
'parameters': {
'policy': 'deny',
'rules': [
{
'match': '*CN=fred',
'policy': 'allow'
}
]
}
}
}
They can then reference this in the new 'tls-authz' parameter when
executing the 'nbd-server-start' command:
{
'execute': 'nbd-server-start',
'arguments': {
'addr': {
'type': 'inet',
'host': '127.0.0.1',
'port': '9000'
},
'tls-creds': 'tls0',
'tls-authz': 'authz0'
}
}
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <20190227162035.18543-3-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
2019-02-27 19:20:34 +03:00
|
|
|
nbd_client_new(cioc, nbd_server->tlscreds, nbd_server->tlsauthz,
|
nbd: Fix regression on resiliency to port scan
Back in qemu 2.5, qemu-nbd was immune to port probes (a transient
server would not quit, regardless of how many probe connections
came and went, until a connection actually negotiated). But we
broke that in commit ee7d7aa when removing the return value to
nbd_client_new(), although that patch also introduced a bug causing
an assertion failure on a client that fails negotiation. We then
made it worse during refactoring in commit 1a6245a (a segfault
before we could even assert); the (masked) assertion was cleaned
up in d3780c2 (still in 2.6), and just recently we finally fixed
the segfault ("nbd: Fully intialize client in case of failed
negotiation"). But that still means that ever since we added
TLS support to qemu-nbd, we have been vulnerable to an ill-timed
port-scan being able to cause a denial of service by taking down
qemu-nbd before a real client has a chance to connect.
Since negotiation is now handled asynchronously via coroutines,
we no longer have a synchronous point of return by re-adding a
return value to nbd_client_new(). So this patch instead wires
things up to pass the negotiation status through the close_fn
callback function.
Simple test across two terminals:
$ qemu-nbd -f raw -p 30001 file
$ nmap 127.0.0.1 -p 30001 && \
qemu-io -c 'r 0 512' -f raw nbd://localhost:30001
Note that this patch does not change what constitutes successful
negotiation (thus, a client must enter transmission phase before
that client can be considered as a reason to terminate the server
when the connection ends). Perhaps we may want to tweak things
in a later patch to also treat a client that uses NBD_OPT_ABORT
as being a 'successful' negotiation (the client correctly talked
the NBD protocol, and informed us it was not going to use our
export after all), but that's a discussion for another day.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170608222617.20376-1-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-09 01:26:17 +03:00
|
|
|
nbd_blockdev_client_closed);
|
2012-08-22 18:43:07 +04:00
|
|
|
}
|
|
|
|
|
2020-09-24 18:26:54 +03:00
|
|
|
static void nbd_update_server_watch(NBDServerData *s)
|
|
|
|
{
|
|
|
|
if (!s->max_connections || s->connections < s->max_connections) {
|
|
|
|
qio_net_listener_set_client_func(s->listener, nbd_accept, NULL, NULL);
|
|
|
|
} else {
|
|
|
|
qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
|
|
|
|
}
|
|
|
|
}
|
2016-02-10 21:41:14 +03:00
|
|
|
|
|
|
|
static void nbd_server_free(NBDServerData *server)
|
2012-08-22 18:43:07 +04:00
|
|
|
{
|
2016-02-10 21:41:14 +03:00
|
|
|
if (!server) {
|
2012-08-22 18:43:07 +04:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2017-12-18 13:16:42 +03:00
|
|
|
qio_net_listener_disconnect(server->listener);
|
|
|
|
object_unref(OBJECT(server->listener));
|
2016-02-10 21:41:14 +03:00
|
|
|
if (server->tlscreds) {
|
|
|
|
object_unref(OBJECT(server->tlscreds));
|
|
|
|
}
|
nbd: allow authorization with nbd-server-start QMP command
As with the previous patch to qemu-nbd, the nbd-server-start QMP command
also needs to be able to specify authorization when enabling TLS encryption.
First the client must create a QAuthZ object instance using the
'object-add' command:
{
'execute': 'object-add',
'arguments': {
'qom-type': 'authz-list',
'id': 'authz0',
'parameters': {
'policy': 'deny',
'rules': [
{
'match': '*CN=fred',
'policy': 'allow'
}
]
}
}
}
They can then reference this in the new 'tls-authz' parameter when
executing the 'nbd-server-start' command:
{
'execute': 'nbd-server-start',
'arguments': {
'addr': {
'type': 'inet',
'host': '127.0.0.1',
'port': '9000'
},
'tls-creds': 'tls0',
'tls-authz': 'authz0'
}
}
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <20190227162035.18543-3-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
2019-02-27 19:20:34 +03:00
|
|
|
g_free(server->tlsauthz);
|
2016-02-10 21:41:14 +03:00
|
|
|
|
|
|
|
g_free(server);
|
|
|
|
}
|
|
|
|
|
|
|
|
static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp)
|
|
|
|
{
|
|
|
|
Object *obj;
|
|
|
|
QCryptoTLSCreds *creds;
|
|
|
|
|
|
|
|
obj = object_resolve_path_component(
|
|
|
|
object_get_objects_root(), id);
|
|
|
|
if (!obj) {
|
|
|
|
error_setg(errp, "No TLS credentials with id '%s'",
|
|
|
|
id);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
creds = (QCryptoTLSCreds *)
|
|
|
|
object_dynamic_cast(obj, TYPE_QCRYPTO_TLS_CREDS);
|
|
|
|
if (!creds) {
|
|
|
|
error_setg(errp, "Object with id '%s' is not TLS credentials",
|
|
|
|
id);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2021-06-28 19:09:09 +03:00
|
|
|
if (!qcrypto_tls_creds_check_endpoint(creds,
|
|
|
|
QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
|
|
|
|
errp)) {
|
2016-02-10 21:41:14 +03:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
object_ref(obj);
|
|
|
|
return creds;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2017-04-26 10:36:41 +03:00
|
|
|
void nbd_server_start(SocketAddress *addr, const char *tls_creds,
|
2020-09-24 18:26:54 +03:00
|
|
|
const char *tls_authz, uint32_t max_connections,
|
|
|
|
Error **errp)
|
2016-02-10 21:41:14 +03:00
|
|
|
{
|
|
|
|
if (nbd_server) {
|
|
|
|
error_setg(errp, "NBD server already running");
|
2016-02-10 21:41:03 +03:00
|
|
|
return;
|
2012-08-22 18:43:07 +04:00
|
|
|
}
|
2016-02-10 21:41:03 +03:00
|
|
|
|
2016-02-10 21:41:14 +03:00
|
|
|
nbd_server = g_new0(NBDServerData, 1);
|
2020-09-24 18:26:54 +03:00
|
|
|
nbd_server->max_connections = max_connections;
|
2017-12-18 13:16:42 +03:00
|
|
|
nbd_server->listener = qio_net_listener_new();
|
|
|
|
|
|
|
|
qio_net_listener_set_name(nbd_server->listener,
|
|
|
|
"nbd-listener");
|
|
|
|
|
2021-02-09 18:27:58 +03:00
|
|
|
/*
|
|
|
|
* Because this server is persistent, a backlog of SOMAXCONN is
|
|
|
|
* better than trying to size it to max_connections.
|
|
|
|
*/
|
|
|
|
if (qio_net_listener_open_sync(nbd_server->listener, addr, SOMAXCONN,
|
|
|
|
errp) < 0) {
|
2016-02-10 21:41:14 +03:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
2017-04-26 10:36:41 +03:00
|
|
|
if (tls_creds) {
|
2016-02-10 21:41:14 +03:00
|
|
|
nbd_server->tlscreds = nbd_get_tls_creds(tls_creds, errp);
|
|
|
|
if (!nbd_server->tlscreds) {
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
nbd: allow authorization with nbd-server-start QMP command
As with the previous patch to qemu-nbd, the nbd-server-start QMP command
also needs to be able to specify authorization when enabling TLS encryption.
First the client must create a QAuthZ object instance using the
'object-add' command:
{
'execute': 'object-add',
'arguments': {
'qom-type': 'authz-list',
'id': 'authz0',
'parameters': {
'policy': 'deny',
'rules': [
{
'match': '*CN=fred',
'policy': 'allow'
}
]
}
}
}
They can then reference this in the new 'tls-authz' parameter when
executing the 'nbd-server-start' command:
{
'execute': 'nbd-server-start',
'arguments': {
'addr': {
'type': 'inet',
'host': '127.0.0.1',
'port': '9000'
},
'tls-creds': 'tls0',
'tls-authz': 'authz0'
}
}
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <20190227162035.18543-3-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
2019-02-27 19:20:34 +03:00
|
|
|
nbd_server->tlsauthz = g_strdup(tls_authz);
|
|
|
|
|
2020-09-24 18:26:54 +03:00
|
|
|
nbd_update_server_watch(nbd_server);
|
2016-02-10 21:41:14 +03:00
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
error:
|
|
|
|
nbd_server_free(nbd_server);
|
|
|
|
nbd_server = NULL;
|
2012-08-22 18:43:07 +04:00
|
|
|
}
|
|
|
|
|
2020-02-24 17:29:57 +03:00
|
|
|
void nbd_server_start_options(NbdServerOptions *arg, Error **errp)
|
|
|
|
{
|
2020-09-24 18:26:54 +03:00
|
|
|
nbd_server_start(arg->addr, arg->tls_creds, arg->tls_authz,
|
|
|
|
arg->max_connections, errp);
|
2020-02-24 17:29:57 +03:00
|
|
|
}
|
|
|
|
|
2017-04-26 10:36:41 +03:00
|
|
|
void qmp_nbd_server_start(SocketAddressLegacy *addr,
|
|
|
|
bool has_tls_creds, const char *tls_creds,
|
nbd: allow authorization with nbd-server-start QMP command
As with the previous patch to qemu-nbd, the nbd-server-start QMP command
also needs to be able to specify authorization when enabling TLS encryption.
First the client must create a QAuthZ object instance using the
'object-add' command:
{
'execute': 'object-add',
'arguments': {
'qom-type': 'authz-list',
'id': 'authz0',
'parameters': {
'policy': 'deny',
'rules': [
{
'match': '*CN=fred',
'policy': 'allow'
}
]
}
}
}
They can then reference this in the new 'tls-authz' parameter when
executing the 'nbd-server-start' command:
{
'execute': 'nbd-server-start',
'arguments': {
'addr': {
'type': 'inet',
'host': '127.0.0.1',
'port': '9000'
},
'tls-creds': 'tls0',
'tls-authz': 'authz0'
}
}
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <20190227162035.18543-3-berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
2019-02-27 19:20:34 +03:00
|
|
|
bool has_tls_authz, const char *tls_authz,
|
2020-09-24 18:26:54 +03:00
|
|
|
bool has_max_connections, uint32_t max_connections,
|
2017-04-26 10:36:41 +03:00
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
SocketAddress *addr_flat = socket_address_flatten(addr);
|
|
|
|
|
2020-09-24 18:26:54 +03:00
|
|
|
nbd_server_start(addr_flat, tls_creds, tls_authz, max_connections, errp);
|
2017-04-26 10:36:41 +03:00
|
|
|
qapi_free_SocketAddress(addr_flat);
|
|
|
|
}
|
|
|
|
|
2020-09-24 18:27:01 +03:00
|
|
|
void qmp_nbd_server_add(NbdServerAddOptions *arg, Error **errp)
|
2020-09-24 18:26:50 +03:00
|
|
|
{
|
2020-09-24 18:26:53 +03:00
|
|
|
BlockExport *export;
|
|
|
|
BlockDriverState *bs;
|
|
|
|
BlockBackend *on_eject_blk;
|
2020-09-24 18:27:01 +03:00
|
|
|
BlockExportOptions *export_opts;
|
2020-09-24 18:26:53 +03:00
|
|
|
|
|
|
|
bs = bdrv_lookup_bs(arg->device, arg->device, errp);
|
|
|
|
if (!bs) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2020-09-24 18:27:01 +03:00
|
|
|
/*
|
|
|
|
* block-export-add would default to the node-name, but we may have to use
|
|
|
|
* the device name as a default here for compatibility.
|
|
|
|
*/
|
|
|
|
if (!arg->has_name) {
|
2020-10-27 08:05:48 +03:00
|
|
|
arg->has_name = true;
|
|
|
|
arg->name = g_strdup(arg->device);
|
2020-09-24 18:27:01 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
export_opts = g_new(BlockExportOptions, 1);
|
|
|
|
*export_opts = (BlockExportOptions) {
|
|
|
|
.type = BLOCK_EXPORT_TYPE_NBD,
|
2020-09-24 18:27:04 +03:00
|
|
|
.id = g_strdup(arg->name),
|
2020-09-24 18:27:01 +03:00
|
|
|
.node_name = g_strdup(bdrv_get_node_name(bs)),
|
2020-09-24 18:27:11 +03:00
|
|
|
.has_writable = arg->has_writable,
|
|
|
|
.writable = arg->writable,
|
2020-09-24 18:26:50 +03:00
|
|
|
};
|
2020-10-27 08:05:49 +03:00
|
|
|
QAPI_CLONE_MEMBERS(BlockExportOptionsNbdBase, &export_opts->u.nbd,
|
2020-10-27 08:05:48 +03:00
|
|
|
qapi_NbdServerAddOptions_base(arg));
|
2020-10-27 08:05:49 +03:00
|
|
|
if (arg->has_bitmap) {
|
qapi: nbd-export: allow select bitmaps by node/name pair
Hi all! Current logic of relying on search through backing chain is not
safe neither convenient.
Sometimes it leads to necessity of extra bitmap copying. Also, we are
going to add "snapshot-access" driver, to access some snapshot state
through NBD. And this driver is not formally a filter, and of course
it's not a COW format driver. So, searching through backing chain will
not work. Instead of widening the workaround of bitmap searching, let's
extend the interface so that user can select bitmap precisely.
Note, that checking for bitmap active status is not copied to the new
API, I don't see a reason for it, user should understand the risks. And
anyway, bitmap from other node is unrelated to this export being
read-only or read-write.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@openvz.org>
Message-Id: <20220314213226.362217-3-v.sementsov-og@mail.ru>
[eblake: Adjust S-o-b to Vladimir's new email, with permission]
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
2022-03-15 00:32:25 +03:00
|
|
|
BlockDirtyBitmapOrStr *el = g_new(BlockDirtyBitmapOrStr, 1);
|
|
|
|
|
|
|
|
*el = (BlockDirtyBitmapOrStr) {
|
|
|
|
.type = QTYPE_QSTRING,
|
|
|
|
.u.local = g_strdup(arg->bitmap),
|
|
|
|
};
|
2020-10-27 08:05:49 +03:00
|
|
|
export_opts->u.nbd.has_bitmaps = true;
|
qapi: nbd-export: allow select bitmaps by node/name pair
Hi all! Current logic of relying on search through backing chain is not
safe neither convenient.
Sometimes it leads to necessity of extra bitmap copying. Also, we are
going to add "snapshot-access" driver, to access some snapshot state
through NBD. And this driver is not formally a filter, and of course
it's not a COW format driver. So, searching through backing chain will
not work. Instead of widening the workaround of bitmap searching, let's
extend the interface so that user can select bitmap precisely.
Note, that checking for bitmap active status is not copied to the new
API, I don't see a reason for it, user should understand the risks. And
anyway, bitmap from other node is unrelated to this export being
read-only or read-write.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@openvz.org>
Message-Id: <20220314213226.362217-3-v.sementsov-og@mail.ru>
[eblake: Adjust S-o-b to Vladimir's new email, with permission]
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
2022-03-15 00:32:25 +03:00
|
|
|
QAPI_LIST_PREPEND(export_opts->u.nbd.bitmaps, el);
|
2020-10-27 08:05:49 +03:00
|
|
|
}
|
2020-09-24 18:26:53 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* nbd-server-add doesn't complain when a read-only device should be
|
|
|
|
* exported as writable, but simply downgrades it. This is an error with
|
|
|
|
* block-export-add.
|
|
|
|
*/
|
|
|
|
if (bdrv_is_read_only(bs)) {
|
2020-09-24 18:27:11 +03:00
|
|
|
export_opts->has_writable = true;
|
|
|
|
export_opts->writable = false;
|
2020-09-24 18:26:53 +03:00
|
|
|
}
|
|
|
|
|
2020-09-24 18:27:01 +03:00
|
|
|
export = blk_exp_add(export_opts, errp);
|
2020-09-24 18:26:53 +03:00
|
|
|
if (!export) {
|
2020-09-24 18:27:01 +03:00
|
|
|
goto fail;
|
2020-09-24 18:26:53 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* nbd-server-add removes the export when the named BlockBackend used for
|
|
|
|
* @device goes away.
|
|
|
|
*/
|
|
|
|
on_eject_blk = blk_by_name(arg->device);
|
|
|
|
if (on_eject_blk) {
|
|
|
|
nbd_export_set_on_eject_blk(export, on_eject_blk);
|
|
|
|
}
|
2020-09-24 18:27:01 +03:00
|
|
|
|
|
|
|
fail:
|
|
|
|
qapi_free_BlockExportOptions(export_opts);
|
2012-08-22 18:43:07 +04:00
|
|
|
}
|
|
|
|
|
2018-01-19 16:57:16 +03:00
|
|
|
void qmp_nbd_server_remove(const char *name,
|
2020-09-24 18:27:06 +03:00
|
|
|
bool has_mode, BlockExportRemoveMode mode,
|
2018-01-19 16:57:16 +03:00
|
|
|
Error **errp)
|
|
|
|
{
|
2020-09-24 18:27:06 +03:00
|
|
|
BlockExport *exp;
|
2018-01-19 16:57:16 +03:00
|
|
|
|
2020-09-24 18:27:06 +03:00
|
|
|
exp = blk_exp_find(name);
|
|
|
|
if (exp && exp->drv->type != BLOCK_EXPORT_TYPE_NBD) {
|
|
|
|
error_setg(errp, "Block export '%s' is not an NBD export", name);
|
2018-01-19 16:57:16 +03:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2020-09-24 18:27:06 +03:00
|
|
|
qmp_block_export_del(name, has_mode, mode, errp);
|
2018-01-19 16:57:16 +03:00
|
|
|
}
|
|
|
|
|
2012-08-22 18:43:07 +04:00
|
|
|
void qmp_nbd_server_stop(Error **errp)
|
|
|
|
{
|
2019-01-11 22:47:14 +03:00
|
|
|
if (!nbd_server) {
|
|
|
|
error_setg(errp, "NBD server not running");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2020-09-24 18:27:03 +03:00
|
|
|
blk_exp_close_all_type(BLOCK_EXPORT_TYPE_NBD);
|
2012-08-22 18:43:07 +04:00
|
|
|
|
2016-02-10 21:41:14 +03:00
|
|
|
nbd_server_free(nbd_server);
|
|
|
|
nbd_server = NULL;
|
2012-08-22 18:43:07 +04:00
|
|
|
}
|