qemu/tests/qemu-iotests/085

277 lines
7.5 KiB
Plaintext
Raw Normal View History

#!/usr/bin/env bash
# group: rw
#
# Live snapshot tests
#
# This tests live snapshots of images on a running QEMU instance, using
# QMP commands. Both single disk snapshots, and transactional group
# snapshots are performed.
#
# Copyright (C) 2014 Red Hat, Inc.
# Copyright (C) 2015 Igalia, S.L.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# creator
owner=jcody@redhat.com
seq=`basename $0`
echo "QA output created by $seq"
status=1 # failure is the default!
snapshot_virt0="snapshot-v0.qcow2"
snapshot_virt1="snapshot-v1.qcow2"
SNAPSHOTS=10
_cleanup()
{
_cleanup_qemu
_cleanup_test_img
for i in $(seq 1 ${SNAPSHOTS})
do
_rm_test_img "${TEST_DIR}/${i}-${snapshot_virt0}"
_rm_test_img "${TEST_DIR}/${i}-${snapshot_virt1}"
done
for img in "${TEST_IMG}".{1,2,base}
do
_rm_test_img "$img"
done
}
trap "_cleanup; exit \$status" 0 1 2 3 15
# get standard environment, filters and checks
. ./common.rc
. ./common.filter
. ./common.qemu
_supported_fmt qcow2
_supported_proto file
# ${1}: unique identifier for the snapshot filename
create_single_snapshot()
{
cmd="{ 'execute': 'blockdev-snapshot-sync',
'arguments': { 'device': 'virtio0',
'snapshot-file':'${TEST_DIR}/${1}-${snapshot_virt0}',
'format': 'qcow2' } }"
_send_qemu_cmd $h "${cmd}" "return"
}
# ${1}: unique identifier for the snapshot filename
create_group_snapshot()
{
cmd="{ 'execute': 'transaction', 'arguments':
{'actions': [
{ 'type': 'blockdev-snapshot-sync', 'data' :
{ 'device': 'virtio0',
'snapshot-file': '${TEST_DIR}/${1}-${snapshot_virt0}' } },
{ 'type': 'blockdev-snapshot-sync', 'data' :
{ 'device': 'virtio1',
'snapshot-file': '${TEST_DIR}/${1}-${snapshot_virt1}' } } ]
} }"
_send_qemu_cmd $h "${cmd}" "return"
}
# ${1}: unique identifier for the snapshot filename
# ${2}: extra_params to the blockdev-add command
# ${3}: filename
do_blockdev_add()
{
cmd="{ 'execute': 'blockdev-add', 'arguments':
{ 'driver': 'qcow2', 'node-name': 'snap_${1}', ${2}
'file':
{ 'driver': 'file', 'filename': '${3}',
'node-name': 'file_${1}' } } }"
_send_qemu_cmd $h "${cmd}" "return"
}
# ${1}: unique identifier for the snapshot filename
create_snapshot_image()
{
base_image="${TEST_DIR}/$((${1}-1))-${snapshot_virt0}"
snapshot_file="${TEST_DIR}/${1}-${snapshot_virt0}"
iotests: Specify explicit backing format where sensible There are many existing qcow2 images that specify a backing file but no format. This has been the source of CVEs in the past, but has become more prominent of a problem now that libvirt has switched to -blockdev. With older -drive, at least the probing was always done by qemu (so the only risk of a changed format between successive boots of a guest was if qemu was upgraded and probed differently). But with newer -blockdev, libvirt must specify a format; if libvirt guesses raw where the image was formatted, this results in data corruption visible to the guest; conversely, if libvirt guesses qcow2 where qemu was using raw, this can result in potential security holes, so modern libvirt instead refuses to use images without explicit backing format. The change in libvirt to reject images without explicit backing format has pointed out that a number of tools have been far too reliant on probing in the past. It's time to set a better example in our own iotests of properly setting this parameter. iotest calls to create, rebase, and convert are all impacted to some degree. It's a bit annoying that we are inconsistent on command line - while all of those accept -o backing_file=...,backing_fmt=..., the shortcuts are different: create and rebase have -b and -F, while convert has -B but no -F. (amend has no shortcuts, but the previous patch just deprecated the use of amend to change backing chains). Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20200706203954.341758-9-eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2020-07-06 23:39:52 +03:00
TEST_IMG=$snapshot_file _make_test_img -u -b "${base_image}" -F $IMGFMT "$size"
}
# ${1}: unique identifier for the snapshot filename
add_snapshot_image()
{
snapshot_file="${TEST_DIR}/${1}-${snapshot_virt0}"
create_snapshot_image "$1"
block: Use JSON null instead of "" to disable backing file BlockdevRef is an alternate of BlockdevOptions (inline definition) and str (reference to an existing block device by name). BlockdevRef value "" is special: "no block device should be referenced." It's actually interpreted that way in just one place: optional member @backing of COW formats. Semantics: * Present means "use this block device" as backing storage * Absent means "default to the one stored in the image" * Except "" means "don't use backing storage at all" The first two are perfectly normal: when the parameter is absent, it defaults to an implied value, but the value's meaning is the same. The third one overloads the parameter with a second meaning. The overloading is *implicit*, i.e. it's not visible in the types. Works here, because "" is not a value block device ID. Pressing argument values the schema accepts, but are semantically invalid, into service to mean "do something else entirely" is not general, as suitable invalid values need not exist. I also find it ugly. To clean this up, we could add a separate flag argument to suppress @backing, or add a distinct value to @backing. This commit implements the latter: add JSON null to the values of @backing, deprecate "". Because we're so close to the 2.10 freeze, implement it in the stupidest way possible: have qmp_blockdev_add() rewrite null to "" before anything else can see the null. Works, because BlockdevRef occurs only within arguments of blockdev-add. The proper way to do it would be rewriting "" to null, preferably in a cleaner way, but that requires fixing up code to work with null. Add a TODO comment for that. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Acked-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2017-07-18 09:54:00 +03:00
do_blockdev_add "$1" "'backing': null, " "${snapshot_file}"
}
# ${1}: unique identifier for the snapshot filename
# ${2}: expected response, defaults to 'return'
blockdev_snapshot()
{
cmd="{ 'execute': 'blockdev-snapshot',
'arguments': { 'node': 'virtio0',
'overlay':'snap_${1}' } }"
_send_qemu_cmd $h "${cmd}" "${2:-return}"
}
size=128M
TEST_IMG="$TEST_IMG.1" _make_test_img $size
TEST_IMG="$TEST_IMG.2" _make_test_img $size
echo
echo === Running QEMU ===
echo
qemu_comm_method="qmp"
_launch_qemu -drive file="${TEST_IMG}.1",if=virtio -drive file="${TEST_IMG}.2",if=virtio
h=$QEMU_HANDLE
echo
echo === Sending capabilities ===
echo
_send_qemu_cmd $h "{ 'execute': 'qmp_capabilities' }" "return"
# Tests for the blockdev-snapshot-sync command
echo
echo === Create a single snapshot on virtio0 ===
echo
create_single_snapshot 1
echo
echo === Invalid command - missing device and nodename ===
echo
_send_qemu_cmd $h "{ 'execute': 'blockdev-snapshot-sync',
'arguments': { 'snapshot-file':'${TEST_DIR}/1-${snapshot_virt0}',
'format': 'qcow2' } }" "error"
echo
echo === Invalid command - missing snapshot-file ===
echo
_send_qemu_cmd $h "{ 'execute': 'blockdev-snapshot-sync',
'arguments': { 'device': 'virtio0',
'format': 'qcow2' } }" "error"
echo
echo
echo === Create several transactional group snapshots ===
echo
for i in $(seq 2 ${SNAPSHOTS})
do
create_group_snapshot ${i}
done
# Tests for the blockdev-snapshot command
echo
echo === Create a couple of snapshots using blockdev-snapshot ===
echo
SNAPSHOTS=$((${SNAPSHOTS}+1))
add_snapshot_image ${SNAPSHOTS}
blockdev_snapshot ${SNAPSHOTS}
SNAPSHOTS=$((${SNAPSHOTS}+1))
add_snapshot_image ${SNAPSHOTS}
blockdev_snapshot ${SNAPSHOTS}
echo
echo === Invalid command - cannot create a snapshot using a file BDS ===
echo
_send_qemu_cmd $h "{ 'execute': 'blockdev-snapshot',
'arguments': { 'node':'virtio0',
'overlay':'file_${SNAPSHOTS}' }
}" "error"
echo
echo === Invalid command - snapshot node used as active layer ===
echo
blockdev_snapshot ${SNAPSHOTS} error
_send_qemu_cmd $h "{ 'execute': 'blockdev-snapshot',
'arguments': { 'node':'virtio0',
'overlay':'virtio0' }
}" "error"
_send_qemu_cmd $h "{ 'execute': 'blockdev-snapshot',
'arguments': { 'node':'virtio0',
'overlay':'virtio1' }
}" "error"
echo
echo === Invalid command - snapshot node used as backing hd ===
echo
blockdev_snapshot $((${SNAPSHOTS}-1)) error
echo
echo === Invalid command - snapshot node has a backing image ===
echo
SNAPSHOTS=$((${SNAPSHOTS}+1))
TEST_IMG="$TEST_IMG.base" _make_test_img "$size"
iotests: Specify explicit backing format where sensible There are many existing qcow2 images that specify a backing file but no format. This has been the source of CVEs in the past, but has become more prominent of a problem now that libvirt has switched to -blockdev. With older -drive, at least the probing was always done by qemu (so the only risk of a changed format between successive boots of a guest was if qemu was upgraded and probed differently). But with newer -blockdev, libvirt must specify a format; if libvirt guesses raw where the image was formatted, this results in data corruption visible to the guest; conversely, if libvirt guesses qcow2 where qemu was using raw, this can result in potential security holes, so modern libvirt instead refuses to use images without explicit backing format. The change in libvirt to reject images without explicit backing format has pointed out that a number of tools have been far too reliant on probing in the past. It's time to set a better example in our own iotests of properly setting this parameter. iotest calls to create, rebase, and convert are all impacted to some degree. It's a bit annoying that we are inconsistent on command line - while all of those accept -o backing_file=...,backing_fmt=..., the shortcuts are different: create and rebase have -b and -F, while convert has -B but no -F. (amend has no shortcuts, but the previous patch just deprecated the use of amend to change backing chains). Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20200706203954.341758-9-eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2020-07-06 23:39:52 +03:00
_make_test_img -b "${TEST_IMG}.base" -F $IMGFMT "$size"
do_blockdev_add ${SNAPSHOTS} "" "${TEST_IMG}"
blockdev_snapshot ${SNAPSHOTS} error
echo
echo === Invalid command - creating loops ===
echo
SNAPSHOTS=$((${SNAPSHOTS}+1))
add_snapshot_image ${SNAPSHOTS}
_send_qemu_cmd $h "{ 'execute': 'blockdev-snapshot',
'arguments': { 'node':'snap_${SNAPSHOTS}',
'overlay':'snap_${SNAPSHOTS}' }
}" "error"
SNAPSHOTS=$((${SNAPSHOTS}+1))
create_snapshot_image ${SNAPSHOTS}
do_blockdev_add ${SNAPSHOTS} "'backing': 'snap_$((${SNAPSHOTS}-1))', " \
"${TEST_DIR}/${SNAPSHOTS}-${snapshot_virt0}"
_send_qemu_cmd $h "{ 'execute': 'blockdev-snapshot',
'arguments': { 'node':'snap_${SNAPSHOTS}',
'overlay':'snap_$((${SNAPSHOTS}-1))' }
}" "error"
echo
echo === Invalid command - The node does not exist ===
echo
blockdev_snapshot $((${SNAPSHOTS}+1)) error
_send_qemu_cmd $h "{ 'execute': 'blockdev-snapshot',
'arguments': { 'node':'nodevice',
'overlay':'snap_${SNAPSHOTS}' }
}" "error"
# success, all done
echo "*** done"
rm -f $seq.full
status=0