Currently the qemu-nbd program will auto-detect the format of
any disk it is given. This behaviour is known to be insecure.
For example, if qemu-nbd initially exposes a 'raw' file to an
unprivileged app, and that app runs
'qemu-img create -f qcow2 -o backing_file=/etc/shadow /dev/nbd0'
then the next time the app is started, the qemu-nbd will now
detect it as a 'qcow2' file and expose /etc/shadow to the
unprivileged app.
The only way to avoid this is to explicitly tell qemu-nbd what
disk format to use on the command line, completely disabling
auto-detection. This patch adds a '-f' / '--format' arg for
this purpose, mirroring what is already available via qemu-img
and qemu commands.
qemu-nbd --format raw -p 9000 evil.img
will now always use raw, regardless of what format 'evil.img'
looks like it contains
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[Use errx, not err. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
It doesn't do anything yet except storing the options QDict in the
BlockDriverState.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Similar to --cache and --aio, this option mimics the discard suboption
of "-drive".
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Use a simple state machine with the following states:
- RUNNING => accepting connections
- TERMINATE => main loop must call nbd_export_close/put, and not accept
connections anymore
- TERMINATING => waiting for pending requests to finish
- TERMINATED => the NBDExport has been closed
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
In order to exit cleanly from qemu-nbd, add a callback that triggers
when an NBDExport is closed. In the case of qemu-nbd it will exit the
main loop.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
We will use a similar two-phase destruction for NBDExport, so we need
each NBDClient to add a reference to NBDExport.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Add two options to tune the I/O implementation of qemu-nbd, matching
the possibilities given by the QEMU -drive option.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This patch separates qemu-nbd's options in logical groups, thus making
the help message easier to read.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
In the next patch we need to look at the return code of nbd_wr_sync.
To avoid percolating the socket_error() ugliness all around, let's
handle errors by returning negative errno values.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
When qemu-nbd becomes a daemon it calls daemon(3) with
nochdir=0, so daemon(3) changes current directory to /.
But at this time, qemu-nbd did not open any user-specified
files yet, so by changing current directory, all non-absolute
paths becomes wrong. The solution is to pass nochdir=1 to
daemon(3) function, and to chdir("/") after all init has
been performed, before entering the main loop, -- just like
a good daemon should do.
This patch is applicable for -stable.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
For some reason nbd_client_thread() has a do..while loop which can never
loop, the condition is bogus because we would take a goto instead. Drop
the loop.
Reported-by: Dr David Alan Gilbert <davidagilbert@uk.ibm.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
This patch sets up the fd handler in nbd.c instead of qemu-nbd.c. It
introduces NBDClient, which wraps the arguments to nbd_trip in a single
structure, so that we can add a notifier to it. This way, qemu-nbd can
know about disconnections.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Using a single main loop for sockets will help yielding from the socket
coroutine back to the main loop, and later reentering it.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This is cleaner, because we do not need to close the block device when
there is an error opening /dev/nbdX. It was done this way only to
print errors before daemonizing.
At the same time, use atexit to ensure that the block device is closed
whenever we exit.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Now that the client and server are in the same process, there is
no need to race on the creation of the socket. We can open the
listening socket before starting the client thread.
This avoids that "qemu-nbd -v -c" prints this once before connecting
successfully to the socket:
connect(unix:/var/lock/qemu-nbd-nbd0): No such file or directory
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
In order to get nice error messages, keep the qemu-nbd process running
until before issuing NBD_DO_IT and connected to the daemon with a pipe.
This lets the qemu-nbd process relay error messages from the daemon and
exit with a nonzero status if appropriate.
Suggested-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
This avoids that qemu-nbd uses both forking and threads, which do
not behave well together.
qemu-nbd is already Unix only, and there is no qemu_thread_join,
so for now use pthreads.
Since the parent and child no longer have separate file descriptors,
we can open the NBD device before daemonizing, instead of checking
with access(2) and restricting the open to the client only.
Reported-by: Pierre Riteau <pierre.riteau@irisa.fr>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
It will be moved to a global variable by the next patch, and it
would conflict with the socket function.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
The client process right now uses SIGTERM to interrupt the server side.
This does not affect the exit status of "qemu-nbd -v -c" because the
server is a child process. This will change when both sides will be
in the same process, and anyway cleaning up things nicely upon SIGTERM
is good practice.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
nbd supports writing flags in bytes 24...27 of the header,
and uses that for the read-only flag. Add support for it
in qemu-nbd.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* qemu-common.h is not a system include file, so it should be included
with "" instead of <>. Otherwise incremental builds might fail
because only local include files are checked for changes.
* linux-user/syscall.c included the file twice.
Cc: Riku Voipio <riku.voipio@iki.fi>
Cc: Jan Kiszka <jan.kiszka@siemens.com>
Acked-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Weil <weil@mail.berlios.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Changes since v1: create a wrapper function named qemu_daemon() in oslib-posix.c
instead of putting the OS specific workaround in qemu-nbd.c directly.
On OSX >= 10.5, daemon() is deprecated, resulting in the following warning:
----8<----
qemu-nbd.c: In function ‘main’:
qemu-nbd.c:371: warning: ‘daemon’ is deprecated (declared at /usr/include/stdlib.h:289)
----8<----
The following trick, used in mDNSResponder, takes care of this warning:
http://www.opensource.apple.com/source/mDNSResponder/mDNSResponder-258.18/mDNSPosix/PosixDaemon.c
On OSX, it temporarily renames the daemon() function before including stdlib.h
and declares it manually as an extern function. This way, the compiler does not
see the declaration from stdlib.h and thus does not display the warning.
Signed-off-by: Alexandre Raymond <cerbere@gmail.com>
Cc: Blue Swirl <blauwirbel@gmail.com>
Signed-off-by: Andreas Färber <andreas.faerber@web.de>
Change BDRV_O_NOCACHE to only imply bypassing the host OS file cache,
but no writeback semantics. All existing callers are changed to also
specify BDRV_O_CACHE_WB to give them writeback semantics.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
block/nbd.c: use default port number when none is specified
qemu-nbd.c: use IANA-assigned port number: 10809
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Use qemu_blockalign for all allocations in the block layer. This allows
increasing the required alignment, which is need to support O_DIRECT on
devices with large block sizes.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
This patch allows to connect Qemu using NBD protocol to an nbd-server
using named exports.
For instance, if on the host "isoserver", in /etc/nbd-server/config, you have:
[generic]
[debian-500-ppc-netinst]
exportname = /ISO/debian-500-powerpc-netinst.iso
[Fedora-10-ppc-netinst]
exportname = /ISO/Fedora-10-ppc-netinst.iso
You can connect to it, using:
qemu -cdrom nbd:isoserver:exportname=debian-500-ppc-netinst
qemu -cdrom nbd:isoserver:exportname=Fedora-10-ppc-netinst
NOTE: you need at least nbd-server 2.9.18
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
- use err(3) instead of errx(3) if errno is available
to report why failed
- let fail prior to daemon(3) if opening a nbd file
is likely to fail after daemonizing to avoid silent
failure exit
- add missing 'ret = 1' when unix_socket_outgoing failed
Signed-off-by: Ryota Ozaki <ozaki.ryota@gmail.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
What is known today as bdrv_open2 becomes the new bdrv_open. All remaining
callers of the old function are converted to the new one. In some places they
even know the right format, so they should have used bdrv_open2 from the
beginning.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
errx takes the exit status of a process as the first
argument. Passing errno to it is wrong. Instead the
patch lets errx take EXIT_FAILURE.
Signed-off-by: Ryota Ozaki <ozaki.ryota@gmail.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
bdrv_open may return -errno so we have to check
if the return value is '< 0', not '== -1'.
Signed-off-by: Ryota Ozaki <ozaki.ryota@gmail.com>
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Really use read-only flags for opening the file when asked for read-only
Signed-off-by: Naphtali Sprei <nsprei@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Win32 suffers from a very big memory leak when dealing with SCSI devices.
Each read/write request allocates memory with qemu_memalign (ie
VirtualAlloc) but frees it with qemu_free (ie free).
Pair all qemu_memalign() calls with qemu_vfree() to prevent such leaks.
Signed-off-by: Herve Poussineau <hpoussin@reactos.org>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Instead of using the field 'readonly' of the BlockDriverState struct for passing the request,
pass the request in the flags parameter to the function.
Signed-off-by: Naphtali Sprei <nsprei@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
basename() needs #include <libgen.h>.
No prototype for daemon() is available on Solaris, but link
succeeds.
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>