From: Fiona Ebner
To: pve-devel@lists.proxmox.com
Date: Wed, 2 Jul 2025 18:27:47 +0200
Message-ID: <20250702162838.393696-15-f.ebner@proxmox.com>
In-Reply-To: <20250702162838.393696-1-f.ebner@proxmox.com>
References: <20250702162838.393696-1-f.ebner@proxmox.com>
Subject: [pve-devel] [PATCH storage v5 14/51] qemu blockdev options: restrict allowed drivers and options

Everything the default plugin method implementation can return is allowed, so there is no breakage introduced by this patch.

By far the most common drivers will be 'file' and 'host_device', which the default implementation of the plugin method currently uses. Other quite common ones will be 'iscsi' and 'nbd'. There might also be plugins with 'rbd' and it is planned to support QEMU protocol-paths in the default plugin method implementation, where the 'rbd:' protocol will also be supported.

Plugin authors are encouraged to request additional drivers and options based on their needs on the pve-devel mailing list. The list just starts out more restrictive, but everything where there is no good reason to not allow could be allowed in the future upon request.

Suggested-by: Thomas Lamprecht
Signed-off-by: Fiona Ebner
---
New in v5.

 src/PVE/Storage.pm        | 116 +++++++++++++++++++++++++++++++++++++-
 src/PVE/Storage/Plugin.pm |   6 +-
 2 files changed, 118 insertions(+), 4 deletions(-)

diff --git a/src/PVE/Storage.pm b/src/PVE/Storage.pm
index 5afff26..25ce5f2 100755
--- a/src/PVE/Storage.pm
+++ b/src/PVE/Storage.pm
@@ -131,6 +131,102 @@ our $OVA_CONTENT_RE_1 = qr/${SAFE_CHAR_WITH_WHITESPACE_CLASS_RE}+\.(qcow2|raw|vm # FIXME remove with PVE 9.0, add versioned breaks for pve-manager our $vztmpl_extension_re = $VZTMPL_EXT_RE_1; +# See the QMP reference documentation. +my $allowed_qemu_blockdev_options_file = { + filename => 1, + # pr-manager + # aio + # aio-max-batch + # locking + # drop-cache + # x-check-cache-dropped +}; + +# Plugin authors should feel free to request allowing more based on their requirements on the +# pve-devel mailing list. See the QMP reference documentation: +# https://qemu.readthedocs.io/en/master/interop/qemu-qmp-ref.html#object-QMP-block-core.BlockdevOptions +my $allowed_qemu_blockdev_options = { + # alloc-track - only works in combination with stream job + # blkdebug - for debugging + # blklogwrites - for debugging + # blkreplay - for debugging + # blkverify - for debugging + # bochs + # cloop + # compress + # copy-before-write - should not be used directly by storage layer + # copy-on-read - should not be used directly by storage layer + # dmg + file => $allowed_qemu_blockdev_options_file, + # snapshot-access - should not be used directly by storage layer + # ftp + # ftps + # gluster - support is expected to be dropped in QEMU 10.1 + # host_cdrom - storage layer should not access host CD-ROM drive + host_device => $allowed_qemu_blockdev_options_file, + # http + # https + # io_uring - disabled by our QEMU build config (would require CONFIG_BLKIO) + iscsi => { + transport => 1, + portal => 1, + target => 1, + lun => 1, + # user - requires 'password-secret' + # password-secret - requires adding a 'secret' object on the commandline in qemu-server + 'initiator-name' => 1, + 'header-digest' => 1, + timeout => 1, + }, + # luks + nbd => { + server => 1, + export => 1, + # tls-creds - would require adding a 'secret' object on the commandline in qemu-server + # tls-hostname - requires tls-creds + # x-dirty-bitmap - would mean allocation information would be 
reported based on bitmap + 'reconnect-delay' => 1, + 'open-timeout' => 1, + }, + # nfs - disabled by our QEMU build config + # null-aio - for debugging + # null-co - for debugging + # nvme + # nvme-io_uring - disabled by our QEMU build config (would require CONFIG_BLKIO) + # parallels + # preallocate + # qcow + # qcow2 - format node is added by qemu-server + # qed + # quorum + # raw - format node is added by qemu-server + rbd => { + pool => 1, + namespace => 1, + image => 1, + conf => 1, + snapshot => 1, + encrypt => 1, + user => 1, + 'auth-client-required' => 1, + # key-secret would require adding a 'secret' object on the commandline in qemu-server + server => 1, + }, + # replication + # pbs + # ssh - disabled by our QEMU build config + # throttle + # vdi + # vhdx + # virtio-blk-vfio-pci - disabled by our QEMU build config (would require CONFIG_BLKIO) + # virtio-blk-vhost-user - disabled by our QEMU build config (would require CONFIG_BLKIO) + # virtio-blk-vhost-vdpa - disabled by our QEMU build config (would require CONFIG_BLKIO) + # vmdk - format node is added by qemu-server + # vpc + # vvfat + # zeroinit - filter that should not be used directly by storage layer +}; + # PVE::Storage utility functions sub config { 
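Review bot: a value of 1 in these tables only whitelists a top-level key, but several of the keys whitelisted here carry nested QMP structures: 'server => 1' under nbd admits a whole SocketAddress object, and 'server => 1' and 'encrypt => 1' under rbd admit a list of addresses and an RbdEncryptionOptions object respectively, so whatever a plugin puts underneath them is never looked at (including, for example, a key-secret nested inside encrypt, even though the adjacent comment excludes key-secret at the top level because it would need a 'secret' object on the qemu-server command line). Either state in the header comment that sub-options are deliberately not validated, or use a nested hash instead of 1 for those entries so the filter can recurse. Minor style point in the same table: '# key-secret would require adding ...' is the only disabled entry written without the ' - ' separator used by every other comment ('# user - requires ...').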
@@ -733,7 +829,25 @@ sub qemu_blockdev_options { die "cannot use volume of type '$vtype' as a QEMU blockdevice\n" if $vtype ne 'images' && $vtype ne 'iso' && $vtype ne 'import'; - return $plugin->qemu_blockdev_options($scfg, $storeid, $volname, $machine_version, $options); + my $blockdev = + $plugin->qemu_blockdev_options($scfg, $storeid, $volname, $machine_version, $options); + + if (my $driver = $blockdev->{driver}) { + my $allowed_opts = $allowed_qemu_blockdev_options->{$driver}; + for my $opt (keys $blockdev->%*) { + next if $opt eq 'driver'; + if (!$allowed_opts->{$opt}) { + delete($blockdev->{$opt}); + log_warn( + "volume '$volid' - dropping block device option '$opt' set by storage plugin" + . " - not currently part of allowed schema"); + } + } + } else { + die "storage plugin for '$storeid' did not return a blockdev driver\n"; + } + + return $blockdev; } # used as last resort to adapt volnames when migrating diff --git a/src/PVE/Storage/Plugin.pm b/src/PVE/Storage/Plugin.pm index cfe89dd..3f2c638 100644 --- a/src/PVE/Storage/Plugin.pm +++ b/src/PVE/Storage/Plugin.pm 
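Review bot: a driver that is set but not a key of $allowed_qemu_blockdev_options is not rejected by this hunk. In that case $allowed_opts is undef, and '!$allowed_opts->{$opt}' evaluates true for every option (Perl autovivifies the undefined lexical rather than dying), so each option is deleted with its own log_warn line and a bare '{ driver => ... }' is returned; the failure then only surfaces inside QEMU with a far less helpful message. A disallowed driver should get the same treatment as a missing one: add something like "die "storage plugin for '$storeid' returned blockdev driver '$driver', which is not allowed\n" if !$allowed_opts;" before the loop. The warning text itself ('not currently part of allowed schema') could also name the driver, since the same option name means different things for different drivers.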
@@ -1972,9 +1972,9 @@ Returns a hash reference with the basic options needed to open the volume via QE API. This at least requires a C<< $blockdev->{driver} >> and a reference to the image, e.g. C<< $blockdev->(unknown) >> for the C driver. For files, the C driver can be used. For host block devices, the C driver can be used. The plugin must not set options like -C or C. Those are managed by qemu-server and will be overwritten. For other available -drivers and the exact specification of the options, see -L +C or C. Those are managed by qemu-server. See C<$allowed_qemu_blockdev_options> in the +C module for allowed drivers and options. Feel free to request more on the pve-devel +mailing list based on your requirements. While Perl does not have explicit types, the result will need to be converted to JSON later and match the QMP specification (see link above), so implicit types are important. In the return value, -- 2.47.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
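Review bot: the new POD sends plugin authors to $allowed_qemu_blockdev_options, but that is a file-scoped 'my' variable in PVE::Storage, so an out-of-tree plugin can neither inspect it at runtime nor find it without reading the source; naming the file (src/PVE/Storage.pm) or exposing a read-only accessor would make the reference actionable. The documentation also does not say what happens to options outside the list: the matching change in PVE::Storage::qemu_blockdev_options deletes them with a warning instead of failing, which is exactly what a plugin author needs to know when a returned option appears to have no effect. One sentence after 'Feel free to request more on the pve-devel mailing list ...' stating that unlisted options are dropped with a warning would close that gap.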