From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH storage v5 14/51] qemu blockdev options: restrict allowed drivers and options
Date: Wed, 2 Jul 2025 18:27:47 +0200
Message-ID: <20250702162838.393696-15-f.ebner@proxmox.com>
In-Reply-To: <20250702162838.393696-1-f.ebner@proxmox.com>
Everything the default plugin method implementation can return is
allowed, so there is no breakage introduced by this patch.

By far the most common drivers will be 'file' and 'host_device', which
the default implementation of the plugin method currently uses. Other
quite common ones will be 'iscsi' and 'nbd'. There might also be
plugins with 'rbd' and it is planned to support QEMU protocol-paths in
the default plugin method implementation, where the 'rbd:' protocol
will also be supported.

Plugin authors are encouraged to request additional drivers and
options based on their needs on the pve-devel mailing list. The list
just starts out more restrictive, but everything where there is no
good reason to not allow could be allowed in the future upon request.

Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
New in v5.
src/PVE/Storage.pm | 116 +++++++++++++++++++++++++++++++++++++-
src/PVE/Storage/Plugin.pm | 6 +-
2 files changed, 118 insertions(+), 4 deletions(-)
diff --git a/src/PVE/Storage.pm b/src/PVE/Storage.pm
index 5afff26..25ce5f2 100755
--- a/src/PVE/Storage.pm
+++ b/src/PVE/Storage.pm
@@ -131,6 +131,102 @@ our $OVA_CONTENT_RE_1 = qr/${SAFE_CHAR_WITH_WHITESPACE_CLASS_RE}+\.(qcow2|raw|vm
# FIXME remove with PVE 9.0, add versioned breaks for pve-manager
our $vztmpl_extension_re = $VZTMPL_EXT_RE_1;
+# See the QMP reference documentation.
+my $allowed_qemu_blockdev_options_file = {
+ filename => 1,
+ # pr-manager
+ # aio
+ # aio-max-batch
+ # locking
+ # drop-cache
+ # x-check-cache-dropped
+};
+
+# Plugin authors should feel free to request allowing more based on their requirements on the
+# pve-devel mailing list. See the QMP reference documentation:
+# https://qemu.readthedocs.io/en/master/interop/qemu-qmp-ref.html#object-QMP-block-core.BlockdevOptions
+my $allowed_qemu_blockdev_options = {
+ # alloc-track - only works in combination with stream job
+ # blkdebug - for debugging
+ # blklogwrites - for debugging
+ # blkreplay - for debugging
+ # blkverify - for debugging
+ # bochs
+ # cloop
+ # compress
+ # copy-before-write - should not be used directly by storage layer
+ # copy-on-read - should not be used directly by storage layer
+ # dmg
+ file => $allowed_qemu_blockdev_options_file,
+ # snapshot-access - should not be used directly by storage layer
+ # ftp
+ # ftps
+ # gluster - support is expected to be dropped in QEMU 10.1
+ # host_cdrom - storage layer should not access host CD-ROM drive
+ host_device => $allowed_qemu_blockdev_options_file,
+ # http
+ # https
+ # io_uring - disabled by our QEMU build config (would require CONFIG_BLKIO)
+ iscsi => {
+ transport => 1,
+ portal => 1,
+ target => 1,
+ lun => 1,
+ # user - requires 'password-secret'
+ # password-secret - requires adding a 'secret' object on the commandline in qemu-server
+ 'initiator-name' => 1,
+ 'header-digest' => 1,
+ timeout => 1,
+ },
+ # luks
+ nbd => {
+ server => 1,
+ export => 1,
+ # tls-creds - would require adding a 'secret' object on the commandline in qemu-server
+ # tls-hostname - requires tls-creds
+ # x-dirty-bitmap - would mean allocation information would be reported based on bitmap
+ 'reconnect-delay' => 1,
+ 'open-timeout' => 1,
+ },
+ # nfs - disabled by our QEMU build config
+ # null-aio - for debugging
+ # null-co - for debugging
+ # nvme
+ # nvme-io_uring - disabled by our QEMU build config (would require CONFIG_BLKIO)
+ # parallels
+ # preallocate
+ # qcow
+ # qcow2 - format node is added by qemu-server
+ # qed
+ # quorum
+ # raw - format node is added by qemu-server
+ rbd => {
+ pool => 1,
+ namespace => 1,
+ image => 1,
+ conf => 1,
+ snapshot => 1,
+ encrypt => 1,
+ user => 1,
+ 'auth-client-required' => 1,
+ # key-secret would require adding a 'secret' object on the commandline in qemu-server
+ server => 1,
+ },
+ # replication
+ # pbs
+ # ssh - disabled by our QEMU build config
+ # throttle
+ # vdi
+ # vhdx
+ # virtio-blk-vfio-pci - disabled by our QEMU build config (would require CONFIG_BLKIO)
+ # virtio-blk-vhost-user - disabled by our QEMU build config (would require CONFIG_BLKIO)
+ # virtio-blk-vhost-vdpa - disabled by our QEMU build config (would require CONFIG_BLKIO)
+ # vmdk - format node is added by qemu-server
+ # vpc
+ # vvfat
+ # zeroinit - filter that should not be used directly by storage layer
+};
+
# PVE::Storage utility functions
sub config {
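Review bot: The allow-list is flat ('option => 1'), but some of the permitted options take structured values rather than scalars: 'server => 1' in the nbd block, and 'server => 1' and 'encrypt => 1' in the rbd block. With a flat flag, whatever the plugin nests under those keys is accepted as-is. That matters most for 'encrypt', because the neighbouring comments exclude 'key-secret', 'password-secret' and 'tls-creds' precisely since they need a 'secret' object that qemu-server does not add. Suggest either stating in the comment above $allowed_qemu_blockdev_options that only top-level keys are checked, or allowing an entry to be a hash reference of permitted sub-keys so nested values can be restricted the same way. The comment above $allowed_qemu_blockdev_options_file could also carry the same documentation URL as the second table instead of the bare "See the QMP reference documentation."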
@@ -733,7 +829,25 @@ sub qemu_blockdev_options {
die "cannot use volume of type '$vtype' as a QEMU blockdevice\n"
if $vtype ne 'images' && $vtype ne 'iso' && $vtype ne 'import';
- return $plugin->qemu_blockdev_options($scfg, $storeid, $volname, $machine_version, $options);
+ my $blockdev =
+ $plugin->qemu_blockdev_options($scfg, $storeid, $volname, $machine_version, $options);
+
+ if (my $driver = $blockdev->{driver}) {
+ my $allowed_opts = $allowed_qemu_blockdev_options->{$driver};
+ for my $opt (keys $blockdev->%*) {
+ next if $opt eq 'driver';
+ if (!$allowed_opts->{$opt}) {
+ delete($blockdev->{$opt});
+ log_warn(
+ "volume '$volid' - dropping block device option '$opt' set by storage plugin"
+ . " - not currently part of allowed schema");
+ }
+ }
+ } else {
+ die "storage plugin for '$storeid' did not return a blockdev driver\n";
+ }
+
+ return $blockdev;
}
# used as last resort to adapt volnames when migrating
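Review bot: A driver that is missing from $allowed_qemu_blockdev_options is not rejected in the 'if (my $driver = $blockdev->{driver})' branch. For such a driver the lookup yields undef, so '!$allowed_opts->{$opt}' is true for every key, each option is deleted with a warning, and a blockdev containing only the unlisted driver is still returned to the caller. Since the subject says drivers are restricted as well, add an explicit check right after the lookup, for example: die "storage plugin for '$storeid' returned disallowed blockdev driver '$driver'\n" if !$allowed_opts; A smaller point in the same loop: deleting an option and only logging a warning means the volume is opened with different settings than the plugin asked for, so it is worth deciding whether dropping or dying is the intended behaviour and saying so in a comment.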
diff --git a/src/PVE/Storage/Plugin.pm b/src/PVE/Storage/Plugin.pm
index cfe89dd..3f2c638 100644
--- a/src/PVE/Storage/Plugin.pm
+++ b/src/PVE/Storage/Plugin.pm
@@ -1972,9 +1972,9 @@ Returns a hash reference with the basic options needed to open the volume via QE
API. This at least requires a C<< $blockdev->{driver} >> and a reference to the image, e.g.
C<< $blockdev->{filename} >> for the C<file> driver. For files, the C<file> driver can be used. For
host block devices, the C<host_device> driver can be used. The plugin must not set options like
-C<cache> or C<aio>. Those are managed by qemu-server and will be overwritten. For other available
-drivers and the exact specification of the options, see
-L<https://qemu.readthedocs.io/en/master/interop/qemu-qmp-ref.html#object-QMP-block-core.BlockdevOptions>
+C<cache> or C<aio>. Those are managed by qemu-server. See C<$allowed_qemu_blockdev_options> in the
+C<PVE/Storage.pm> module for allowed drivers and options. Feel free to request more on the pve-devel
+mailing list based on your requirements.
While Perl does not have explicit types, the result will need to be converted to JSON later and
match the QMP specification (see link above), so implicit types are important. In the return value,
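Review bot: The unchanged paragraph right after the rewritten lines still says "match the QMP specification (see link above)", but the L<...> link to the QMP reference is removed by this hunk, so the POD now points at a link that no longer exists. Either keep the URL in the new text next to the pointer to C<$allowed_qemu_blockdev_options>, or reword the following sentence to refer to the URL in the comment in C<PVE/Storage.pm>. The new sentence could also mention that options outside the allowed set are dropped with a warning, since that is what plugin authors will observe.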
--
2.47.2