Eric Blake b66ff2c298 iotests: Specify explicit backing format where sensible
There are many existing qcow2 images that specify a backing file but
no format.  This has been the source of CVEs in the past, but has
become more prominent of a problem now that libvirt has switched to
-blockdev.  With older -drive, at least the probing was always done by
qemu (so the only risk of a changed format between successive boots of
a guest was if qemu was upgraded and probed differently).  But with
newer -blockdev, libvirt must specify a format; if libvirt guesses raw
where the image was formatted, this results in data corruption visible
to the guest; conversely, if libvirt guesses qcow2 where qemu was
using raw, this can result in potential security holes, so modern
libvirt instead refuses to use images without explicit backing format.

The change in libvirt to reject images without explicit backing format
has pointed out that a number of tools have been far too reliant on
probing in the past.  It's time to set a better example in our own
iotests of properly setting this parameter.

iotest calls to create, rebase, and convert are all impacted to some
degree.  It's a bit annoying that we are inconsistent on command line
- while all of those accept -o backing_file=...,backing_fmt=..., the
shortcuts are different: create and rebase have -b and -F, while
convert has -B but no -F.  (amend has no shortcuts, but the previous
patch just deprecated the use of amend to change backing chains).

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200706203954.341758-9-eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2020-07-14 15:18:59 +02:00

357 lines
12 KiB
Bash
Executable File

#!/usr/bin/env bash
#
# Test for configuring cache modes of arbitrary nodes (requires O_DIRECT)
#
# Copyright (C) 2015 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# creator
owner=kwolf@redhat.com
seq=`basename $0`
echo "QA output created by $seq"
status=1 # failure is the default!
_cleanup()
{
_cleanup_test_img
_rm_test_img "$TEST_IMG.snap"
}
trap "_cleanup; exit \$status" 0 1 2 3 15
# get standard environment, filters and checks
. ./common.rc
. ./common.filter
_supported_fmt qcow2
_supported_proto file
# We test all cache modes anyway, but O_DIRECT needs to be supported
_default_cache_mode none
_supported_cache_modes none directsync
do_run_qemu()
{
echo Testing: "$@"
(
if ! test -t 0; then
while read cmd; do
echo $cmd
done
fi
echo quit
) | $QEMU -nographic -monitor stdio -nodefaults "$@"
echo
}
run_qemu()
{
do_run_qemu "$@" 2>&1 | _filter_testdir | _filter_qemu | _filter_hmp
}
size=128M
TEST_IMG="$TEST_IMG.base" _make_test_img $size
TEST_IMG="$TEST_IMG.snap" _make_test_img $size
_make_test_img -b "$TEST_IMG.base" $size -F $IMGFMT
echo
echo === Simple test for all cache modes ===
echo
run_qemu -drive file="$TEST_IMG",cache=none
run_qemu -drive file="$TEST_IMG",cache=directsync
run_qemu -drive file="$TEST_IMG",cache=writeback
run_qemu -drive file="$TEST_IMG",cache=writethrough
run_qemu -drive file="$TEST_IMG",cache=unsafe
run_qemu -drive file="$TEST_IMG",cache=invalid_value
echo
echo === Check inheritance of cache modes ===
echo
files="if=none,file=$TEST_IMG,backing.file.filename=$TEST_IMG.base"
ids="node-name=image,backing.node-name=backing,backing.file.node-name=backing-file,file.node-name=file"
check_cache_all()
{
# cache.direct is supposed to be inherited by both bs->file and
# bs->backing
printf "cache.direct=on on none0\n"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids",cache.direct=on | grep -e "Cache" -e "[Cc]annot|[Cc]ould not|[Cc]an't"
printf "\ncache.direct=on on file\n"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids",file.cache.direct=on | grep -e "Cache" -e "[Cc]annot|[Cc]ould not|[Cc]an't"
printf "\ncache.direct=on on backing\n"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids",backing.cache.direct=on | grep -e "Cache" -e "[Cc]annot|[Cc]ould not|[Cc]an't"
printf "\ncache.direct=on on backing-file\n"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids",backing.file.cache.direct=on | grep -e "Cache" -e "[Cc]annot|[Cc]ould not|[Cc]an't"
# cache.writeback is supposed to be inherited by bs->backing; bs->file
# always gets cache.writeback=on
printf "\n\ncache.writeback=off on none0\n"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids",cache.writeback=off | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.writeback=off on file\n"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids",file.cache.writeback=off | grep -e "doesn't" -e "does not"
printf "\ncache.writeback=off on backing\n"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids",backing.cache.writeback=off | grep -e "doesn't" -e "does not"
printf "\ncache.writeback=off on backing-file\n"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids",backing.file.cache.writeback=off | grep -e "doesn't" -e "does not"
# cache.no-flush is supposed to be inherited by both bs->file and bs->backing
printf "\n\ncache.no-flush=on on none0\n"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids",cache.no-flush=on | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.no-flush=on on file\n"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids",file.cache.no-flush=on | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.no-flush=on on backing\n"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids",backing.cache.no-flush=on | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.no-flush=on on backing-file\n"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids",backing.file.cache.no-flush=on | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
}
echo
echo "--- Configure cache modes on the command line ---"
echo
# First check the inherited cache mode after opening the image.
hmp_cmds="info block none0
info block image
info block file
info block backing
info block backing-file"
check_cache_all
echo
echo "--- Cache modes after reopen (live snapshot) ---"
echo
# Then trigger a reopen and check that the cache modes are still the same.
hmp_cmds="snapshot_blkdev -n none0 $TEST_IMG.snap $IMGFMT
info block
info block image
info block file
info block backing
info block backing-file"
check_cache_all
echo
echo "--- Change cache modes with reopen (qemu-io command, flags) ---"
echo
# This one actually changes the cache mode with the reopen. For this test, the
# new cache mode is specified in the flags, not as an option.
hmp_cmds='qemu-io none0 "reopen -c none"
info block none0
info block image
info block file
info block backing
info block backing-file'
check_cache_all
echo
echo "--- Change cache modes with reopen (qemu-io command, options) ---"
echo
# This one actually changes the cache mode with the reopen. For this test, the
# new cache mode is specified as an option, not in the flags.
hmp_cmds='qemu-io none0 "reopen -o cache.direct=on"
info block none0
info block image
info block file
info block backing
info block backing-file'
check_cache_all
echo
echo "--- Change cache modes after snapshot ---"
echo
# This checks that the original image doesn't inherit from the snapshot
hmp_cmds="snapshot_blkdev -n none0 $TEST_IMG.snap $IMGFMT
qemu-io none0 \"reopen -c none\"
info block none0
info block image
info block file
info block backing
info block backing-file"
check_cache_all
echo
echo "--- Change cache mode in parent, child has explicit option in JSON ---"
echo
# This checks that children with options explicitly set by the json:
# pseudo-protocol don't inherit these options from their parents.
#
# Yes, blkdebug::json:... is criminal, but I can't see another way to have a
# BDS initialised with the json: pseudo-protocol, but still have it inherit
# options from its parent node.
hmp_cmds="qemu-io none0 \"reopen -o cache.direct=on,cache.no-flush=on\"
info block none0
info block image
info block blkdebug
info block file"
echo "$hmp_cmds" | run_qemu -drive if=none,file="blkdebug::json:{\"filename\":\"$TEST_IMG\",,\"cache\":{\"direct\":false}}",node-name=image,file.node-name=blkdebug,file.image.node-name=file | grep "Cache"
echo
echo "=== Check that referenced BDSes don't inherit ==="
echo
drv_bkfile="if=none,driver=file,filename=$TEST_IMG.base,node-name=backing-file"
drv_bk="if=none,file=json:{'driver':'$IMGFMT',,'file':'backing-file',,'node-name':'backing'}"
drv_file="if=none,driver=file,filename=$TEST_IMG,node-name=file"
drv_img="if=none,id=blk,file=json:{'driver':'$IMGFMT',,'file':'file',,'backing':'backing',,'node-name':'image'}"
check_cache_all_separate()
{
# Check cache.direct
printf "cache.direct=on on blk\n"
echo "$hmp_cmds" | run_qemu -drive "$drv_bkfile" -drive "$drv_bk" -drive "$drv_file" -drive "$drv_img",cache.direct=on | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.direct=on on file\n"
echo "$hmp_cmds" | run_qemu -drive "$drv_bkfile" -drive "$drv_bk" -drive "$drv_file",cache.direct=on -drive "$drv_img" | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.direct=on on backing\n"
echo "$hmp_cmds" | run_qemu -drive "$drv_bkfile" -drive "$drv_bk",cache.direct=on -drive "$drv_file" -drive "$drv_img" | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.direct=on on backing-file\n"
echo "$hmp_cmds" | run_qemu -drive "$drv_bkfile",cache.direct=on -drive "$drv_bk" -drive "$drv_file" -drive "$drv_img" | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
# Check cache.writeback
printf "\n\ncache.writeback=off on blk\n"
echo "$hmp_cmds" | run_qemu -drive "$drv_bkfile" -drive "$drv_bk" -drive "$drv_file" -drive "$drv_img",cache.writeback=off | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.writeback=off on file\n"
echo "$hmp_cmds" | run_qemu -drive "$drv_bkfile" -drive "$drv_bk" -drive "$drv_file",cache.writeback=off -drive "$drv_img" | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.writeback=off on backing\n"
echo "$hmp_cmds" | run_qemu -drive "$drv_bkfile" -drive "$drv_bk",cache.writeback=off -drive "$drv_file" -drive "$drv_img" | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.writeback=off on backing-file\n"
echo "$hmp_cmds" | run_qemu -drive "$drv_bkfile",cache.writeback=off -drive "$drv_bk" -drive "$drv_file" -drive "$drv_img" | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
# Check cache.no-flush
printf "\n\ncache.no-flush=on on blk\n"
echo "$hmp_cmds" | run_qemu -drive "$drv_bkfile" -drive "$drv_bk" -drive "$drv_file" -drive "$drv_img",cache.no-flush=on | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.no-flush=on on file\n"
echo "$hmp_cmds" | run_qemu -drive "$drv_bkfile" -drive "$drv_bk" -drive "$drv_file",cache.no-flush=on -drive "$drv_img" | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.no-flush=on on backing\n"
echo "$hmp_cmds" | run_qemu -drive "$drv_bkfile" -drive "$drv_bk",cache.no-flush=on -drive "$drv_file" -drive "$drv_img" | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
printf "\ncache.no-flush=on on backing-file\n"
echo "$hmp_cmds" | run_qemu -drive "$drv_bkfile",cache.no-flush=on -drive "$drv_bk" -drive "$drv_file" -drive "$drv_img" | grep -e "Cache" -e "[Cc]annot\|[Cc]ould not\|[Cc]an't"
}
echo
echo "--- Configure cache modes on the command line ---"
echo
# First check the inherited cache mode after opening the image.
hmp_cmds="info block image
info block file
info block backing
info block backing-file"
check_cache_all_separate
echo
echo "--- Cache modes after reopen (live snapshot) ---"
echo
# Then trigger a reopen and check that the cache modes are still the same.
hmp_cmds="snapshot_blkdev -n blk $TEST_IMG.snap $IMGFMT
info block blk
info block image
info block file
info block backing
info block backing-file"
check_cache_all_separate
echo
echo "--- Change cache modes with reopen (qemu-io command, flags) ---"
echo
# This one actually changes the cache mode with the reopen. For this test, the
# new cache mode is specified as flags, not as option.
hmp_cmds='qemu-io blk "reopen -c none"
info block image
info block file
info block backing
info block backing-file'
check_cache_all_separate
echo
echo "=== Reopening children instead of the root ==="
echo
files="if=none,file=$TEST_IMG,backing.file.filename=$TEST_IMG.base"
ids="node-name=image,backing.node-name=backing,backing.file.node-name=backing-file,file.node-name=file"
echo
echo "--- Basic reopen ---"
echo
hmp_cmds='qemu-io none0 "reopen -o backing.cache.direct=on"
info block none0
info block image
info block file
info block backing
info block backing-file'
check_cache_all
echo
echo "--- Change cache mode after reopening child ---"
echo
# This checks that children with options explicitly set with reopen don't
# inherit these options from their parents any more
# TODO Implement node-name support for 'qemu-io' HMP command for -c
# Can use only -o to access child node options for now
hmp_cmds="qemu-io none0 \"reopen -o file.cache.direct=off,file.cache.no-flush=off\"
qemu-io none0 \"reopen -o backing.file.cache.direct=off,backing.file.cache.no-flush=on\"
qemu-io none0 \"reopen -c none\"
info block image
info block file
info block backing
info block backing-file"
echo "$hmp_cmds" | run_qemu -drive "$files","$ids" | grep "Cache"
# success, all done
echo "*** done"
rm -f $seq.full
status=0