|
 |
fbe740 |
From 9146b5849b0dfc2ee59eea09712cc7f5f88c88f2 Mon Sep 17 00:00:00 2001
|
|
|
fbe740 |
Message-Id: <9146b5849b0dfc2ee59eea09712cc7f5f88c88f2@dist-git>
|
|
|
fbe740 |
From: Peter Krempa <pkrempa@redhat.com>
|
|
|
fbe740 |
Date: Fri, 28 Feb 2020 10:24:45 +0100
|
|
|
fbe740 |
Subject: [PATCH] kbase: backing_chains: Add steps how to securely probe image
|
|
|
fbe740 |
format
|
|
|
fbe740 |
MIME-Version: 1.0
|
|
|
fbe740 |
Content-Type: text/plain; charset=UTF-8
|
|
|
fbe740 |
Content-Transfer-Encoding: 8bit
|
|
|
fbe740 |
|
|
|
fbe740 |
We document steps how to fix images if they are rejected for missing
|
|
|
fbe740 |
the 'backing file format' field. Document also how to securely probe
|
|
|
fbe740 |
the image format if it's unknown.
|
|
|
fbe740 |
|
|
|
fbe740 |
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
|
|
|
fbe740 |
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
|
|
fbe740 |
(cherry picked from commit 82d5b762f11b50abb710c751251f28d4325a4c91)
|
|
|
fbe740 |
|
|
|
fbe740 |
https://bugzilla.redhat.com/show_bug.cgi?id=1798148
|
|
|
fbe740 |
Message-Id: <039ebfe436c361b067ef73a7c0bb16db1e410044.1582881363.git.pkrempa@redhat.com>
|
|
|
fbe740 |
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
|
|
fbe740 |
---
|
|
|
fbe740 |
docs/kbase/backing_chains.rst | 15 +++++++++++++++
|
|
|
fbe740 |
1 file changed, 15 insertions(+)
|
|
|
fbe740 |
|
|
|
fbe740 |
diff --git a/docs/kbase/backing_chains.rst b/docs/kbase/backing_chains.rst
|
|
|
fbe740 |
index 12ed6253ac..af848ccb14 100644
|
|
|
fbe740 |
--- a/docs/kbase/backing_chains.rst
|
|
|
fbe740 |
+++ b/docs/kbase/backing_chains.rst
|
|
|
fbe740 |
@@ -176,6 +176,21 @@ properly. ``$BACKING_IMAGE_PATH`` should be specified as a full absolute path.
|
|
|
fbe740 |
If relative referencing of the backing image is desired, the path must be
|
|
|
fbe740 |
relative to the location of image described by ``$IMAGE_PATH``.
|
|
|
fbe740 |
|
|
|
fbe740 |
+**Important:** If the ``$BACKING_IMAGE_FORMAT`` is not known it can be queried
|
|
|
fbe740 |
+using ``qemu-img info $BACKING_IMAGE_PATH`` and looking for the ``file format:``
|
|
|
fbe740 |
+field, but for security reasons should be used *only* if at least one of the
|
|
|
fbe740 |
+following criteria is met:
|
|
|
fbe740 |
+
|
|
|
fbe740 |
+- ``file format`` is ``raw``
|
|
|
fbe740 |
+- ``backing file`` is NOT present
|
|
|
fbe740 |
+- ``backing file`` is present AND is correct/trusted
|
|
|
fbe740 |
+
|
|
|
fbe740 |
+Note that the last criteria may require manual inspection and thus should not
|
|
|
fbe740 |
+be scripted unless the trust for the image can be expressed programatically.
|
|
|
fbe740 |
+
|
|
|
fbe740 |
+Also note that the above steps may need to be repeated recursively for any
|
|
|
fbe740 |
+subsequent backing images.
|
|
|
fbe740 |
+
|
|
|
fbe740 |
Missing images reported after after moving disk images into a different path
|
|
|
fbe740 |
----------------------------------------------------------------------------
|
|
|
fbe740 |
|
|
|
fbe740 |
--
|
|
|
fbe740 |
2.25.1
|
|
|
fbe740 |
|