Not too long ago (QEMU 5.0) it was possible to configure with --disable-tools
and still have virtiofsd built. With the recent port of the build system to
Meson, it is now built together with the tools though.

The Kata Containers [1] project builds QEMU with --disable-tools to decrease
the attack surface, apart from the fact that tools (except for virtiofsd)
aren't used at all. So the ability to build only virtiofsd is appreciated.

Commit cece116c939 introduced the --enable-virtiofsd option. One might think
that option will enable the virtiofsd build regardless of --disable-tools, but
it isn't the current behavior. So the patch that I am sending allows disabling
all tools but virtiofsd.

Side note: in a private chat with Stefan Hajnoczi he came up with the idea
that perhaps --disable-tools could be like --without-default-features, where
one can add features back on a feature-by-feature basis. This is outside the
scope of this series but I thought of sharing it because IMHO it deserves a
discussion.

[1] https://katacontainers.io

Wainer dos Santos Moschetta (1):
  virtiofsd: Allow to build it without the tools

 tools/meson.build | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--
2.29.2
On Mon, 1 Feb 2021, 22:15 Wainer dos Santos Moschetta <wainersm@redhat.com> wrote:

> Not too long ago (QEMU 5.0) it was possible to configure with
> --disable-tools and still have virtiofsd built. With the recent port of
> the build system to Meson, it is now built together with the tools though.
>
> The Kata Containers [1] project builds QEMU with --disable-tools to
> decrease the attack surface

--enable-tools only adds separate executables, therefore it can't add to the
attack surface of the emulators. So this is misleading.

That said, it does make sense to let --enable-virtiofsd override
--disable-tools, and the same in the other direction too.

Paolo

> Side note: in a private chat with Stefan Hajnoczi he came up with the idea
> that perhaps --disable-tools could be like --without-default-features,
> where one can add features back on a feature-by-feature basis. This is
> outside the scope of this series but I thought of sharing it because IMHO
> it deserves a discussion.
>
> [1] https://katacontainers.io
>
> Wainer dos Santos Moschetta (1):
>   virtiofsd: Allow to build it without the tools
>
>  tools/meson.build | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> --
> 2.29.2
>
>
Hi,

On 2/1/21 8:04 PM, Paolo Bonzini wrote:
>
>
> On Mon, 1 Feb 2021, 22:15 Wainer dos Santos Moschetta
> <wainersm@redhat.com> wrote:
>
> > Not too long ago (QEMU 5.0) it was possible to configure with
> > --disable-tools and still have virtiofsd built. With the recent port
> > of the build system to Meson, it is now built together with the tools
> > though.
> >
> > The Kata Containers [1] project builds QEMU with --disable-tools to
> > decrease the attack surface
>
>
> --enable-tools only adds separate executables, therefore it can't add
> to the attack surface of the emulators. So this is misleading.

You are right, Paolo, thanks for the comment. I meant to say the project
avoids installing unneeded binaries on the system, extra files which may be
subject to CVEs and force a sysadmin to handle them. I hope this clarifies
my point.

Thanks!

Wainer

>
> That said, it does make sense to let --enable-virtiofsd override
> --disable-tools, and the same in the other direction too.
>
> Paolo
>
> > Side note: in a private chat with Stefan Hajnoczi he came up with
> > the idea that perhaps --disable-tools could be like
> > --without-default-features, where one can add features back on a
> > feature-by-feature basis. This is outside the scope of this series
> > but I thought of sharing it because IMHO it deserves a discussion.
> >
> > [1] https://katacontainers.io
> >
> > Wainer dos Santos Moschetta (1):
> >   virtiofsd: Allow to build it without the tools
> >
> >  tools/meson.build | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> >
> > --
> > 2.29.2
>
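The override behaviour discussed in this thread (an explicit --enable-virtiofsd winning over --disable-tools, and an explicit --disable-virtiofsd winning over --enable-tools, with "auto" following the tools switch as it did before the Meson port), sketched as an illustrative tools/meson.build fragment. This is an added example, not the patch in this series or QEMU's actual build file; it assumes the have_tools, targetos and config_host variables and a 'virtiofsd' feature option of the kind the top-level build defines.

```meson
# Illustrative fragment (added example, not QEMU's tools/meson.build).
# Assumed to be defined by the top-level build:
#   have_tools  - bool, result of --enable-tools / --disable-tools
#   targetos    - host OS name
#   config_host - dict of host configuration keys
#   option('virtiofsd', type: 'feature', value: 'auto') in meson_options.txt
virtiofsd_opt = get_option('virtiofsd')

# Platform prerequisites for the daemon, independent of the tools switch.
virtiofsd_possible = (targetos == 'linux'
                      and 'CONFIG_SECCOMP' in config_host
                      and 'CONFIG_LINUX_CAPS' in config_host)

if virtiofsd_opt.enabled()
  # --enable-virtiofsd: build it even under --disable-tools, and fail the
  # configure step loudly if the host cannot support it instead of
  # silently producing a build without the daemon the user asked for.
  if not virtiofsd_possible
    error('virtiofsd requires Linux with libseccomp and libcap-ng')
  endif
  have_virtiofsd = true
elif virtiofsd_opt.disabled()
  # --disable-virtiofsd: never build it, even under --enable-tools, so
  # the binary is not installed where it is not wanted.
  have_virtiofsd = false
else
  # auto: follow --enable/--disable-tools, the pre-Meson behaviour.
  have_virtiofsd = have_tools and virtiofsd_possible
endif

if have_virtiofsd
  subdir('virtiofsd')
endif
```

With this shape, `configure --disable-tools --enable-virtiofsd` builds only the daemon, which is the Kata Containers use case described in the cover letter.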