From: Stefan Hajnoczi
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Daniel P . Berrangé, Stefan Hajnoczi, qemu-block@nongnu.org, "Richard W . M . Jones"
Subject: [PATCH v2 1/2] docs: show how to spawn qemu-storage-daemon with fd passing
Date: Mon, 1 Mar 2021 17:11:06 +0000
Message-Id: <20210301171107.134100-2-stefanha@redhat.com>
In-Reply-To: <20210301171107.134100-1-stefanha@redhat.com>
References: <20210301171107.134100-1-stefanha@redhat.com>

The QMP monitor, NBD server, and vhost-user-blk export all support file descriptor passing.
This is a useful technique because it allows the parent process to spawn and wait for qemu-storage-daemon without busy waiting, which may delay startup due to arbitrary sleep() calls.

This Python example is inspired by the test case written for libnbd by Richard W.M. Jones: https://gitlab.com/nbdkit/libnbd/-/commit/89113f484effb0e6c322314ba75c1cbe07a04543

Thanks to Daniel P. Berrangé for suggestions on how to get this working. Now let's document it!

Reported-by: Richard W.M. Jones
Cc: Kevin Wolf
Cc: Daniel P. Berrangé
Signed-off-by: Stefan Hajnoczi
---
v2:
 * Use /var/run/qmp.sock instead of /tmp/qmp-$PID.sock to prevent security issues with world-writeable directories [Rich, Daniel]
---
docs/tools/qemu-storage-daemon.rst | 37 ++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/docs/tools/qemu-storage-daemon.rst b/docs/tools/qemu-storage-d= aemon.rst index f63627eaf6..3b67ca72df 100644 --- a/docs/tools/qemu-storage-daemon.rst +++ b/docs/tools/qemu-storage-daemon.rst @@ -101,10 +101,12 @@ Standard options: =20 .. option:: --nbd-server addr.type=3Dinet,addr.host=3D,addr.port=3D<= port>[,tls-creds=3D][,tls-authz=3D][,max-connections=3D] --nbd-server addr.type=3Dunix,addr.path=3D[,tls-creds=3D][,tls= -authz=3D][,max-connections=3D] + --nbd-server addr.type=3Dfd,addr.str=3D[,tls-creds=3D][,tls-auth= z=3D][,max-connections=3D] =20 is a server for NBD exports. Both TCP and UNIX domain sockets are suppor= ted. - TLS encryption can be configured using ``--object`` tls-creds-* and auth= z-* - secrets (see below). + A listen socket can be provided via file descriptor passing (see Examples + below). TLS encryption can be configured using ``--object`` tls-creds-* = and + authz-* secrets (see below). =20 To configure an NBD server on UNIX domain socket path ``/tmp/nbd.sock``:: =20
@@ -127,6 +129,37 @@ QMP commands:: --chardev socket,path=3Dqmp.sock,server,nowait,id=3Dchar1 \ --monitor chardev=3Dchar1 =20 +Launch the daemon from Python with a QMP monitor socket using file descrip= tor +passing so there is no need to busy wait for the QMP monitor to become +available:: + + #!/usr/bin/env python3 + import subprocess + import socket + + sock_path =3D '/var/run/qmp.sock' + + with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listen_sock: + listen_sock.bind(sock_path) + listen_sock.listen() + + fd =3D listen_sock.fileno() + + subprocess.Popen( + ['qemu-storage-daemon', + '--chardev', f'socket,fd=3D{fd},server=3Don,id=3Dchar1', + '--monitor', 'chardev=3Dchar1'], + pass_fds=3D[fd], + ) + + qmp_sock =3D socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) + qmp_sock.connect(sock_path) + ...QMP interaction... + +The same socket spawning approach also works with the ``--nbd-server +addr.type=3Dfd,addr.str=3D`` and ``--export +type=3Dvhost-user-blk,addr.type=3Dfd,addr.str=3D`` options. 
+ Export raw image file ``disk.img`` over NBD UNIX domain socket ``nbd.sock`= `:: =20 $ qemu-storage-daemon \ --=20 2.29.2
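Review bot: In the @@ -101,10 +101,12 hunk, the new sentence "A listen socket can be provided via file descriptor passing (see Examples below)" sends the reader to an example that only shows `--chardev socket,fd=...`; the NBD form appears there as a single closing sentence. Consider saying at this point that the descriptor must already be bound and listening and must be inherited by the daemon, so the `addr.type=fd` synopsis line is usable without reading the Python example first.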
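Review bot: In the Python example of the @@ -127,6 +129,37 hunk, `listen_sock.bind(sock_path)` creates `/var/run/qmp.sock` with whatever permissions the caller's umask yields, and nothing shown sets the umask or the mode afterwards. Since 2/2 lists unauthenticated client access as one of the problems being avoided, set a restrictive umask around bind() or add a sentence on who is allowed to connect. The example as shown also does not remove the socket file, so a second run fails in bind() with "address already in use"; an unlink on exit would cover that.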
From: Stefan Hajnoczi
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Daniel P . Berrangé, Stefan Hajnoczi, qemu-block@nongnu.org, "Richard W . M . Jones"
Subject: [PATCH v2 2/2] docs: replace insecure /tmp examples in qsd docs
Date: Mon, 1 Mar 2021 17:11:07 +0000
Message-Id: <20210301171107.134100-3-stefanha@redhat.com>
In-Reply-To: <20210301171107.134100-1-stefanha@redhat.com>
References: <20210301171107.134100-1-stefanha@redhat.com>

World-writeable directories have security issues. Avoid showing them in the documentation since someone might accidentally use them in situations where they are insecure.

There tend to be 3 security problems:
1. Denial of service. An adversary may be able to create the file beforehand, consume all space/inodes, etc to sabotage us.
2. Impersonation. An adversary may be able to create a listen socket and accept incoming connections that were meant for us.
3. Unauthenticated client access. An adversary may be able to connect to us if we did not set the uid/gid and permissions correctly.

These can be prevented or mitigated with private /tmp, carefully setting the umask, etc but that requires special action and does not apply to all situations. Just avoid using /tmp in examples.

Reported-by: Richard W.M. Jones
Reported-by: Daniel P. Berrangé
Signed-off-by: Stefan Hajnoczi
---
docs/tools/qemu-storage-daemon.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/tools/qemu-storage-daemon.rst b/docs/tools/qemu-storage-d= aemon.rst index 3b67ca72df..0c2a915434 100644 --- a/docs/tools/qemu-storage-daemon.rst +++ b/docs/tools/qemu-storage-daemon.rst @@ -69,7 +69,7 @@ Standard options: a description of character device properties. A common character device definition configures a UNIX domain socket:: =20 - --chardev socket,id=3Dchar1,path=3D/tmp/qmp.sock,server,nowait + --chardev socket,id=3Dchar1,path=3D/var/run/qsd-qmp.sock,server,nowait =20 .. option:: --export [type=3D]nbd,id=3D,node-name=3D[,name= =3D][,writable=3Don|off][,bitmap=3D] --export [type=3D]vhost-user-blk,id=3D,node-name=3D,addr.= type=3Dunix,addr.path=3D[,writable=3Don|off][,logical-block-si= ze=3D][,num-queues=3D]
@@ -108,9 +108,10 @@ Standard options: below). TLS encryption can be configured using ``--object`` tls-creds-* = and authz-* secrets (see below). =20 - To configure an NBD server on UNIX domain socket path ``/tmp/nbd.sock``:: + To configure an NBD server on UNIX domain socket path + ``/var/run/qsd-nbd.sock``:: =20 - --nbd-server addr.type=3Dunix,addr.path=3D/tmp/nbd.sock + --nbd-server addr.type=3Dunix,addr.path=3D/var/run/qsd-nbd.sock =20 .. option:: --object help --object ,help --=20 2.29.2
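Review bot: The replacement path in the @@ -69,7 +69,7 hunk is `/var/run/qsd-qmp.sock`, while the Python example added in 1/2 uses `/var/run/qmp.sock` for the same kind of QMP socket. Use one name in both places so readers do not take them for different sockets; the `qsd-` prefixed form is the less collision-prone of the two.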
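Review bot: `/var/run/qsd-nbd.sock` in the @@ -108,9 +108,10 hunk is normally creatable only by root, so the example now implies running the daemon as root, which the old `/tmp/nbd.sock` line did not. A short sentence telling unprivileged users to substitute a directory that only they can write to would keep readers from falling back to /tmp.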
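The two commit messages above combine into one pattern: bind the listen socket somewhere no other user can reach, then hand the descriptor to the child. The sketch below is an added example, not code from the patches or from QEMU; the child process is a stand-in for qemu-storage-daemon, and `make_private_listener`, `demo` and `CHILD` are hypothetical names.

```python
import os
import socket
import stat
import subprocess
import sys
import tempfile

# Stand-in for qemu-storage-daemon (assumption, so this runs without QEMU).
CHILD = (
    "import socket, sys\n"
    "srv = socket.socket(fileno=int(sys.argv[1]))\n"
    "conn, _ = srv.accept()\n"
    "conn.sendall(b'ready')\n"
)


def make_private_listener(name="qmp.sock", base_dir=None):
    """Bind a UNIX listen socket inside a fresh directory only we can enter."""
    sock_dir = tempfile.mkdtemp(prefix="qsd-", dir=base_dir)  # exclusive, mode 0700
    path = os.path.join(sock_dir, name)
    old_umask = os.umask(0o077)          # no group/other bits on the socket file
    try:
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
    finally:
        os.umask(old_umask)
    listener.listen()
    return listener, path


def demo():
    listener, path = make_private_listener()
    sock_dir = os.path.dirname(path)
    dir_mode = stat.S_IMODE(os.stat(sock_dir).st_mode)
    sock_mode = stat.S_IMODE(os.stat(path).st_mode)
    fd = listener.fileno()
    child = subprocess.Popen([sys.executable, "-c", CHILD, str(fd)], pass_fds=[fd])
    listener.close()                     # the child keeps its own copy of the fd
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(path)             # already listening: no sleep/retry loop
        reply = client.recv(16)
    child.wait()
    os.unlink(path)                      # leave no stale socket behind
    os.rmdir(sock_dir)
    return dir_mode, sock_mode, reply


if __name__ == "__main__":
    print(demo())
```

Because the directory is created exclusively with mode 0700, another user can neither pre-create the socket path nor bind in its place, and the umask keeps the socket file itself closed to group and other.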