From: Stefan Hajnoczi
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Daniel P . Berrangé, Stefan Hajnoczi, qemu-block@nongnu.org, "Richard W . M . Jones"
Subject: [PATCH v3 1/2] docs: show how to spawn qemu-storage-daemon with fd passing
Date: Mon, 1 Mar 2021 17:27:27 +0000
Message-Id: <20210301172728.135331-2-stefanha@redhat.com>
In-Reply-To: <20210301172728.135331-1-stefanha@redhat.com>

The QMP monitor, NBD server, and vhost-user-blk export all support file descriptor passing.
This is a useful technique because it allows the parent process to spawn and wait for qemu-storage-daemon without busy waiting, which may delay startup due to arbitrary sleep() calls.

This Python example is inspired by the test case written for libnbd by Richard W.M. Jones:
https://gitlab.com/nbdkit/libnbd/-/commit/89113f484effb0e6c322314ba75c1cbe07a04543

Thanks to Daniel P. Berrangé for suggestions on how to get this working. Now let's document it!

Reported-by: Richard W.M. Jones
Cc: Kevin Wolf
Cc: Daniel P. Berrangé
Signed-off-by: Stefan Hajnoczi
Reviewed-by: Daniel P. Berrangé
---
v2:
 * Use /var/run/qmp.sock instead of /tmp/qmp-$PID.sock to prevent security
   issues with world-writeable directories [Rich, Daniel]
---
 docs/tools/qemu-storage-daemon.rst | 42 ++++++++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)

diff --git a/docs/tools/qemu-storage-daemon.rst b/docs/tools/qemu-storage-d= aemon.rst index f63627eaf6..789a8e4a75 100644 --- a/docs/tools/qemu-storage-daemon.rst +++ b/docs/tools/qemu-storage-daemon.rst @@ -101,10 +101,12 @@ Standard options: =20 .. option:: --nbd-server addr.type=3Dinet,addr.host=3D,addr.port=3D<= port>[,tls-creds=3D][,tls-authz=3D][,max-connections=3D] --nbd-server addr.type=3Dunix,addr.path=3D[,tls-creds=3D][,tls= -authz=3D][,max-connections=3D] + --nbd-server addr.type=3Dfd,addr.str=3D[,tls-creds=3D][,tls-auth= z=3D][,max-connections=3D] =20 is a server for NBD exports. Both TCP and UNIX domain sockets are suppor= ted. - TLS encryption can be configured using ``--object`` tls-creds-* and auth= z-* - secrets (see below). + A listen socket can be provided via file descriptor passing (see Examples + below). TLS encryption can be configured using ``--object`` tls-creds-* = and + authz-* secrets (see below). =20 To configure an NBD server on UNIX domain socket path ``/tmp/nbd.sock``:: =20 
@@ -127,6 +129,42 @@ QMP commands:: --chardev socket,path=3Dqmp.sock,server,nowait,id=3Dchar1 \ --monitor chardev=3Dchar1 =20 +Launch the daemon from Python with a QMP monitor socket using file descrip= tor +passing so there is no need to busy wait for the QMP monitor to become +available:: + + #!/usr/bin/env python3 + import subprocess + import socket + + sock_path =3D '/var/run/qmp.sock' + + with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listen_sock: + listen_sock.bind(sock_path) + listen_sock.listen() + + fd =3D listen_sock.fileno() + + subprocess.Popen( + ['qemu-storage-daemon', + '--chardev', f'socket,fd=3D{fd},server=3Don,id=3Dchar1', + '--monitor', 'chardev=3Dchar1'], + pass_fds=3D[fd], + ) + + # listen_sock was automatically closed when leaving the 'with' statement + # body. If the daemon process terminated early then the following connec= t() + # will fail with "Connection refused" because no process has the listen + # socket open anymore. Launch errors can be detected this way. + + qmp_sock =3D socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) + qmp_sock.connect(sock_path) + ...QMP interaction... + +The same socket spawning approach also works with the ``--nbd-server +addr.type=3Dfd,addr.str=3D`` and ``--export +type=3Dvhost-user-blk,addr.type=3Dfd,addr.str=3D`` options. 
+ Export raw image file ``disk.img`` over NBD UNIX domain socket ``nbd.sock`= `:: =20 $ qemu-storage-daemon \ --=20 2.29.2
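Review bot: In the second hunk of patch 1/2 (@@ -127,6 +129,42 @@), the comment before qmp_sock.connect(sock_path) says launch errors are detected by "Connection refused", but the child holds the inherited listen fd from exec until it exits, so a daemon that rejects its arguments a moment after the parent calls connect() leaves the connection queued and connect() succeeds. The failure then only shows as EOF or a reset on the first read. Suggest the comment name reading the QMP greeting as the actual check, and assign the subprocess.Popen(...) result to a variable, since the example currently discards it and cannot report the exit status.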
From: Stefan Hajnoczi
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Daniel P . Berrangé, Stefan Hajnoczi, qemu-block@nongnu.org, "Richard W . M . Jones"
Subject: [PATCH v3 2/2] docs: replace insecure /tmp examples in qsd docs
Date: Mon, 1 Mar 2021 17:27:28 +0000
Message-Id: <20210301172728.135331-3-stefanha@redhat.com>
In-Reply-To: <20210301172728.135331-1-stefanha@redhat.com>

World-writeable directories have security issues. Avoid showing them in the documentation since someone might accidentally use them in situations where they are insecure.

There tend to be 3 security problems:
1. Denial of service. An adversary may be able to create the file beforehand, consume all space/inodes, etc to sabotage us.
2. Impersonation. An adversary may be able to create a listen socket and accept incoming connections that were meant for us.
3. Unauthenticated client access. An adversary may be able to connect to us if we did not set the uid/gid and permissions correctly.

These can be prevented or mitigated with private /tmp, carefully setting the umask, etc but that requires special action and does not apply to all situations. Just avoid using /tmp in examples.

Reported-by: Richard W.M. Jones
Reported-by: Daniel P. Berrangé
Signed-off-by: Stefan Hajnoczi
Reviewed-by: Richard W.M. Jones
---
 docs/tools/qemu-storage-daemon.rst | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/docs/tools/qemu-storage-daemon.rst b/docs/tools/qemu-storage-d= aemon.rst index 789a8e4a75..2da28a447a 100644 --- a/docs/tools/qemu-storage-daemon.rst +++ b/docs/tools/qemu-storage-daemon.rst @@ -69,7 +69,7 @@ Standard options: a description of character device properties. A common character device definition configures a UNIX domain socket:: =20 - --chardev socket,id=3Dchar1,path=3D/tmp/qmp.sock,server,nowait + --chardev socket,id=3Dchar1,path=3D/var/run/qsd-qmp.sock,server,nowait =20 .. option:: --export [type=3D]nbd,id=3D,node-name=3D[,name= =3D][,writable=3Don|off][,bitmap=3D] --export [type=3D]vhost-user-blk,id=3D,node-name=3D,addr.= type=3Dunix,addr.path=3D[,writable=3Don|off][,logical-block-si= ze=3D][,num-queues=3D] 
@@ -108,9 +108,10 @@ Standard options: below). TLS encryption can be configured using ``--object`` tls-creds-* = and authz-* secrets (see below). =20 - To configure an NBD server on UNIX domain socket path ``/tmp/nbd.sock``:: + To configure an NBD server on UNIX domain socket path + ``/var/run/qsd-nbd.sock``:: =20 - --nbd-server addr.type=3Dunix,addr.path=3D/tmp/nbd.sock + --nbd-server addr.type=3Dunix,addr.path=3D/var/run/qsd-nbd.sock =20 .. option:: --object help --object ,help --=20 2.29.2
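Review bot: In the first hunk of patch 2/2 (@@ -69,7 +69,7 @@), the new path /var/run/qsd-qmp.sock removes the world-writable directory, but the surrounding text ("A common character device definition configures a UNIX domain socket") still says nothing about who may connect, which is the third problem listed in the commit message. Suggest one sentence after the example noting that access to the socket is governed by the permissions of the socket file and its directory. The name also differs from the /var/run/qmp.sock used by the Python example added in patch 1/2; using one name in both places would avoid suggesting they are different sockets.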
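An added example, not part of the patches or of QEMU's documentation: the fd-passing launch described in the 1/2 commit message, combined with the mitigations the 2/2 commit message names (a private directory and a restrictive umask). A small Python child stands in for qemu-storage-daemon; `launch`, `CHILD_OK`, `CHILD_FAIL` and the `qmp.sock` name inside a temporary directory are assumptions of this example.

```python
import os
import socket
import stat
import subprocess
import sys
import tempfile

# Constructed stand-ins for qemu-storage-daemon: CHILD_OK serves the inherited
# listen fd (number in argv[1]); CHILD_FAIL exits at once like a failed launch.
CHILD_OK = ("import socket, sys\n"
            "srv = socket.socket(fileno=int(sys.argv[1]))\n"
            "conn, _ = srv.accept()\n"
            "conn.sendall(b'greeting')\n")
CHILD_FAIL = "import sys\nsys.exit(1)\n"


def launch(child_code):
    """Return (first message or None, permission bits of the socket file)."""
    # TemporaryDirectory() makes a fresh mode-0700 directory, so no other user
    # can pre-create the socket path or bind a socket there in our place.
    with tempfile.TemporaryDirectory() as private_dir:
        sock_path = os.path.join(private_dir, "qmp.sock")
        old_umask = os.umask(0o077)  # bind() applies the umask to the file
        try:
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as lsock:
                lsock.bind(sock_path)
                lsock.listen()
                fd = lsock.fileno()
                proc = subprocess.Popen(
                    [sys.executable, "-c", child_code, str(fd)],
                    pass_fds=[fd])
        finally:
            os.umask(old_umask)
        mode = stat.S_IMODE(os.stat(sock_path).st_mode)
        # The parent's copy of the listen socket is closed now, so only a live
        # child keeps it open. The kernel queues connect(); no sleep() loop.
        greeting = None
        try:
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
                client.connect(sock_path)
                # A child that dies after connect() shows up as EOF or a reset
                # here, so read the first message before trusting the launch.
                greeting = client.recv(64) or None
        except ConnectionError:
            pass  # refused or reset: the child never served the socket
        proc.wait()
        return greeting, mode
```

os.umask() changes the mask for the whole process, so in a multi-threaded launcher the bind should happen before other threads create files.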