Comment 104 for bug 2059809

Dan Smith (danms) wrote : Re: Arbitrary file access through QCOW2 external data file

John, you're right that if we claim it's a raw and pass something else, that's bad. However, because of this code we'll (now) just treat it as raw. In this case we pass '-f raw' to the qemu-img command here and forever more down the line of dealing with the image. We already do that elsewhere, but this was the last place we weren't, because we weren't strict enough about the input to this should-be-safe info operation. Thus if you put a qcow in a raw image, we'll inspect it as raw and find it to be raw, then pass it to qemu-img with '-f raw' and it will say "yep, a raw" and treat it as such.

If you know of elsewhere in the code we don't pass the -f format explicitly to qemu-img, let me know, but when I looked this was the only remaining place.

I do have another routine in the glance code that runs the inspectors in parallel (which is not expensive since they're stream-based and very small) while it walks through enough of the file to satisfy them all. Basically a detection routine (i.e. what Sylvain is talking about), which we could use to say "aha, you said it was a raw, but it looks to me like a qcow!" We could certainly add that level of detection here, but it also has the potential for false positives, of course, so I feel like it's probably better to leave it out for now. We could add it later to nova as an extra layer if we want.

I'm planning to propose that to glance so that you can turn on deep inspection *inside* the upload pipeline such that it will reject images mid-stream if the safety check fails and/or if the image appears to be a format other than what you claimed.

Also, we did look at and discuss if there was a way to run qemu-img inside a privsep with no rights or something. However, what we really need is to run it inside a chroot. And even then, there's an exploit path which would instantiate the nbd driver inside qemu-img, which could then access local network resources, even if it was insulated from the rest of the host files.
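One way to implement the detection layer discussed above, as an added example that is not code from this bug thread, Nova or Glance: it parses only the qcow2 header (magic, backing file, the external data file feature bit and its name extension), compares that with the declared format, and builds the qemu-img call with the format pinned via `-f`. The sample header, its path and the function names are constructed for this example; the header offsets follow the qcow2 format specification.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
EXT_DATA_FILE_NAME = 0x44415441       # header extension type: external data file name
INCOMPAT_EXTERNAL_DATA_FILE = 1 << 2  # incompatible_features bit 2: external data file

def qemu_img_info_cmd(path, declared_format):
    # Pin the format with -f so qemu-img never probes and picks a driver itself.
    return ["qemu-img", "info", "-f", declared_format, "--output=json", path]

def inspect_header(data):
    # Parse only the qcow2 header and report the fields that point outside the image.
    if len(data) < 72 or data[:4] != QCOW2_MAGIC:
        return {"format": "raw"}
    version, bf_off, bf_size = struct.unpack_from(">IQI", data, 4)
    info = {"format": "qcow2", "version": version, "backing_file": bf_size > 0,
            "ext_data_flag": False, "ext_data_file": None}
    ext_off = 72                                    # v2: extensions follow the fixed header
    if version >= 3:
        incompat, = struct.unpack_from(">Q", data, 72)
        ext_off, = struct.unpack_from(">I", data, 100)  # v3: header_length
        info["ext_data_flag"] = bool(incompat & INCOMPAT_EXTERNAL_DATA_FILE)
    while ext_off + 8 <= len(data):                 # walk extensions to the end marker
        ext_type, ext_len = struct.unpack_from(">II", data, ext_off)
        if ext_type == 0:
            break
        if ext_type == EXT_DATA_FILE_NAME:
            info["ext_data_file"] = data[ext_off + 8:ext_off + 8 + ext_len].decode(errors="replace")
        ext_off += 8 + ((ext_len + 7) & ~7)         # payloads are padded to 8 bytes
    return info

def check_image(data, declared_format):
    # Flag a header that disagrees with the declared format or reaches outside the file.
    info = inspect_header(data)
    info["mismatch"] = info["format"] != declared_format
    info["reaches_outside"] = bool(info.get("backing_file") or info.get("ext_data_flag") or info.get("ext_data_file"))
    return info

def build_sample_qcow2(data_file=b"/tmp/unrelated.raw"):
    # Constructed sample: a minimal v3 header that names an external data file.
    hdr = bytearray(104)
    hdr[:4] = QCOW2_MAGIC
    struct.pack_into(">I", hdr, 4, 3)                            # version 3
    struct.pack_into(">Q", hdr, 72, INCOMPAT_EXTERNAL_DATA_FILE)  # feature bit set
    struct.pack_into(">I", hdr, 100, 104)                        # header_length
    ext = struct.pack(">II", EXT_DATA_FILE_NAME, len(data_file)) + data_file
    ext += b"\0" * (-len(data_file) % 8)
    return bytes(hdr) + ext + struct.pack(">II", 0, 0)
```

A file uploaded as "raw" whose header parses as qcow2 is exactly the mismatch case Dan describes; the check is header-only, so it costs one small read per image.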