Comment 8 for bug 2038898

Pavlo Shchelokovskyy (pshchelo) wrote :

I did the testing with the full set of permutations of:

- libvirt.images_type = default | qcow2 | flat | raw
- use_cow_images = True | False
- force_raw_images = True | False
- Glance image = qcow2 | raw

I was booting an instance and checking the `qemu-img info $nova_state_path/instances/<instance_id>/disk` output for the image format, whether a backing file is used, and the backing file format.

Results: https://paste.opendev.org/show/bAMQ9pR9tOewEDKB4roK/

Summary:

- `libvirt.images_type = raw` behaves exactly the same as `flat`
- `use_cow_images` has any effect only with `libvirt.images_type = default`

  `images_type = default` + `use_cow_images = True` == `images_type = qcow2`

  `images_type = default` + `use_cow_images = False` == `images_type = flat`

- when a non-default `images_type` is configured, `use_cow_images` has no effect at all

That's it, it plays no other role with the libvirt driver when booting the instance (it is used, however, in several places with hyperv).

It is, however, used in finish_migration to decide whether to convert the image during cold migration. I believe this is a leftover from the times when there was no separation between qcow2 and 'raw/flat', and this option was the only one on which the format of the instance disk was chosen.
AFAIK we generate the XML on the target node from scratch, but tell it to use the existing image copied from the src host. The problem is when the XML we generate based on the settings of the current (target) host says one thing, but the actual file format is something else - if we think it is qcow2, but it is raw, we have a security vulnerability; if we think it is raw but it is qcow2 - the instance does not start at all.
So it seems this check in finish_migration is broken now: it does not account for all the possible ways in which this vulnerability may be triggered, and moreover, it breaks other legitimate scenarios.

What should be done IMO:
1. fix the check in finish_migration to not rely on `use_cow_images`
2. deprecate the usage of `use_cow_images` with libvirt driver
3. deprecate `default` value for `libvirt.images_type`

We could start by emitting a startup warning in the libvirt driver when use_cow_images = False and images_type = default, to warn those relying on that behavior of choosing 'flat' that this is deprecated, and that they must rather set it explicitly.

At the same time, we should deprecate use_cow_images and copy it over to hyperv.use_cow_images, and use that in the hyperv driver.
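
The mapping and the two mismatch outcomes described in the comment above can be checked mechanically against `qemu-img info --output=json` output. The following is an added example, not part of the comment and not nova code; the function names and the sample JSON are constructed for illustration, and only the four `images_type` values tested in the comment are handled.

```python
import json

# On-disk format per images_type, as reported in the comment's summary
# ('raw' behaves exactly the same as 'flat').
_FILE_FORMAT = {"qcow2": "qcow2", "flat": "raw", "raw": "raw"}

# Constructed samples of `qemu-img info --output=json` output.
RAW_DISK = '{"filename": "disk", "format": "raw", "virtual-size": 1073741824}'
QCOW2_DISK = json.dumps({
    "filename": "disk", "format": "qcow2", "virtual-size": 1073741824,
    "backing-filename": "/constructed/_base/image",
    "backing-filename-format": "raw",
})


def expected_disk_format(images_type, use_cow_images):
    """Disk format this host's settings imply (hypothetical helper)."""
    if images_type == "default":
        # use_cow_images only has an effect with images_type = default.
        images_type = "qcow2" if use_cow_images else "flat"
    try:
        return _FILE_FORMAT[images_type]
    except KeyError:
        raise ValueError(f"images_type {images_type!r} not covered") from None


def check_disk(images_type, use_cow_images, qemu_img_info_json):
    """Compare host settings with the actual format of an instance disk."""
    info = json.loads(qemu_img_info_json)
    expected = expected_disk_format(images_type, use_cow_images)
    actual = info["format"]
    if expected == actual:
        verdict = "ok"
    elif expected == "qcow2" and actual == "raw":
        verdict = "security"   # believed qcow2, file is raw
    elif expected == "raw" and actual == "qcow2":
        verdict = "no-boot"    # believed raw, file is qcow2
    else:
        verdict = "unknown-format"
    return {"expected": expected, "actual": actual,
            "backing_file": info.get("backing-filename"), "verdict": verdict}


if __name__ == "__main__":
    # Target host set to qcow2, disk copied from a flat/raw source host.
    print(check_disk("qcow2", False, RAW_DISK))
    # Target host on default + use_cow_images=False, disk is qcow2.
    print(check_disk("default", False, QCOW2_DISK))
```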