Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1801219 - Requested operation is not valid: format of backing image ... was not specified in the image metadata
Summary: Requested operation is not valid: format of backing image ... was not specifi...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: libguestfs
Version: 8.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Richard W.M. Jones
QA Contact: YongkuiGuo
URL:
Whiteboard:
Depends On: 1798148
Blocks: 1786403
TreeView+ depends on / blocked
 
Reported: 2020-02-10 13:07 UTC by Richard W.M. Jones
Modified: 2020-07-02 11:50 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1798148
Environment:
Last Closed: 2020-07-02 11:50:12 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Richard W.M. Jones 2020-02-10 13:07:33 UTC 
+++ This bug was initially created as a clone of Bug #1798148 +++

Description of problem:

$ qemu-img create -f qcow2 test.qcow2 1M
$ qemu-img create -f qcow2 overlay.qcow2 -b test.qcow2 
$ qemu-img info overlay.qcow2 
image: overlay.qcow2
file format: qcow2
virtual size: 1 MiB (1048576 bytes)
disk size: 196 KiB
cluster_size: 65536
backing file: test.qcow2
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    corrupt: false

But if you add overlay.qcow2 to a guest then you can no longer
start the guest:

$ virt-install --import --name test --disk path=overlay.qcw2,format=qcow2 

ERROR    Requested operation is not valid: format of backing image 'test.qcow2' of image '/var/tmp/overlay.qcow2' was not specified in the image metadata (See https://libvirt.org/kbase/backing_chains.html for troubleshooting)

Note this is a regression over earlier behaviour, and also breaks
libguestfs tools such as virt-sparsify.

Version-Release number of selected component (if applicable):

libvirt-6.0.0-2.module+el8.2.0+5513+34927b6c.x86_64

How reproducible:

100%

Steps to Reproduce:
1. See above.

--- Additional comment from Rick Barry on 2020-02-04 19:32:45 UTC ---

Rich, if you plan to take this BZ you can either reassign it to yourself or assign it back to virt-maint and add the Triaged flag after you've determined the priority and set the ITR the way you want.

--- Additional comment from Peter Krempa on 2020-02-05 13:25:47 UTC ---

Note that the above scenario relied on format detection which was considered unsupported and insecure for a very long time (at least since 2012, I didn't look further).

Since libvirt wasn't able to tell qemu how to open the image until -blockdev was introduced the only recourse was to use selinux to prevent opening any unwanted backing images.

That means that for a very long time, any image which didn't have a format specified was considered to be raw from libvirt's point of view. This 'accidentally' worked in some cases, e.g. when the image didn't have any backing image. Saying 'accidentally' because we didn't have a way to fix it. Additionally in cases when selinux or any other security driver was not available, the insecure format probing could still be exploited.

Since -blockdev support was introduced it became possible to control the backing files of images which libvirt started to do.

In that case it turned out, that actually assuming that a non-specified format equals to RAW which we did for a long time is dangerous as it can lead to data corruption. To avoid any possibility of it we started reporting the error you mention in this bug.

The following bugs tracked some of the problems which occured before:

https://bugzilla.redhat.com/show_bug.cgi?id=1588373
If the image which didn't have the format specified has more than one backing image, selinux will not label them properly and startup will fail.

https://bugzilla.redhat.com/show_bug.cgi?id=1790101
Not specifying the format makes the image look corrupt as the backing image was QCOW2 and libvirt assumed root.

You can also see the questions asked on the upstream list:
https://www.redhat.com/archives/libvir-list/2020-January/msg00320.html

As of the reasons above we never wanted to allow the image format probing done by qemu in the first place but that became possible only using blockdev. As of such the behaviour we have now is expected as we want to require users to certify the image format one way or another.

Note that in addition to recording the format of the image in the overlay file when creating it:

qemu-img create -f qcow2 -F qcow2 -b /path/to/backing.qcow2 /path/to/overlay.qcow2)

(-F specifies the backing file format)

It's now also possible to express the format in the VM XML as well as the fact that backing.qcow2 has no backing store:

    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/path/to/overlay.qcow2'/>
      <backingStore type='file'>
        <format type='qcow2'/>
        <source file='/path/to/backing.qcow2'/>
        <backingStore/>
      </backingStore>
      <target dev='vdb' bus='virtio'/>
    </disk>

(note that you can also assume that if libvirt doesn't support the <backing> store on input, which can be also queried via the domcapabilities api [1] that the elements are ignored and the backing chain is probed)

Any new libvirt will thus reject any probed image which doesn't have the backing store specified and you can use one of the two approaches outlined above to avoid that issue.

[1] https://www.redhat.com/archives/libvirt-users/2020-January/msg00081.html
    https://libvirt.org/formatdomaincaps.html#featureBackingStoreInput

--- Additional comment from Richard W.M. Jones on 2020-02-06 11:06:01 UTC ---

This change breaks at least virt-customize and virt-sparsify.  I am still
analysing the extent of the problems and how easy it will be to fix.
I don't think that making this change in the middle of RHEL 8 is a good idea,
I think this will negatively affect a lot of customers.

--- Additional comment from Richard W.M. Jones on 2020-02-06 17:21:02 UTC ---

Easiest workaround seems to be to do the autodetection in libguestfs, so:
https://www.redhat.com/archives/libguestfs/2020-February/msg00013.html
Comment 2 Peter Krempa 2020-02-25 15:18:18 UTC 
I've reopened https://bugzilla.redhat.com/show_bug.cgi?id=1798148 as there are few situations where we can do image probing safely which will return the semantics to the old state for few safe scenarios.
Comment 3 Peter Krempa 2020-02-28 09:58:21 UTC 
https://bugzilla.redhat.com/show_bug.cgi?id=1798148 Is now in post. Also one note (and the reason for actually allowing it in libvirt): the patch mentioned above specifcially does the probing in an insecure way. If the probed image format is qcow2 it does not check whether a backing image is present: https://libvirt.org/kbase/backing_chains.html#vm-refuses-to-start-due-to-misconfigured-backing-store-format under 'Important'
Comment 4 Pino Toscano 2020-07-02 09:28:26 UTC 
Fast forward few months: what should we do about this bug?

libvirt added back autodetection in some cases where it is safe to do so, and I think we had less issues reported due to this;
otherwise, as Peter linked already, there is a libvirt KBase describing this situation:
https://libvirt.org/kbase/backing_chains.html#vm-refuses-to-start-due-to-misconfigured-backing-store-format

libguestfs itself explicitly specifies the format of images whenever it knows it, so most of (if not all) the cases where a format is missing are images supplied by the user via command line or API.
Comment 5 Richard W.M. Jones 2020-07-02 09:34:16 UTC 
I've been using the latest libvirt and libguestfs together for a while and
haven't hit this bug recently, so I guess whatever fix Peter added is working.
There's still the patch I posted to do autodetection every time to consider:

https://www.redhat.com/archives/libguestfs/2020-February/msg00013.html
Comment 6 Pino Toscano 2020-07-02 09:54:08 UTC 
(In reply to Richard W.M. Jones from comment #5)
> There's still the patch I posted to do autodetection every time to consider:
> 
> https://www.redhat.com/archives/libguestfs/2020-February/msg00013.html

This patch was already discussed, and we [1] decided it was unsuitable for libguestfs for the same reasons as libvirt:
- if libvirt does not do the format autodetection in all cases because it deems that unsafe, then doing it in libguestfs does not make sense either, since it would be unsafe in the very same way
- if libvirt would consider safe to always do autodetection, then doing the autodetection in libguestfs would not make sense (at least when using the libvirt backend)

So no, there is no patch to consider about this.

[1] where "we" means Peter, Dan, and me, apparently
Comment 7 Richard W.M. Jones 2020-07-02 10:27:04 UTC 
Libguestfs has always done autodetection if the format is not specified
(while recommending that to be safe you should specify the format - and
all libguestfs own tools do this where possible).  But in any case if libvirt
is doing autodetection in all the cases anyone cares about I'll wait until
an actual user/customer files a bug.

Shall we close this bug?
Note You need to log in before you can comment on or make changes to this bug.