Coverage for nova/privsep/qemu.py: 93%
78 statements
« prev ^ index » next coverage.py v7.6.12, created at 2025-04-17 15:08 +0000
1# Copyright 2018 Michael Still and Aptira
2#
3# Licensed under the Apache License, Version 2.0 (the "License"); you may
4# not use this file except in compliance with the License. You may obtain
5# a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12# License for the specific language governing permissions and limitations
13# under the License.
15"""
16Helpers for qemu tasks.
17"""
19import contextlib
20import os
21import tempfile
22import typing as ty
24from oslo_concurrency import processutils
25from oslo_log import log as logging
26from oslo_utils import units
28from nova import exception
29from nova.i18n import _
30import nova.privsep.utils
32LOG = logging.getLogger(__name__)
34QEMU_IMG_LIMITS = processutils.ProcessLimits(
35 cpu_time=30,
36 address_space=1 * units.Gi)
39class EncryptionOptions(ty.TypedDict):
40 secret: str
41 format: str
44@nova.privsep.sys_admin_pctxt.entrypoint
45def convert_image(source, dest, in_format, out_format, instances_path,
46 compress, src_encryption=None, dest_encryption=None):
47 unprivileged_convert_image(source, dest, in_format, out_format,
48 instances_path, compress,
49 src_encryption=src_encryption,
50 dest_encryption=dest_encryption)
53# NOTE(mikal): this method is deliberately not wrapped in a privsep entrypoint
54def unprivileged_convert_image(
55 source: str,
56 dest: str,
57 in_format: ty.Optional[str],
58 out_format: str,
59 instances_path: str,
60 compress: bool,
61 src_encryption: ty.Optional[EncryptionOptions] = None,
62 dest_encryption: ty.Optional[EncryptionOptions] = None,
63) -> None:
64 """Disk image conversion with qemu-img
66 :param source: Location of the disk image to convert
67 :param dest: Desired location of the converted disk image
68 :param in_format: Disk image format of the source image
69 :param out_format: Desired disk image format of the converted disk image
70 :param instances_path: Location where instances are stored on disk
71 :param compress: Whether to compress the converted disk image
72 :param src_encryption: (Optional) Dict detailing various encryption
73 attributes for the source image such as the format and passphrase.
74 :param dest_encryption: (Optional) Dict detailing various encryption
75 attributes for the destination image such as the format and passphrase.
77 The in_format and out_format represent disk image file formats in QEMU,
78 which are:
80 * qcow2, which can be encrypted or not encrypted depending on options
81 * raw, which is unencrypted
82 * luks, which is encrypted raw
84 See https://www.qemu.org/docs/master/system/qemu-block-drivers.html
85 """
86 # NOTE(mdbooth, kchamart): `qemu-img convert` defaults to
87 # 'cache=writeback' for the source image, and 'cache=unsafe' for the
88 # target, which means that data is not synced to disk at completion.
89 # We explicitly use 'cache=none' here, for the target image, to (1)
90 # ensure that we don't interfere with other applications using the
91 # host's I/O cache, and (2) ensure that the data is on persistent
92 # storage when the command exits. Without (2), a host crash may
93 # leave a corrupt image in the image cache, which Nova cannot
94 # recover automatically.
96 # NOTE(zigo, kchamart): We cannot use `qemu-img convert -t none` if
97 # the 'instance_dir' is mounted on a filesystem that doesn't support
98 # O_DIRECT, which is the case, for example, with 'tmpfs'. This
99 # simply crashes `openstack server create` in environments like live
100 # distributions. In such cases, the best choice is 'writeback',
101 # which (a) makes the conversion multiple times faster; and (b) is
102 # as safe as it can be, because at the end of the conversion it,
103 # just like 'writethrough', calls fsync(2)|fdatasync(2), which
104 # ensures to safely write the data to the physical disk.
106 # NOTE(mikal): there is an assumption here that the source and destination
107 # are in the instances_path. Is that worth enforcing?
108 if nova.privsep.utils.supports_direct_io(instances_path):
109 cache_mode = 'none'
110 else:
111 cache_mode = 'writeback'
112 cmd = ['qemu-img', 'convert', '-t', cache_mode, '-O', out_format]
114 # qemu-img: --image-opts and --format are mutually exclusive
115 # If the source is encrypted, we will need to pass encryption related
116 # options using --image-opts.
117 driver_str = ''
118 if in_format is not None: 118 ↛ 124line 118 didn't jump to line 124 because the condition on line 118 was always true
119 if not src_encryption:
120 cmd += ['-f', in_format]
121 else:
122 driver_str = f'driver={in_format},'
124 if compress:
125 cmd += ['-c']
127 src_secret_file = None
128 dest_secret_file = None
129 encryption_opts: ty.List[str] = []
130 with contextlib.ExitStack() as stack:
131 if src_encryption:
132 src_secret_file = stack.enter_context(
133 tempfile.NamedTemporaryFile(mode='tr+', encoding='utf-8'))
135 # Write out the passphrase secret to a temp file
136 src_secret_file.write(src_encryption['secret'])
138 # Ensure the secret is written to disk, we can't .close() here as
139 # that removes the file when using NamedTemporaryFile
140 src_secret_file.flush()
142 # When --image-opts is used, the source filename must be passed as
143 # part of the option string instead of as a positional arg.
144 #
145 # The basic options include the secret and encryption format
146 # Option names depend on the QEMU disk image file format:
147 # https://www.qemu.org/docs/master/system/qemu-block-drivers.html#disk-image-file-formats # noqa
148 # For 'luks' it is 'key-secret' and format is implied
149 # For 'qcow2' it is 'encrypt.key-secret' and 'encrypt.format'
150 prefix = 'encrypt.' if in_format == 'qcow2' else ''
151 encryption_opts = [
152 '--object', f"secret,id=sec0,file={src_secret_file.name}",
153 '--image-opts',
154 f"{driver_str}file.driver=file,file.filename={source},"
155 f"{prefix}key-secret=sec0",
156 ]
158 if dest_encryption:
159 dest_secret_file = stack.enter_context(
160 tempfile.NamedTemporaryFile(mode='tr+', encoding='utf-8'))
162 # Write out the passphrase secret to a temp file
163 dest_secret_file.write(dest_encryption['secret'])
165 # Ensure the secret is written to disk, we can't .close()
166 # here as that removes the file when using
167 # NamedTemporaryFile
168 dest_secret_file.flush()
170 prefix = 'encrypt.' if out_format == 'qcow2' else ''
171 encryption_opts += [
172 '--object', f"secret,id=sec1,file={dest_secret_file.name}",
173 '-o', f'{prefix}key-secret=sec1',
174 ]
175 if prefix:
176 # The encryption format is only relevant for the 'qcow2' disk
177 # format. Otherwise, the disk format is 'luks' and the
178 # encryption format is implied and not accepted as an option in
179 # that case.
180 encryption_opts += [
181 '-o', f"{prefix}format={dest_encryption['format']}"
182 ]
183 # Supported luks options:
184 # cipher-alg=<str> - Name of cipher algorithm and
185 # key length
186 # cipher-mode=<str> - Name of encryption cipher mode
187 # hash-alg=<str> - Name of hash algorithm to use
188 # for PBKDF
189 # iter-time=<num> - Time to spend in PBKDF in
190 # milliseconds
191 # ivgen-alg=<str> - Name of IV generator algorithm
192 # ivgen-hash-alg=<str> - Name of IV generator hash
193 # algorithm
194 #
195 # NOTE(melwitt): Sensible defaults (that match the qemu
196 # defaults) are hardcoded at this time for simplicity and
197 # consistency when instances are migrated. Configuration of
198 # luks options could be added in a future release.
199 encryption_options = {
200 'cipher-alg': 'aes-256',
201 'cipher-mode': 'xts',
202 'hash-alg': 'sha256',
203 'iter-time': 2000,
204 'ivgen-alg': 'plain64',
205 'ivgen-hash-alg': 'sha256',
206 }
207 for option, value in encryption_options.items():
208 encryption_opts += [
209 '-o', f'{prefix}{option}={value}',
210 ]
212 if src_encryption or dest_encryption:
213 cmd += encryption_opts
215 # If the source is not encrypted, it's passed as a positional argument.
216 if not src_encryption:
217 cmd += [source]
219 processutils.execute(*cmd + [dest])
222@nova.privsep.sys_admin_pctxt.entrypoint
223def privileged_qemu_img_info(path, format=None):
224 """Return an object containing the parsed output from qemu-img info
226 This is a privileged call to qemu-img info using the sys_admin_pctxt
227 entrypoint allowing host block devices etc to be accessed.
228 """
229 return unprivileged_qemu_img_info(path, format=format)
232def unprivileged_qemu_img_info(path, format=None):
233 """Return an object containing the parsed output from qemu-img info."""
234 try:
235 # The following check is about ploop images that reside within
236 # directories and always have DiskDescriptor.xml file beside them
237 if (os.path.isdir(path) and 237 ↛ 239line 237 didn't jump to line 239 because the condition on line 237 was never true
238 os.path.exists(os.path.join(path, "DiskDescriptor.xml"))):
239 path = os.path.join(path, "root.hds")
241 cmd = [
242 'env', 'LC_ALL=C', 'LANG=C', 'qemu-img', 'info', path,
243 '--force-share', '--output=json',
244 ]
245 if format is not None:
246 cmd = cmd + ['-f', format]
247 out, err = processutils.execute(*cmd, prlimit=QEMU_IMG_LIMITS)
248 except processutils.ProcessExecutionError as exp:
249 if exp.exit_code == -9:
250 # this means we hit prlimits, make the exception more specific
251 msg = (_("qemu-img aborted by prlimits when inspecting "
252 "%(path)s : %(exp)s") % {'path': path, 'exp': exp})
253 elif exp.exit_code == 1 and 'No such file or directory' in exp.stderr: 253 ↛ 259line 253 didn't jump to line 259 because the condition on line 253 was always true
254 # The os.path.exists check above can race so this is a simple
255 # best effort at catching that type of failure and raising a more
256 # specific error.
257 raise exception.DiskNotFound(location=path)
258 else:
259 msg = (_("qemu-img failed to execute on %(path)s : %(exp)s") %
260 {'path': path, 'exp': exp})
261 raise exception.InvalidDiskInfo(reason=msg)
263 if not out: 263 ↛ 264line 263 didn't jump to line 264 because the condition on line 263 was never true
264 msg = (_("Failed to run qemu-img info on %(path)s : %(error)s") %
265 {'path': path, 'error': err})
266 raise exception.InvalidDiskInfo(reason=msg)
267 return out