On Wed, Jul 11, 2018 at 02:17:18PM +0300, Adam Litke wrote: > Adding some kubevirt developers to the thread. Thanks guys for the > information! I think this could work perfectly for on the fly conversion > of qcow2 images to raw format on our PVCs.
FYI if you are intending to accept qcow2 images from untrustworthy sources you must take special care to validate the image in a confined environment. It is possible to construct malicious images that inflict a denial of service attack on CPU or memory or both, even when merely opening the image to query its metadata. This has been reported as a CVE against OpenStack in the past: https://bugs.launchpad.net/ossa/+bug/1449062 Recommendation is to run 'qemu-img info' to extract the metadata and sanity check results eg no backing file list, not unreasonable size, etc. When running 'qemu-img info' apply process limits of 30 secs CPU time, and 1 GB address space. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|