2016527 – Use nbdkit plugins for handling http/https and ssh disk sources

This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2016527 - Use nbdkit plugins for handling http/https and ssh disk sources

Summary: Use nbdkit plugins for handling http/https and ssh disk sources

Keywords:
Status:	CLOSED MIGRATED
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	9.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jonathon Jongsma
QA Contact:	Han Han
Docs Contact:
URL:
Whiteboard:
Depends On:	2021154 2176939 2182505
Blocks:
TreeView+	depends on / blocked

Reported:	2021-10-21 19:11 UTC by Jonathon Jongsma
Modified:	2023-09-23 17:56 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-09-22 16:36:39 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHEL-7384	0	None	Migrated	None	2023-09-22 16:36:33 UTC
Red Hat Issue Tracker	RHELPLAN-100544	0	None	None	None	2021-10-21 19:14:50 UTC

Description Jonathon Jongsma 2021-10-21 19:11:50 UTC

Up until now, qemu-kvm has had a dependency on the qemu-block-curl plugin, which allows qemu guests to use http/https network locations as a disk source. However, in rhel 9, this dependency is being removed from qemu-kvm, which results in issues such as bug #2014229. 

The long-term solution is to switch to using the more featureful and maintained nbdkit curl plugin (https://libguestfs.org/nbdkit-curl-plugin.1.html) within libvirt. 

From an email from Rich:

It would need to instead run an nbdkit subprocess first, eg:

  nbdkit -U /tmp/randomly-named-sock --exit-with-parent -f -r \
         --pidfile /tmp/randomly-named-file \
         curl http://foo protocols=http,https,ftp,ftps &

  # wait for pidfile to get created

  # pass nbd:unix:/tmp/randomly-named-sock as qemu parameter
  # or:
  #   <disk type='network' device='disk'>
  #     <driver name='qemu'/>
  #     <source protocol='nbd'>
  #       <host transport='unix' socket='/tmp/randomly-named-sock'/>
  #     </source>
  #     <target dev='vda' bus='virtio'/>
  #   </disk>

  # wait for qemu then:
  kill `cat /tmp/randomly-named-file`
  rm /tmp/randomly-named-sock

(or nbdkit will clean itself up because of --exit-with-parent)

Comment 1 Richard W.M. Jones 2021-10-21 19:53:32 UTC

Is this going to be transparent in terms of libvirt XML, or
do we plan to model this through the XML?  In other words
would we just want to transparently change the implementation of:

  <disk type='network'>
    <source protocol="https" name="url_path">
  ...

or would we model it like:

  <disk type='network'>
    <source protocol="external">
      <program>nbdkit</program>
      <args>...

(or however that would work)

Comment 2 Peter Krempa 2021-10-25 08:44:38 UTC

(In reply to Richard W.M. Jones from comment #1)
> Is this going to be transparent in terms of libvirt XML, or
> do we plan to model this through the XML?  In other words
> would we just want to transparently change the implementation of:
> 
>   <disk type='network'>
>     <source protocol="https" name="url_path">
>   ...

If we want to transparently fix the issue of the curl driver being removed from qemu we need to switch to nbdkit when it's not present with identical configuration. Otherwise the higher level APP would need to change their behaviour to ...

 
> or would we model it like:
> 
>   <disk type='network'>
>     <source protocol="external">
>       <program>nbdkit</program>
>       <args>...
> 
> (or however that would work)

... use this new XML.

It would make sense to start nbdkit separately, but generally we try to avoid giving the user the ability to specify arbitrary arguments for a program as it doesn't give us a chance to abstract changes in the helper program. In this instance the only thing the user will get is security isolation.

Comment 3 Richard W.M. Jones 2021-10-25 08:52:52 UTC

Sure thing, I agree.  By the way if the nbdkit support is generic enough
then it could be used to enable VDDK support using nbdkit-vddk-plugin, eg:

  <disk type='network'>
    <source protocol="vddk" file="[datastore1] Fedora/Fedora.vmdk">
      <host name="esxi"/>
      <auth username='root'/>
      <libdir>/opt/vmware-vix-disklib-distrib</libdir>
    </source>
   ...
  </disk>

https://libguestfs.org/nbdkit-vddk-plugin.1.html

Comment 4 Jonathon Jongsma 2021-10-28 17:10:25 UTC

So, Rich's comment makes me wonder -- are http and https the only protocols we are currently planning to move up to the libvirt level? Or will there be more dependencies removed from qemu-kvm that will cause similar issues for other protocols (e.g. ssh, etc)?

Comment 5 Richard W.M. Jones 2021-10-28 17:20:03 UTC

ssh is likely too IMHO.  We've spent less time on nbdkit-ssh-plugin,
but it is still slightly more featureful than the qemu driver, and
because of (low) performance characteristics makes sense to move out
of qemu too.

Comment 6 Jonathon Jongsma 2021-10-28 18:43:37 UTC

oh, indeed the ssh plugin was actually removed as a dependency from qemu in rhel 9 as well, I thought it was only curl so far. Updating title.

Comment 7 Miroslav Rezanina 2021-11-03 09:42:59 UTC

(In reply to Jonathon Jongsma from comment #4)
> So, Rich's comment makes me wonder -- are http and https the only protocols
> we are currently planning to move up to the libvirt level? Or will there be
> more dependencies removed from qemu-kvm that will cause similar issues for
> other protocols (e.g. ssh, etc)?

Yes, curl and ssh protocols are now optional (not required by qemu-kvm).

Comment 8 Kevin Wolf 2022-09-06 14:16:48 UTC

(In reply to Richard W.M. Jones from comment #3)
> Sure thing, I agree.  By the way if the nbdkit support is generic enough
> then it could be used to enable VDDK support using nbdkit-vddk-plugin

The more generic support sounds like something that could maybe supported by the future XML syntax that enables using a storage daemon, because nbdkit essentially just functions as a limited storage daemon in this case. Limited because it doesn't have QMP or anything like that, so I suppose certain features like storage migration or taking snapshots might not be possible when it's used.

@pkrempa This sounds like something to discuss in our planned storage daemon meeting.

Comment 9 Richard W.M. Jones 2022-09-06 15:03:31 UTC

The direct answer to how to do snapshotting (etc) is that you'd do it
in exactly the same way as snapshotting any NBD device, ie. qemu or q-s-d
does it.  It's entirely conceivable that q-s-d would be involved here.

The point of this change is to deal with 3 or 4 different problems:

(1a) Some drivers in qemu are not really maintained (eg. ssh), and the
nbdkit equivalent is both maintained and far more featureful.

(1b) nbdkit-curl-plugin is also much more featureful, and in particular
can do cookie and header renewal which is essential for accessing
certain non-public webservices like docker registries.

(2) Some drivers cannot be in qemu for licensing reasons (eg. vddk).

(3) Some drivers cannot be in qemu for technical reasons
(eg. vddk because it requires a re-exec(2) to reinitialize the
process, the imageio driver which is written in Python).

(4) We'd like to apply fine-grained SELinux policies per block driver.

Comment 10 Kevin Wolf 2022-09-07 09:40:13 UTC

(In reply to Richard W.M. Jones from comment #9)
> The direct answer to how to do snapshotting (etc) is that you'd do it
> in exactly the same way as snapshotting any NBD device, ie. qemu or q-s-d
> does it.  It's entirely conceivable that q-s-d would be involved here.

Right, so libvirt may need to support one storage daemon (nbdkit) serving another storage daemon (qsd), and also accessing the external process not for a whole disk image, but just for a backing file. That's a pretty important data point when designing how libvirt manages things.

> (1a) Some drivers in qemu are not really maintained (eg. ssh), and the
> nbdkit equivalent is both maintained and far more featureful.

It's indeed a sad truth that we decided to duplicate some efforts with nbdkit, inevitably leading to one implementation being less actively maintained than the other. But what you're using it for is not really relevant for the point I was making, which is about a generic way to use storage daemons (potentially including nbdkit) from libvirt.

Comment 12 Jaroslav Suchanek 2022-12-19 09:30:54 UTC

v3 on the list,
https://listman.redhat.com/archives/libvir-list/2022-October/235052.html

Comment 14 RHEL Program Management 2023-09-22 16:35:08 UTC

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 15 RHEL Program Management 2023-09-22 16:36:39 UTC

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

Note You need to log in before you can comment on or make changes to this bug.