Re: [Qemu-devel] Minutes of KVM Forum BoF on deprecating stuff

[John Snow]

On 10/26/2018 10:22 AM, Daniel P. Berrangé wrote:
> 
> On Fri, Oct 26, 2018 at 04:03:51PM +0200, Markus Armbruster wrote:
>> This is from my (imperfect) notes, corrections welcome.
>>
>> Motivation: QEMU contains stuff of dubious value, which gets in the way
>> in various (sometimes painful and expensive) ways.
>>
>> Deprecation is the marking of an external interface as "we intend to
>> remove this, you should stop using it" (preferably with advice on what
>> to use instead).  We have a deprecation policy to guide us through this
>> process.
> 
> 
> Something I meant to bring up but forgot is about the classification
> of devices, especially with a view towards security. It is not directly
> about deprecation, but it is somewhat related as it is related  to the
> state of maintainence and quality level
> 
> We've got alot of devices, but only a subset are written and maintained
> to a level where we'd consider them robust wrt malcious guests. Other
> devices are only suitable for friendly guest environments. We should
> clearly document which are the devices that we consider to provide
> a secure boundary to guests, so users can make suitably informed choices.
> I'd guess this means all virtio devices, and then few of the emulated
> devices that are commonly used & maintained in a KVM environment.
> 
> This would be useful for distros/vendors/users who wish to limit their
> potential attack surface once we have a KConfig system for fine grained
> disablement of features.
> 

It would be really helpful to describe which devices receive which kind
of support.

At the highest tier of support, we offer some kind of guarantee: this
device is secure (as far as we know), and will receive CVE patches promptly.

At the next tier of support, we expect that the device works, but it may
be best-effort.

At the lowest tier, the devices are experimental and absolutely should
not show up in a production environment.

Of course, RHEL's configuration has made some assessments as to what's
safe and what isn't -- but this information isn't reflected here in our
upstream configuration.

It would be nice to effectively convert everything over to qdev, make
the support level a metadata construct, and even allow configurations
like ./configure --enterprise-devices-only that disable the ability to
load or interface with anything we don't promise support for.

>> Topics we covered, reordered for readability:
>>
>> * Dropping features inconveniences their users.  Keeping them impedes
>>   forward movement, and thus inconveniences other users.  We need to
>>   engage with the tradeoffs.
>>
>> * The cost of keeping both old and new for a deprecation grace period
>>   (currently two releases) can be painfully high.  Tradeoff again.
>>   However, there's rough consensus not to mess with the deprecation
>>   policy right now.
>>
>> * When something has been broken for the customary deprecation grace
>>   period, removing it without going through the deprecation process
>>   should be okay.
>>
>> * We may have to deprecate interfaces, but we may also have a need to
>>   deprecate guarantees interfaces provide.  Worse when the guarantees
>>   are tacit.  No good answers.  Let's attack less thorny problems first.
>>
>> * One obvious class of candidates for removal is machines we don't know
>>   how to boot, or can't boot, say because we lack required firmware
>>   and/or OS.
>>
>>   Of course, "can boot" should be an automated test.  As a first step
>>   towards that, we should at least document how to boot each machine.
>>   We're going to ask machine maintainers to do that.
>>
>> * We need to communicate "you're using something that is deprecated".
>>   How?  Right now, we print a deprecation message.  Okay when humans use
>>   QEMU directly in a shell.  However, when QEMU sits at the bottom of a
>>   software stack, the message will likely end up in a log file that is
>>   effectively write-only.
>>  
>>   - The one way to get people read log files is crashing their
>>     application.  A command line option --future could make QEMU crash
>>     right after printing a deprecation message.  This could help with
>>     finding use of deprecated features in a testing environment.
>>
>>   - A less destructive way to grab people's attention is to make things
>>     run really, really slow: have QEMU go to sleep for a while after
>>     printing a deprecation message.
>>     
>>   - We can also pass the buck to the next layer up: emit a QMP event.
>>
>>     Sadly, by the time the next layer connects to QMP, plenty of stuff
>>     already happened.  We'd have to buffer deprecation events somehow.
>>
>>     What would libvirt do with such an event?  Log it, taint the domain,
>>     emit a (libvirt) event to pass it on to the next layer up.
>>
>>   - A completely different idea is to have a configuratin linter.  To
>>     support doing this at the libvirt level, QEMU could expose "is
>>     deprecated" in interface introspection.  Feels feasible for QMP,
>>     where we already have sufficiently expressive introspection.  For
>>     CLI, we'd first have to provide that (but we want that anyway).
>>
>>   - We might also want to dispay deprecation messages in QEMU's GUI
>>     somehow, or on serial consoles.
> 
> Regards,
> Daniel
>