qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso

Bug #453441 reported by Dustin Kirkland 
Affects             Status         Importance   Assigned to       Milestone
qemu-kvm (Ubuntu)   Fix Released   Wishlist     Dustin Kirkland
Karmic              Fix Released   Wishlist     Dustin Kirkland

Bug Description

Binary package hint: qemu-kvm

qemu-kvm has the ability to boot off of a remote, http iso.

This is really, really useful, particularly when testing daily ISOs, or from a system like my laptop with a small SSD hard drive.

All we need to do to enable this is to build-depend on libcurl4-gnutls-dev.

:-Dustin

===========================
SRU Justification

This is truly a wishlist item, but absolutely trivial to fix, and very high impact. This should significantly improve our developers', testers', and users' abilities to test ISOs during the Lucid cycle. We simply need to build-depend on a curl library. This will enable kvm to actually boot using -cdrom http://remote.host/path/to/image.iso, streaming the ISO over a network connection. The impact is tremendous. On systems with relatively small hard disks (SSDs, e.g.), it can be very beneficial to save some disk space and stream ISOs. This should in no way affect any other functionality. The risk of regression should be negligible.

TEST CASE:
 * kvm -m 512 -cdrom http://mirrors.kernel.org/ubuntu-releases/8.04.3/ubuntu-8.04.3-desktop-amd64.iso
Should boot to the graphical desktop. (Actually, you can stop if you see the bootloader screen.)
===========================
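
A check a reviewer of this SRU could run against the source package, as an added example (not part of the original report or the uploaded patch): it unfolds the Build-Depends field of debian/control and reports whether a libcurl -dev package is declared. The sample control stanza is constructed; only libcurl4-gnutls-dev comes from the report.

```shell
#!/bin/sh
# Print the Build-Depends field of a debian/control file on one line.
# Folded continuation lines start with a space or tab; '#' lines are comments.
build_depends() {
    awk '
        /^#/ { next }
        /^Build-Depends:/ { infield = 1; sub(/^Build-Depends:[ \t]*/, "")
                            printf "%s", $0; next }
        infield && /^[ \t]/ { sub(/^[ \t]+/, ""); printf " %s", $0; next }
        infield { exit }
        END { print "" }
    ' "$1"
}

# Succeed if any entry is a libcurl development package, after splitting
# on ',' and '|' and stripping version, architecture and profile qualifiers.
has_libcurl_build_dep() {
    build_depends "$1" \
        | tr ',|' '\n\n' \
        | sed -e 's/[[(<].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -Eq '^libcurl[0-9a-z-]*-dev$'
}

# Constructed sample control stanza; only libcurl4-gnutls-dev is taken from
# the report, the other package names and versions are illustrative.
sample_control() {   # $1 = before | after
    printf 'Source: qemu-kvm\nSection: misc\n'
    printf 'Build-Depends: debhelper (>= 7), zlib1g-dev,\n'
    printf '# a comment inside the folded field\n'
    printf ' libsdl1.2-dev | libsdl-dev,\n'
    if [ "$1" = after ]; then
        printf ' libcurl4-gnutls-dev (>= 7.19) [amd64 i386],\n'
    fi
    printf ' uuid-dev\nStandards-Version: 3.8.3\n'
}

tmp=$(mktemp -d)
for state in before after; do
    sample_control "$state" > "$tmp/control.$state"
    if has_libcurl_build_dep "$tmp/control.$state"; then
        echo "$state: libcurl build-dependency declared"
    else
        echo "$state: no libcurl build-dependency, http:// ISO boot not enabled"
    fi
done
rm -rf "$tmp"
```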

Changed in qemu-kvm (Ubuntu):
status: New → In Progress
importance: Undecided → Wishlist
assignee: nobody → Dustin Kirkland (kirkland)
Changed in qemu-kvm (Ubuntu):
milestone: none → karmic-updates
Dustin Kirkland  (kirkland) wrote :

Patch attached for SRU review. I will upload it with 2 other bugs.

:-Dustin

description: updated
Changed in qemu-kvm (Ubuntu Karmic):
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

This is a new feature which hasn't been in Ubuntu before. How much was this tested? Was there ever a review about potential security issues? Does it change the default behaviour in any way?

Dustin Kirkland  (kirkland) wrote : Re: [Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso

On Thu, Oct 29, 2009 at 1:39 PM, Martin Pitt <email address hidden> wrote:
> This is a new feature which hasn't been in Ubuntu before. How much was
> this tested?

I have run this extensively myself. The kvm I generally run on my own
hardware is a kvm that I build myself. I have that library on my
system and in my chroots, so the build of kvm that I've been using has
had it for a while now. I use it extensively, as I boot from ISOs on
my mirror over my local gigabit network all the time. Saves a lot of
disk space on my local system.

That said, I didn't notice that this was missing from the official
deb's until very late into Karmic RC, so I didn't upload it.

> Was there ever a review about potential security issues?

Not that I know of.

> Does it change the default behaviour in any way?

Default behavior -- no. I think the risk of regression is very, very,
very low. Most users will never boot from a remote ISO, so they'll
never see this. If they do, and for some reason it doesn't work, then
they're no worse off than they were before (not being able to boot
from an ISO url).

I think the upshot is very valuable. Many people (including Ubuntu
developers) will continue using Karmic to develop Lucid. It would be
very nice, this cycle, to be able to boot VMs in this way, using an
http/ftp style URL.

If you're really opposed to this, I suppose that we could just push it
to -backports. That's okay, I guess. I simply added it to this SRU
since I was fixing/uploading anyway, and the advantage is very nice.

Thanks for the careful look, Martin.

:-Dustin

Martin Pitt (pitti) wrote :

Accepted qemu-kvm into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Dustin Kirkland  (kirkland) wrote :

Martin, I've tested the package in karmic-proposed. Verifying this one is *very* easy. I would appreciate it if someone else would try the instructions in the description.

:-Dustin

description: updated
Tim McIntyre (salfordfred) wrote :

Tested this as per the test case above using qemu-kvm 0.11.0-0ubuntu6.3 from karmic-proposed.

The test case works for me; within seconds I am greeted with the Ubuntu installer menu. Please advise if you require further information.

Regards

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu-kvm - 0.11.0-0ubuntu6.3

---------------
qemu-kvm (0.11.0-0ubuntu6.3) karmic-security; urgency=low

  * SECURITY UPDATE: linux <= 2.6.25 guests (e.g. hardy) with virtio
    networking are subject to DoS by qemu-kvm application crash;
    the crash can be remotely triggered by a malicious user flooding any
    open network port (LP: #458521)
    - debian/patches/12_whitelist_host_virtio_networking_features.patch:
      fix accounting of virtio networking features available to make
      available to the guests
    - CVE-2009-XXXX
  * debian/kvm-ok: check for other common reasons why KVM might not be
    usable, LP: #452323
  * debian/control: build-depend on libcurl devel, to allow booting from
    ISOs over http, LP: #453441

 -- Dustin Kirkland <email address hidden> Thu, 29 Oct 2009 11:36:18 -0500

Changed in qemu-kvm (Ubuntu Karmic):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Copied karmic-proposed to lucid.

Changed in qemu-kvm (Ubuntu):
status: In Progress → Fix Released
Changed in qemu-kvm (Ubuntu Karmic):
status: Fix Released → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu-kvm - 0.11.0-0ubuntu6.3

Changed in qemu-kvm (Ubuntu Karmic):
status: Fix Committed → Fix Released