1QEMU-IMG.1(1) QEMU-IMG.1(1)
2
6 qemu-img - QEMU disk image utility
7
9 qemu-img [standard options] command [command options]
10
12 qemu-img allows you to create, convert and modify images offline. It
13 can handle all image formats supported by QEMU.
14 Warning: Never use qemu-img to modify images in use by a running
16 virtual machine or any other process; this may destroy the image. Also,
17 be aware that querying an image that is being modified by another
18 process may encounter inconsistent state.
19
21 Standard options:
22 -h, --help
24 Display this help and exit
25 -V, --version
27 Display version information and exit
28 -T, --trace [[enable=]pattern][,events=file][,file=file]
30 Specify tracing options.
31 [enable=]pattern
33 Immediately enable events matching pattern (either event name
34 or a globbing pattern). This option is only available if QEMU
35 has been compiled with the simple, log or ftrace tracing
36 backend. To specify multiple events or patterns, specify the
37 -trace option multiple times.
38 Use "-trace help" to print a list of names of trace points.
40 events=file
42 Immediately enable events listed in file. The file must
43 contain one event name (as listed in the trace-events-all file)
44 per line; globbing patterns are accepted too. This option is
45 only available if QEMU has been compiled with the simple, log
46 or ftrace tracing backend.
47 file=file
49 Log output traces to file. This option is only available if
50 QEMU has been compiled with the simple tracing backend.
51 The following commands are supported:
53 amend [--object objectdef] [--image-opts] [-p] [-q] [-f fmt] [-t cache]
55 -o options filename
56 bench [-c count] [-d depth] [-f fmt] [--flush-interval=flush_interval]
57 [-n] [--no-drain] [-o offset] [--pattern=pattern] [-q] [-s buffer_size]
58 [-S step_size] [-t cache] [-w] [-U] filename
59 check [--object objectdef] [--image-opts] [-q] [-f fmt] [--output=ofmt]
60 [-r [leaks | all]] [-T src_cache] [-U] filename
61 commit [--object objectdef] [--image-opts] [-q] [-f fmt] [-t cache] [-b
62 base] [-d] [-p] filename
63 compare [--object objectdef] [--image-opts] [-f fmt] [-F fmt] [-T
64 src_cache] [-p] [-q] [-s] [-U] filename1 filename2
65 convert [--object objectdef] [--image-opts] [--target-image-opts] [-U]
66 [-c] [-p] [-q] [-n] [-f fmt] [-t cache] [-T src_cache] [-O output_fmt]
67 [-B backing_file] [-o options] [-l snapshot_param] [-S sparse_size] [-m
68 num_coroutines] [-W] filename [filename2 [...]] output_filename
69 create [--object objectdef] [-q] [-f fmt] [-b backing_file] [-F
70 backing_fmt] [-u] [-o options] filename [size]
71 dd [--image-opts] [-U] [-f fmt] [-O output_fmt] [bs=block_size]
72 [count=blocks] [skip=blocks] if=input of=output
73 info [--object objectdef] [--image-opts] [-f fmt] [--output=ofmt]
74 [--backing-chain] [-U] filename
75 map [--object objectdef] [--image-opts] [-f fmt] [--output=ofmt] [-U]
76 filename
77 measure [--output=ofmt] [-O output_fmt] [-o options] [--size N |
78 [--object objectdef] [--image-opts] [-f fmt] [-l snapshot_param]
79 filename]
80 snapshot [--object objectdef] [--image-opts] [-U] [-q] [-l | -a
81 snapshot | -c snapshot | -d snapshot] filename
82 rebase [--object objectdef] [--image-opts] [-U] [-q] [-f fmt] [-t
83 cache] [-T src_cache] [-p] [-u] -b backing_file [-F backing_fmt]
84 filename
85 resize [--object objectdef] [--image-opts] [-f fmt]
86 [--preallocation=prealloc] [-q] [--shrink] filename [+ | -]size
87 Command parameters:
89 filename
91 is a disk image filename
92 fmt is the disk image format. It is guessed automatically in most
94 cases. See below for a description of the supported disk formats.
95 size
97 is the disk image size in bytes. Optional suffixes "k" or "K"
98 (kilobyte, 1024) "M" (megabyte, 1024k) and "G" (gigabyte, 1024M)
99 and T (terabyte, 1024G) are supported. "b" is ignored.
100 output_filename
102 is the destination disk image filename
103 output_fmt
105 is the destination format
106 options
108 is a comma separated list of format specific options in a
109 name=value format. Use "-o ?" for an overview of the options
110 supported by the used format or see the format descriptions below
111 for details.
112 snapshot_param
114 is param used for internal snapshot, format is
115 'snapshot.id=[ID],snapshot.name=[NAME]' or '[ID_OR_NAME]'
116 --object objectdef
118 is a QEMU user creatable object definition. See the qemu(1) manual
119 page for a description of the object properties. The most common
120 object type is a "secret", which is used to supply passwords and/or
121 encryption keys.
122 --image-opts
124 Indicates that the source filename parameter is to be interpreted
125 as a full option string, not a plain filename. This parameter is
126 mutually exclusive with the -f parameter.
127 --target-image-opts
129 Indicates that the output_filename parameter(s) are to be
130 interpreted as a full option string, not a plain filename. This
131 parameter is mutually exclusive with the -O parameters. It is
132 currently required to also use the -n parameter to skip image
133 creation. This restriction may be relaxed in a future release.
134 --force-share (-U)
136 If specified, "qemu-img" will open the image in shared mode,
137 allowing other QEMU processes to open it in write mode. For
138 example, this can be used to get the image information (with 'info'
139 subcommand) when the image is used by a running guest. Note that
140 this could produce inconsistent results because of concurrent
141 metadata changes, etc. This option is only allowed when opening
142 images in read-only mode.
143 --backing-chain
145 will enumerate information about backing files in a disk image
146 chain. Refer below for further description.
147 -c indicates that target image must be compressed (qcow format only)
149 -h with or without a command shows help and lists the supported
151 formats
152 -p display progress bar (compare, convert and rebase commands only).
154 If the -p option is not used for a command that supports it, the
155 progress is reported when the process receives a "SIGUSR1" or
156 "SIGINFO" signal.
157 -q Quiet mode - do not print any output (except errors). There's no
159 progress bar in case both -q and -p options are used.
160 -S size
162 indicates the consecutive number of bytes that must contain only
163 zeros for qemu-img to create a sparse image during conversion. This
164 value is rounded down to the nearest 512 bytes. You may use the
165 common size suffixes like "k" for kilobytes.
166 -t cache
168 specifies the cache mode that should be used with the (destination)
169 file. See the documentation of the emulator's "-drive cache=..."
170 option for allowed values.
171 -T src_cache
173 specifies the cache mode that should be used with the source
174 file(s). See the documentation of the emulator's "-drive cache=..."
175 option for allowed values.
176 Parameters to snapshot subcommand:
178 snapshot
180 is the name of the snapshot to create, apply or delete
181 -a applies a snapshot (revert disk to saved state)
183 -c creates a snapshot
185 -d deletes a snapshot
187 -l lists all snapshots in the given image
189 Parameters to compare subcommand:
191 -f First image format
193 -F Second image format
195 -s Strict mode - fail on different image size or sector allocation
197 Parameters to convert subcommand:
199 -n Skip the creation of the target volume
201 -m Number of parallel coroutines for the convert process
203 -W Allow out-of-order writes to the destination. This option improves
205 performance, but is only recommended for preallocated devices like
206 host devices or other raw block devices.
207 -C Try to use copy offloading to move data from source image to
209 target. This may improve performance if the data is remote, such as
210 with NFS or iSCSI backends, but will not automatically sparsify
211 zero sectors, and may result in a fully allocated target image
212 depending on the host support for getting allocation information.
213 Parameters to dd subcommand:
215 bs=block_size
217 defines the block size
218 count=blocks
220 sets the number of input blocks to copy
221 if=input
223 sets the input file
224 of=output
226 sets the output file
227 skip=blocks
229 sets the number of input blocks to skip
230 Command description:
232 amend [--object objectdef] [--image-opts] [-p] [-p] [-f fmt] [-t cache]
234 -o options filename
235 Amends the image format specific options for the image file
236 filename. Not all file formats support this operation.
237 bench [-c count] [-d depth] [-f fmt] [--flush-interval=flush_interval]
239 [-n] [--no-drain] [-o offset] [--pattern=pattern] [-q] [-s buffer_size]
240 [-S step_size] [-t cache] [-w] [-U] filename
241 Run a simple sequential I/O benchmark on the specified image. If
242 "-w" is specified, a write test is performed, otherwise a read test
243 is performed.
244 A total number of count I/O requests is performed, each buffer_size
246 bytes in size, and with depth requests in parallel. The first
247 request starts at the position given by offset, each following
248 request increases the current position by step_size. If step_size
249 is not given, buffer_size is used for its value.
250 If flush_interval is specified for a write test, the request queue
252 is drained and a flush is issued before new writes are made
253 whenever the number of remaining requests is a multiple of
254 flush_interval. If additionally "--no-drain" is specified, a flush
255 is issued without draining the request queue first.
256 If "-n" is specified, the native AIO backend is used if possible.
258 On Linux, this option only works if "-t none" or "-t directsync" is
259 specified as well.
260 For write tests, by default a buffer filled with zeros is written.
262 This can be overridden with a pattern byte specified by pattern.
263 check [--object objectdef] [--image-opts] [-q] [-f fmt] [--output=ofmt]
265 [-r [leaks | all]] [-T src_cache] [-U] filename
266 Perform a consistency check on the disk image filename. The command
267 can output in the format ofmt which is either "human" or "json".
268 If "-r" is specified, qemu-img tries to repair any inconsistencies
270 found during the check. "-r leaks" repairs only cluster leaks,
271 whereas "-r all" fixes all kinds of errors, with a higher risk of
272 choosing the wrong fix or hiding corruption that has already
273 occurred.
274 Only the formats "qcow2", "qed" and "vdi" support consistency
276 checks.
277 In case the image does not have any inconsistencies, check exits
279 with 0. Other exit codes indicate the kind of inconsistency found
280 or if another error occurred. The following table summarizes all
281 exit codes of the check subcommand:
282 0 Check completed, the image is (now) consistent
284 1 Check not completed because of internal errors
286 2 Check completed, image is corrupted
288 3 Check completed, image has leaked clusters, but is not
290 corrupted
291 63 Checks are not supported by the image format
293 If "-r" is specified, exit codes representing the image state refer
295 to the state after (the attempt at) repairing it. That is, a
296 successful "-r all" will yield the exit code 0, independently of
297 the image state before.
298 commit [--object objectdef] [--image-opts] [-q] [-f fmt] [-t cache] [-b
300 base] [-d] [-p] filename
301 Commit the changes recorded in filename in its base image or
302 backing file. If the backing file is smaller than the snapshot,
303 then the backing file will be resized to be the same size as the
304 snapshot. If the snapshot is smaller than the backing file, the
305 backing file will not be truncated. If you want the backing file
306 to match the size of the smaller snapshot, you can safely truncate
307 it yourself once the commit operation successfully completes.
308 The image filename is emptied after the operation has succeeded. If
310 you do not need filename afterwards and intend to drop it, you may
311 skip emptying filename by specifying the "-d" flag.
312 If the backing chain of the given image file filename has more than
314 one layer, the backing file into which the changes will be
315 committed may be specified as base (which has to be part of
316 filename's backing chain). If base is not specified, the immediate
317 backing file of the top image (which is filename) will be used.
318 Note that after a commit operation all images between base and the
319 top image will be invalid and may return garbage data when read.
320 For this reason, "-b" implies "-d" (so that the top image stays
321 valid).
322 compare [--object objectdef] [--image-opts] [-f fmt] [-F fmt] [-T
324 src_cache] [-p] [-q] [-s] [-U] filename1 filename2
325 Check if two images have the same content. You can compare images
326 with different format or settings.
327 The format is probed unless you specify it by -f (used for
329 filename1) and/or -F (used for filename2) option.
330 By default, images with different size are considered identical if
332 the larger image contains only unallocated and/or zeroed sectors in
333 the area after the end of the other image. In addition, if any
334 sector is not allocated in one image and contains only zero bytes
335 in the second one, it is evaluated as equal. You can use Strict
336 mode by specifying the -s option. When compare runs in Strict mode,
337 it fails in case image size differs or a sector is allocated in one
338 image and is not allocated in the second one.
339 By default, compare prints out a result message. This message
341 displays information that both images are same or the position of
342 the first different byte. In addition, result message can report
343 different image size in case Strict mode is used.
344 Compare exits with 0 in case the images are equal and with 1 in
346 case the images differ. Other exit codes mean an error occurred
347 during execution and standard error output should contain an error
348 message. The following table sumarizes all exit codes of the
349 compare subcommand:
350 0 Images are identical
352 1 Images differ
354 2 Error on opening an image
356 3 Error on checking a sector allocation
358 4 Error on reading data
360 convert [--object objectdef] [--image-opts] [--target-image-opts] [-U]
362 [-C] [-c] [-p] [-q] [-n] [-f fmt] [-t cache] [-T src_cache] [-O
363 output_fmt] [-B backing_file] [-o options] [-l snapshot_param] [-S
364 sparse_size] [-m num_coroutines] [-W] filename [filename2 [...]]
365 output_filename
366 Convert the disk image filename or a snapshot snapshot_param to
367 disk image output_filename using format output_fmt. It can be
368 optionally compressed ("-c" option) or use any format specific
369 options like encryption ("-o" option).
370 Only the formats "qcow" and "qcow2" support compression. The
372 compression is read-only. It means that if a compressed sector is
373 rewritten, then it is rewritten as uncompressed data.
374 Image conversion is also useful to get smaller image when using a
376 growable format such as "qcow": the empty sectors are detected and
377 suppressed from the destination image.
378 sparse_size indicates the consecutive number of bytes (defaults to
380 4k) that must contain only zeros for qemu-img to create a sparse
381 image during conversion. If sparse_size is 0, the source will not
382 be scanned for unallocated or zero sectors, and the destination
383 image will always be fully allocated.
384 You can use the backing_file option to force the output image to be
386 created as a copy on write image of the specified base image; the
387 backing_file should have the same content as the input's base
388 image, however the path, image format, etc may differ.
389 If a relative path name is given, the backing file is looked up
391 relative to the directory containing output_filename.
392 If the "-n" option is specified, the target volume creation will be
394 skipped. This is useful for formats such as "rbd" if the target
395 volume has already been created with site specific options that
396 cannot be supplied through qemu-img.
397 Out of order writes can be enabled with "-W" to improve
399 performance. This is only recommended for preallocated devices
400 like host devices or other raw block devices. Out of order write
401 does not work in combination with creating compressed images.
402 num_coroutines specifies how many coroutines work in parallel
404 during the convert process (defaults to 8).
405 create [--object objectdef] [-q] [-f fmt] [-b backing_file] [-F
407 backing_fmt] [-u] [-o options] filename [size]
408 Create the new disk image filename of size size and format fmt.
409 Depending on the file format, you can add one or more options that
410 enable additional features of this format.
411 If the option backing_file is specified, then the image will record
413 only the differences from backing_file. No size needs to be
414 specified in this case. backing_file will never be modified unless
415 you use the "commit" monitor command (or qemu-img commit).
416 If a relative path name is given, the backing file is looked up
418 relative to the directory containing filename.
419 Note that a given backing file will be opened to check that it is
421 valid. Use the "-u" option to enable unsafe backing file mode,
422 which means that the image will be created even if the associated
423 backing file cannot be opened. A matching backing file must be
424 created or additional options be used to make the backing file
425 specification valid when you want to use an image created this way.
426 The size can also be specified using the size option with "-o", it
428 doesn't need to be specified separately in this case.
429 dd [--image-opts] [-U] [-f fmt] [-O output_fmt] [bs=block_size]
431 [count=blocks] [skip=blocks] if=input of=output
432 Dd copies from input file to output file converting it from fmt
433 format to output_fmt format.
434 The data is by default read and written using blocks of 512 bytes
436 but can be modified by specifying block_size. If count=blocks is
437 specified dd will stop reading input after reading blocks input
438 blocks.
439 The size syntax is similar to dd(1)'s size syntax.
441 info [--object objectdef] [--image-opts] [-f fmt] [--output=ofmt]
443 [--backing-chain] [-U] filename
444 Give information about the disk image filename. Use it in
445 particular to know the size reserved on disk which can be different
446 from the displayed size. If VM snapshots are stored in the disk
447 image, they are displayed too. The command can output in the format
448 ofmt which is either "human" or "json".
449 If a disk image has a backing file chain, information about each
451 disk image in the chain can be recursively enumerated by using the
452 option "--backing-chain".
453 For instance, if you have an image chain like:
455 base.qcow2 <- snap1.qcow2 <- snap2.qcow2
457 To enumerate information about each disk image in the above chain,
459 starting from top to base, do:
460 qemu-img info --backing-chain snap2.qcow2
462 map [-f fmt] [--output=ofmt] filename
464 Dump the metadata of image filename and its backing file chain. In
465 particular, this commands dumps the allocation state of every
466 sector of filename, together with the topmost file that allocates
467 it in the backing file chain.
468 Two option formats are possible. The default format ("human") only
470 dumps known-nonzero areas of the file. Known-zero parts of the
471 file are omitted altogether, and likewise for parts that are not
472 allocated throughout the chain. qemu-img output will identify a
473 file from where the data can be read, and the offset in the file.
474 Each line will include four fields, the first three of which are
475 hexadecimal numbers. For example the first line of:
476 Offset Length Mapped to File
478 0 0x20000 0x50000 /tmp/overlay.qcow2
479 0x100000 0x10000 0x95380000 /tmp/backing.qcow2
480 means that 0x20000 (131072) bytes starting at offset 0 in the image
482 are available in /tmp/overlay.qcow2 (opened in "raw" format)
483 starting at offset 0x50000 (327680). Data that is compressed,
484 encrypted, or otherwise not available in raw format will cause an
485 error if "human" format is in use. Note that file names can
486 include newlines, thus it is not safe to parse this output format
487 in scripts.
488 The alternative format "json" will return an array of dictionaries
490 in JSON format. It will include similar information in the
491 "start", "length", "offset" fields; it will also include other more
492 specific information:
493 - whether the sectors contain actual data or not (boolean field
495 "data"; if false, the sectors are either unallocated or stored
496 as optimized all-zero clusters);
497 - whether the data is known to read as zero (boolean field
499 "zero");
500 - in order to make the output shorter, the target file is
502 expressed as a "depth"; for example, a depth of 2 refers to the
503 backing file of the backing file of filename.
504 In JSON format, the "offset" field is optional; it is absent in
506 cases where "human" format would omit the entry or exit with an
507 error. If "data" is false and the "offset" field is present, the
508 corresponding sectors in the file are not yet in use, but they are
509 preallocated.
510 For more information, consult include/block/block.h in QEMU's
512 source code.
513 measure [--output=ofmt] [-O output_fmt] [-o options] [--size N |
515 [--object objectdef] [--image-opts] [-f fmt] [-l snapshot_param]
516 filename]
517 Calculate the file size required for a new image. This information
518 can be used to size logical volumes or SAN LUNs appropriately for
519 the image that will be placed in them. The values reported are
520 guaranteed to be large enough to fit the image. The command can
521 output in the format ofmt which is either "human" or "json".
522 If the size N is given then act as if creating a new empty image
524 file using qemu-img create. If filename is given then act as if
525 converting an existing image file using qemu-img convert. The
526 format of the new file is given by output_fmt while the format of
527 an existing file is given by fmt.
528 A snapshot in an existing image can be specified using
530 snapshot_param.
531 The following fields are reported:
533 required size: 524288
535 fully allocated size: 1074069504
536 The "required size" is the file size of the new image. It may be
538 smaller than the virtual disk size if the image format supports
539 compact representation.
540 The "fully allocated size" is the file size of the new image once
542 data has been written to all sectors. This is the maximum size
543 that the image file can occupy with the exception of internal
544 snapshots, dirty bitmaps, vmstate data, and other advanced image
545 format features.
546 snapshot [--object objectdef] [--image-opts] [-U] [-q] [-l | -a
548 snapshot | -c snapshot | -d snapshot] filename
549 List, apply, create or delete snapshots in image filename.
550 rebase [--object objectdef] [--image-opts] [-U] [-q] [-f fmt] [-t
552 cache] [-T src_cache] [-p] [-u] -b backing_file [-F backing_fmt]
553 filename
554 Changes the backing file of an image. Only the formats "qcow2" and
555 "qed" support changing the backing file.
556 The backing file is changed to backing_file and (if the image
558 format of filename supports this) the backing file format is
559 changed to backing_fmt. If backing_file is specified as "" (the
560 empty string), then the image is rebased onto no backing file (i.e.
561 it will exist independently of any backing file).
562 If a relative path name is given, the backing file is looked up
564 relative to the directory containing filename.
565 cache specifies the cache mode to be used for filename, whereas
567 src_cache specifies the cache mode for reading backing files.
568 There are two different modes in which "rebase" can operate:
570 Safe mode
572 This is the default mode and performs a real rebase operation.
573 The new backing file may differ from the old one and qemu-img
574 rebase will take care of keeping the guest-visible content of
575 filename unchanged.
576 In order to achieve this, any clusters that differ between
578 backing_file and the old backing file of filename are merged
579 into filename before actually changing the backing file.
580 Note that the safe mode is an expensive operation, comparable
582 to converting an image. It only works if the old backing file
583 still exists.
584 Unsafe mode
586 qemu-img uses the unsafe mode if "-u" is specified. In this
587 mode, only the backing file name and format of filename is
588 changed without any checks on the file contents. The user must
589 take care of specifying the correct new backing file, or the
590 guest-visible content of the image will be corrupted.
591 This mode is useful for renaming or moving the backing file to
593 somewhere else. It can be used without an accessible old
594 backing file, i.e. you can use it to fix an image whose backing
595 file has already been moved/renamed.
596 You can use "rebase" to perform a "diff" operation on two disk
598 images. This can be useful when you have copied or cloned a guest,
599 and you want to get back to a thin image on top of a template or
600 base image.
601 Say that "base.img" has been cloned as "modified.img" by copying
603 it, and that the "modified.img" guest has run so there are now some
604 changes compared to "base.img". To construct a thin image called
605 "diff.qcow2" that contains just the differences, do:
606 qemu-img create -f qcow2 -b modified.img diff.qcow2
608 qemu-img rebase -b base.img diff.qcow2
609 At this point, "modified.img" can be discarded, since "base.img +
611 diff.qcow2" contains the same information.
612 resize [--object objectdef] [--image-opts] [-f fmt]
614 [--preallocation=prealloc] [-q] [--shrink] filename [+ | -]size
615 Change the disk image as if it had been created with size.
616 Before using this command to shrink a disk image, you MUST use file
618 system and partitioning tools inside the VM to reduce allocated
619 file systems and partition sizes accordingly. Failure to do so
620 will result in data loss!
621 When shrinking images, the "--shrink" option must be given. This
623 informs qemu-img that the user acknowledges all loss of data beyond
624 the truncated image's end.
625 After using this command to grow a disk image, you must use file
627 system and partitioning tools inside the VM to actually begin using
628 the new space on the device.
629 When growing an image, the "--preallocation" option may be used to
631 specify how the additional image area should be allocated on the
632 host. See the format description in the "NOTES" section which
633 values are allowed. Using this option may result in slightly more
634 data being allocated than necessary.
635
637 Supported image file formats:
638 raw Raw disk image format (default). This format has the advantage of
640 being simple and easily exportable to all other emulators. If your
641 file system supports holes (for example in ext2 or ext3 on Linux or
642 NTFS on Windows), then only the written sectors will reserve space.
643 Use "qemu-img info" to know the real size used by the image or "ls
644 -ls" on Unix/Linux.
645 Supported options:
647 "preallocation"
649 Preallocation mode (allowed values: "off", "falloc", "full").
650 "falloc" mode preallocates space for image by calling
651 posix_fallocate(). "full" mode preallocates space for image by
652 writing zeros to underlying storage.
653 qcow2
655 QEMU image format, the most versatile format. Use it to have
656 smaller images (useful if your filesystem does not supports holes,
657 for example on Windows), optional AES encryption, zlib based
658 compression and support of multiple VM snapshots.
659 Supported options:
661 "compat"
663 Determines the qcow2 version to use. "compat=0.10" uses the
664 traditional image format that can be read by any QEMU since
665 0.10. "compat=1.1" enables image format extensions that only
666 QEMU 1.1 and newer understand (this is the default). Amongst
667 others, this includes zero clusters, which allow efficient
668 copy-on-read for sparse images.
669 "backing_file"
671 File name of a base image (see create subcommand)
672 "backing_fmt"
674 Image format of the base image
675 "encryption"
677 If this option is set to "on", the image is encrypted with
678 128-bit AES-CBC.
679 The use of encryption in qcow and qcow2 images is considered to
681 be flawed by modern cryptography standards, suffering from a
682 number of design problems:
683 - The AES-CBC cipher is used with predictable initialization
685 vectors based on the sector number. This makes it
686 vulnerable to chosen plaintext attacks which can reveal the
687 existence of encrypted data.
688 - The user passphrase is directly used as the encryption key.
690 A poorly chosen or short passphrase will compromise the
691 security of the encryption.
692 - In the event of the passphrase being compromised there is
694 no way to change the passphrase to protect data in any qcow
695 images. The files must be cloned, using a different
696 encryption passphrase in the new file. The original file
697 must then be securely erased using a program like shred,
698 though even this is ineffective with many modern storage
699 technologies.
700 - Initialization vectors used to encrypt sectors are based on
702 the guest virtual sector number, instead of the host
703 physical sector. When a disk image has multiple internal
704 snapshots this means that data in multiple physical sectors
705 is encrypted with the same initialization vector. With the
706 CBC mode, this opens the possibility of watermarking
707 attacks if the attack can collect multiple sectors
708 encrypted with the same IV and some predictable data.
709 Having multiple qcow2 images with the same passphrase also
710 exposes this weakness since the passphrase is directly used
711 as the key.
712 Use of qcow / qcow2 encryption is thus strongly discouraged.
714 Users are recommended to use an alternative encryption
715 technology such as the Linux dm-crypt / LUKS system.
716 "cluster_size"
718 Changes the qcow2 cluster size (must be between 512 and 2M).
719 Smaller cluster sizes can improve the image file size whereas
720 larger cluster sizes generally provide better performance.
721 "preallocation"
723 Preallocation mode (allowed values: "off", "metadata",
724 "falloc", "full"). An image with preallocated metadata is
725 initially larger but can improve performance when the image
726 needs to grow. "falloc" and "full" preallocations are like the
727 same options of "raw" format, but sets up metadata also.
728 "lazy_refcounts"
730 If this option is set to "on", reference count updates are
731 postponed with the goal of avoiding metadata I/O and improving
732 performance. This is particularly interesting with
733 cache=writethrough which doesn't batch metadata updates. The
734 tradeoff is that after a host crash, the reference count tables
735 must be rebuilt, i.e. on the next open an (automatic) "qemu-img
736 check -r all" is required, which may take some time.
737 This option can only be enabled if "compat=1.1" is specified.
739 "nocow"
741 If this option is set to "on", it will turn off COW of the
742 file. It's only valid on btrfs, no effect on other file
743 systems.
744 Btrfs has low performance when hosting a VM image file, even
746 more when the guest on the VM also using btrfs as file system.
747 Turning off COW is a way to mitigate this bad performance.
748 Generally there are two ways to turn off COW on btrfs: a)
749 Disable it by mounting with nodatacow, then all newly created
750 files will be NOCOW. b) For an empty file, add the NOCOW file
751 attribute. That's what this option does.
752 Note: this option is only valid to new or empty files. If there
754 is an existing file which is COW and has data blocks already,
755 it couldn't be changed to NOCOW by setting "nocow=on". One can
756 issue "lsattr filename" to check if the NOCOW flag is set or
757 not (Capital 'C' is NOCOW flag).
758 Other
760 QEMU also supports various other image file formats for
761 compatibility with older QEMU versions or other hypervisors,
762 including VMDK, VDI, VHD (vpc), VHDX, qcow1 and QED. For a full
763 list of supported formats see "qemu-img --help". For a more
764 detailed description of these formats, see the QEMU Emulation User
765 Documentation.
766 The main purpose of the block drivers for these formats is image
768 conversion. For running VMs, it is recommended to convert the disk
769 images to either raw or qcow2 in order to achieve good performance.
770
772 The HTML documentation of QEMU for more precise information and Linux
773 user mode emulator invocation.
774
776 Fabrice Bellard
777 2019-05-14 QEMU-IMG.1(1)