Description
Hi folks,
I need a bit of help loading qcow2 snapshots in dissect for analysis. My issue is that I have differential snapshots based on a linux base image:
```
$ file snapshots/snapshot-ubuntu_2204-02069a61db34472d87754fabe5f2d648.qcow2
snapshots/snapshot-ubuntu_2204-02069a61db34472d87754fabe5f2d648.qcow2: QEMU QCOW Image (v3), has backing file (path ubuntu-22.04-packer.qcow2, mtime Thu Jan 1 00:00:16 1970), 5242880000 bytes (v3), has backing file (path ubuntu-22.04-packer.qcow2), 5242880000 bytes
```
I am trying to run target-info or target-query on this specific image and it yields this error:
```
$ target-info snapshot-ubuntu_2204-02069a61db34472d87754fabe5f2d648.qcow2
  File "/home/andreia/dissect/.venv/lib/python3.12/site-packages/dissect/hypervisor/disk/qcow2.py", line 119, in __init__
    raise Error(f"backing-file required but not provided (auto_backing_file = {self.auto_backing_file})")
dissect.hypervisor.exceptions.Error: backing-file required but not provided (auto_backing_file = ubuntu-22.04-packer.qcow2)
[...]
  File "/home/andreia/dissect/.venv/lib/python3.12/site-packages/dissect/target/container.py", line 241, in open
    raise ContainerError(f"Failed to open container {item}") from e
dissect.target.exceptions.ContainerError: Failed to open container snapshot-ubuntu_2204-02069a61db34472d87754fabe5f2d648.qcow2

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/andreia/dissect/.venv/lib/python3.12/site-packages/dissect/target/target.py", line 353, in open_all
    target = cls._load(sub_entry, ldr)
             ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/andreia/dissect/.venv/lib/python3.12/site-packages/dissect/target/target.py", line 513, in _load
    raise TargetError(f"Failed to load target: {path}") from e
dissect.target.exceptions.TargetError: Failed to load target: snapshot-ubuntu_2204-02069a61db34472d87754fabe5f2d648.qcow2
```
I noticed that it automatically detected the backing file - `(auto_backing_file = ubuntu-22.04-packer.qcow2)` - and I am at the right relative path, but still `target-info` doesn't pick up the backing file.
In my journey of trying to make this work, I've also tried to script this using the Python API:
```python
from pathlib import Path

from dissect.target import Target
from dissect.target.containers.qcow2 import QCow2Container


def analyze_image(target_path: Path, backing_path: Path):
    # Open the base image as the target
    target = Target.open(backing_path)
    with target_path.open("rb") as snap_fh, backing_path.open("rb") as base_fh:
        # Wrap the snapshot, passing the base image as its backing file
        container = QCow2Container(snap_fh, None, backing_file=base_fh)
        target.disks.add(container)
        target.apply()
        print("Install date:", target.install_date)
        print("Last activity:", target.activity)
```
The issue with the Python script is that it doesn't seem to load the snapshot at all - activity/install_date/users are exactly the same as from the base image, not from the snapshot (and I specifically know that the last_activity should be different). So I'm assuming that here I am actually doing something wrong, maybe I didn't really understand how to add disks/backing_files to an open target.
Another thing worth mentioning is that I managed to bypass this by creating standalone images with qemu-img convert. Creating a full qcow2 image from the base + snapshot gives me a workable image for dissect, so there's nothing wrong with the base img or the snapshot. But in the long run I don't want to do this because it takes a lot of disk space and we have to analyze dozens of snapshots.
That being said, I have the following questions:
- How can I make dissect API or target-query work with differential snapshots?
- Is there a way to pass the backing file to `target-query` using cmd line args?
If I can be of help to solve a missing feature down this path, I am happy to try to contribute with a PR.
Thanks in advance for your time 😄
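
A pre-flight check for the backing chain discussed in this issue, added here as an example (not part of the original post and not dissect's own code): it reads the backing file name from the qcow2 header and resolves it against the snapshot's directory, which is how QEMU treats a relative backing path. The function names and the header-only sample file are constructed for illustration.

```python
from __future__ import annotations

import struct
import tempfile
from pathlib import Path

QCOW2_MAGIC = b"QFI\xfb"
# Big-endian: magic, version, backing_file_offset, backing_file_size, cluster_bits, size
HEADER = struct.Struct(">4sIQIIQ")


def read_backing_name(image: Path) -> str | None:
    """Return the backing file name recorded in a qcow2 header, or None."""
    with image.open("rb") as fh:
        raw = fh.read(HEADER.size)
        if len(raw) < HEADER.size or raw[:4] != QCOW2_MAGIC:
            raise ValueError(f"{image}: not a qcow2 image")
        _magic, _version, offset, length, _bits, _size = HEADER.unpack(raw)
        if offset == 0:
            return None  # standalone image, nothing to resolve
        if length > 1023:  # the qcow2 spec caps the name at 1023 bytes
            raise ValueError(f"{image}: backing file name too long")
        fh.seek(offset)
        name = fh.read(length)
    if len(name) != length:
        raise ValueError(f"{image}: truncated backing file name")
    return name.decode("utf-8", errors="replace")


def resolve_backing_path(image: Path) -> Path | None:
    """Resolve the backing name against the snapshot's own directory."""
    name = read_backing_name(image)
    if name is None:
        return None
    return image.parent / name  # an absolute name replaces the parent part


def make_sample(image: Path, backing: str = "") -> Path:
    """Write a constructed, header-only qcow2 v3 file for the demo below."""
    name = backing.encode()
    offset = HEADER.size if name else 0
    image.write_bytes(HEADER.pack(QCOW2_MAGIC, 3, offset, len(name), 16, 5242880000) + name)
    return image


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        snap = make_sample(Path(tmp) / "snap.qcow2", "ubuntu-22.04-packer.qcow2")
        print(resolve_backing_path(snap))
```

Running `resolve_backing_path()` over each snapshot and checking `.exists()` on the result shows whether the recorded base image is actually reachable from the snapshot's location before analysis starts.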