From: "Daniel P. Berrange" <berrange@redhat.com>
To: Kevin Wolf <kwolf@redhat.com>
Cc: "Richard W.M. Jones" <rjones@redhat.com>,
Fam Zheng <famz@redhat.com>,
qemu-block@nongnu.org, Jeff Cody <jcody@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
qemu-devel@nongnu.org, stefanha@redhat.com, pbonzini@redhat.com,
den@openvz.org, Max Reitz <mreitz@redhat.com>,
John Snow <jsnow@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v4 00/27] block: Lock images when opening
Date: Tue, 10 May 2016 10:43:10 +0100 [thread overview]
Message-ID: <20160510094310.GH13377@redhat.com> (raw)
In-Reply-To: <20160510093514.GH4921@noname.str.redhat.com>
On Tue, May 10, 2016 at 11:35:14AM +0200, Kevin Wolf wrote:
> Am 10.05.2016 um 11:23 hat Daniel P. Berrange geschrieben:
> > On Tue, May 10, 2016 at 11:14:22AM +0200, Kevin Wolf wrote:
> > > Am 10.05.2016 um 10:50 hat Daniel P. Berrange geschrieben:
> > > > On Tue, May 10, 2016 at 09:43:04AM +0100, Richard W.M. Jones wrote:
> > > > > On Tue, May 10, 2016 at 09:14:26AM +0100, Richard W.M. Jones wrote:
> > > > > > However I didn't test the write-shareable case (the libvirt
> > > > > > <shareable/> flag which should map to a shared lock -- is that right Dan?).
> > > > >
> > > > > To Dan (mainly): I think setting the <shareable/> flag in libvirt only
> > > > > sets cache=unsafe on the qemu drive (it may have other effects for
> > > > > virtlockd). Should there be an extra qemu drive flag to communicate
> > > > > that the drive is write-shareable?
> > > >
> > > > Sure, if QEMU had a way to indicate that the disk was used in a
> > > > write-sharable mode, libvirt would use it.
> > > >
> > > > I agree with your general point that we should do no locking for
> > > > read-only access, F_RDLCK for shared-write and F_WRLCK for
> > > > exclusive-write access. I think I made that point similarly against
> > > > an earlier version of this patchset
> > >
> > > Why should we do no locking for read-only access by default? If an image
> > > is written to, read-only accesses are potentially inconsistent and we
> > > should protect users against it.
> > >
> > > The only argument I can see in the old versions of this series is
> > > "libguestfs does it and usually it gets away with it". For me, that's
> > > not an argument for generally allowing this, but at most for providing a
> > > switch to bypass the locking.
> > >
> > > Because let's be clear about this: If someone lost data because they
> > > took an inconsistent backup this way and comes to us qemu developers,
> > > all we can tell them is "sorry, what you did is not supported". And
> > > that's a pretty strong sign that locking should prevent it by default.
> >
> > We have 3 usage scenarios - readonly-share, writable-shared and
> > writable-exclusive, and only 2 lock types to play with. This series
> > does no locking at all in the writable-shared case, so we still have
> > the problem you describe in that someone opening the image for readonly
> > access will succeeed even when it is used writable-shared by another
> > process.
> >
> > So we have to pick a trade-off here. IMHO it is more important to
> > ensure we have locks in both the write-shared & write-exclusive case,
> > as both of those can definitely result in corrupted images if not
> > careful, where as read-only access merely results in your reading
> > bad data, no risk of corrupting the original image.
>
> I agree that we want locking for the writable-shared case. That doesn't
> mean no locking for read-only, though. I think read-only and writeable-
> shared are the same thing as far as locking is concerned.
It doesn't make much sense to say that it is unsafe to use read-only
in combination with write-exclusive, but then allow read-only with
write-shared. In both cases you have the same scenario that the
read-only app may get inconsistent data when reading.
> This is the matrix of the allowed combinations (without a manual lock
> override that enables libguestfs to use unsupported cases), as I see it:
>
> wr-excl wr-shared read-only
> write-exclusive no no no
> write-shared no yes yes
> read-only no yes yes
>
> Do you disagree with any of the entries?
I would have 'yes' in all the read-only cells.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2016-05-10 9:43 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-10 2:50 [Qemu-devel] [PATCH v4 00/27] block: Lock images when opening Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 01/27] block: Add BDRV_O_NO_LOCK Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 02/27] qapi: Add lock-image in blockdev-add options Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 03/27] blockdev: Add and parse "lock-image" option for block devices Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 04/27] block: Introduce image file locking Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 05/27] block: Add bdrv_image_locked Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 06/27] block: Make bdrv_reopen_{commit, abort} private functions Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 07/27] block: Handle image locking during reopen Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 08/27] osdep: Add qemu_lock_fd and qemu_unlock_fd Fam Zheng
2016-05-10 7:54 ` Richard W.M. Jones
2016-05-10 8:57 ` Daniel P. Berrange
2016-05-10 9:06 ` Richard W.M. Jones
2016-05-10 9:20 ` Daniel P. Berrange
2016-05-11 0:48 ` Fam Zheng
2016-05-11 1:05 ` Fam Zheng
2016-05-11 9:01 ` Daniel P. Berrange
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 09/27] osdep: Introduce qemu_dup Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 10/27] raw-posix: Use qemu_dup Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 11/27] raw-posix: Implement .bdrv_lockf Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 12/27] gluster: " Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 13/27] qemu-io: Add "-L" option for BDRV_O_NO_LOCK Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 14/27] qemu-img: Add "-L" option to sub commands Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 15/27] qemu-img: Update documentation of "-L" option Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 16/27] qemu-nbd: Add "--no-lock/-L" option Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 17/27] block: Don't lock drive-backup target image in none mode Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 18/27] mirror: Disable image locking on target backing chain Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 19/27] qemu-iotests: 140: Disable image lock for qemu-io access Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 20/27] qemu-iotests: 046: Move version detection out from verify_io Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 21/27] qemu-iotests: Wait for QEMU processes before checking image in 091 Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 22/27] qemu-iotests: 030: Disable image lock when checking test image Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 23/27] iotests: 087: Disable image lock in cases where file is shared Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 24/27] iotests: Disable image locking in 085 Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 25/27] tests: Use null-co:// instead of /dev/null Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 26/27] block: Turn on image locking by default Fam Zheng
2016-05-10 2:50 ` [Qemu-devel] [PATCH v4 27/27] qemu-iotests: Add test case 153 for image locking Fam Zheng
2016-05-10 8:14 ` [Qemu-devel] [PATCH v4 00/27] block: Lock images when opening Richard W.M. Jones
2016-05-10 8:43 ` Richard W.M. Jones
2016-05-10 8:50 ` Daniel P. Berrange
2016-05-10 9:14 ` Kevin Wolf
2016-05-10 9:23 ` Daniel P. Berrange
2016-05-10 9:35 ` Kevin Wolf
2016-05-10 9:43 ` Daniel P. Berrange [this message]
2016-05-10 10:07 ` Kevin Wolf
2016-05-10 10:16 ` Richard W.M. Jones
2016-05-10 11:08 ` Kevin Wolf
2016-05-10 11:46 ` Richard W.M. Jones
2016-05-10 12:01 ` Kevin Wolf
2016-05-10 12:11 ` Richard W.M. Jones
2016-05-10 12:22 ` Daniel P. Berrange
2016-05-10 12:45 ` Kevin Wolf
2016-05-11 8:04 ` Markus Armbruster
2016-05-11 8:52 ` Daniel P. Berrange
2016-05-11 8:04 ` Fam Zheng
2016-05-11 9:28 ` Richard W.M. Jones
2016-05-11 10:03 ` Kevin Wolf
2016-05-10 10:29 ` Daniel P. Berrange
2016-05-10 11:14 ` Kevin Wolf
2016-05-10 10:02 ` Richard W.M. Jones
2016-05-11 11:48 ` Richard W.M. Jones
2016-05-11 11:56 ` Kevin Wolf
2016-05-12 1:07 ` Fam Zheng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160510094310.GH13377@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=den@openvz.org \
--cc=famz@redhat.com \
--cc=jcody@redhat.com \
--cc=jsnow@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.