From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:54912)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kwolf@redhat.com>) id 1QpGKN-0005dL-3A
	for qemu-devel@nongnu.org; Fri, 05 Aug 2011 05:04:24 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kwolf@redhat.com>) id 1QpGKL-0005fU-QJ
	for qemu-devel@nongnu.org; Fri, 05 Aug 2011 05:04:23 -0400
Received: from mx1.redhat.com ([209.132.183.28]:52596)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kwolf@redhat.com>) id 1QpGKL-0005fI-Hp
	for qemu-devel@nongnu.org; Fri, 05 Aug 2011 05:04:21 -0400
Message-ID: <4E3BB2C3.4020607@redhat.com>
Date: Fri, 05 Aug 2011 11:07:15 +0200
From: Kevin Wolf <kwolf@redhat.com>
MIME-Version: 1.0
References: <CAJSP0QV-3_BK61TYbLMGj+ktap-j1_8Prnjbh7MFYT90Tkdgkg@mail.gmail.com>
In-Reply-To: <CAJSP0QV-3_BK61TYbLMGj+ktap-j1_8Prnjbh7MFYT90Tkdgkg@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] Safely reopening image files by stashing fds
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: Supriya Kannery <supriyak@linux.vnet.ibm.com>, Anthony Liguori <aliguori@us.ibm.com>, qemu-devel <qemu-devel@nongnu.org>

Am 05.08.2011 10:40, schrieb Stefan Hajnoczi:
> We've discussed safe methods for reopening image files (e.g. useful for
> changing the hostcache parameter).  The problem is that closing the file first
> and then opening it again exposes us to the error case where the open fails.
> At that point we cannot get to the file anymore and our options are to
> terminate QEMU, pause the VM, or offline the block device.
> 
> This window of vulnerability can be eliminated by keeping the file descriptor
> around and falling back to it should the open fail.
> 
> The challenge for the file descriptor approach is that image formats, like
> VMDK, can span multiple files.  Therefore the solution is not as simple as
> stashing a single file descriptor and reopening from it.

So far I agree. The rest I believe is wrong because you can't assume
that every backend uses file descriptors. The qemu block layer is based
on BlockDriverStates, not fds. They are a concept that should be hidden
in raw-posix.

I think something like this could do:

struct BDRVReopenState {
    BlockDriverState *bs;
    /* can be extended by block drivers */
};

.bdrv_reopen(BlockDriverState *bs, BDRVReopenState **reopen_state, int
flags);
.bdrv_reopen_commit(BDRVReopenState *reopen_state);
.bdrv_reopen_abort(BDRVReopenState *reopen_state);

raw-posix would store the old file descriptor in its reopen_state. On
commit, it closes the old descriptors, on abort it reverts to the old
one and closes the newly opened one.

Makes things a bit more complicated than the simple bdrv_reopen I had in
mind before, but it allows VMDK to get an all-or-nothing semantics.

Kevin