From: Kevin Wolf <kwolf@redhat.com>
To: Paul Durrant <Paul.Durrant@citrix.com>
Cc: "qemu-block@nongnu.org" <qemu-block@nongnu.org>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
Fabio Fantoni <fabio.fantoni@m2r.biz>,
Stefano Stabellini <Stefano.Stabellini@citrix.com>,
Anthony Perard <anthony.perard@citrix.com>,
John Snow <jsnow@redhat.com>
Subject: Re: [Qemu-devel] Question about xen disk unplug support for ahci missed in qemu
Date: Fri, 16 Oct 2015 19:03:56 +0200 [thread overview]
Message-ID: <20151016170356.GI4185@noname.redhat.com> (raw)
In-Reply-To: <9AAE0902D5BC7E449B7C8E4E778ABCD02F616F4B@AMSPEX01CL01.citrite.net>
Am 16.10.2015 um 18:53 hat Paul Durrant geschrieben:
> > > > > > Just tell your admin what virtual hardware you really need. (Or tell
> > > > > > them to give you a proper interface to configure your VMs yourself.)
> > > > > >
> > > > >
> > > > > My point is that the virtual hardware that the OS user wants will
> > > > > change. Before they install PV drivers, they will need emulated
> > > > > device. After installing PV drivers they will want PV devices. Should
> > > > > they really have to contact their cloud provider to make the switch,
> > > > > when at the moment it happens automatically and transparently (the
> > > > > AHCI problem aside)?
> > > >
> > > > My point is that such a magic change shouldn't happen. It doesn't happen
> > > > on real hardware either and people still get things installed to non-IDE
> > > > disks.
> > > >
> > > > There is no reason to install the OS onto a different device than will
> > > > be used later. With Linux, it's no problem at all because the PV drivers
> > > > are already included on the installation media anyway, and on Windows
> > or
> > > > presumably any other OS you can load and install the drivers right from
> > > > the beginning.
> > > >
> > > > In fact, I would be surprised if using xendisk instead of IDE for
> > > > installing Windows didn't result in a noticably faster installation.
> > > >
> > >
> > > It most certainly would, but requiring users do it this way is likely to meet
> > some resistance I suspect.
> >
> > Why do you think so? Installing the PV drivers afterwards doesn't seem
> > easier than just providing them during the installation.
> >
>
> My experience of XenServer customers tells me that any form of manual
> intervention during guest install is likely to meet with resistance,
> unfortunately.
Do they consider the guest install complete before they manually
intervene for installing the PV drivers?
I'm no Windows expert, but I'm sure there is a way to automate
installation even when a driver disk is needed.
> > > > Now, if you really insist on providing a legacy interface even to guests
> > > > that eventually use PV drivers, there actually are sane ways to
> > > > implement this. It will be tricky to make that transition now without
> > > > breaking compatibility, but it could have been done from the start.
> > > >
> > > > Sane means for example that you don't open the same image twice (and
> > > > even read-write!) at the same time. This is a recipe for disaster and
> > > > it's surprising that you don't see corrupted images more often.
> > > >
> > >
> > > We don't because unplug is supposed to ensure the emulated device is
> > > gone before the PV frontend is started
> >
> > The important part is the backend, but it seems that you open the second
> > instance of the image only when starting the PV frontend?
>
> I believe this is the case, yes.
>
> >
> > As long as you don't enable the user to use most of qemu's functionality
> > like starting block jobs (which would keep the IDE instance around even
> > after unplugging the disk), it might actually be safe assuming that the
> > guest cooperates. Not sure what a malicious guest could do, though, as
> > nobody seems to check whether IDE is really unplugged before the second
> > instance is opened.
>
> The Windows drivers do check. After the unplug Windows is asked to
> re-enumerate the IDE buses and we make sure the disks we expect to be
> gone are really gone.
You can't use guest code to protect against malicious guests.
> > raw and qcow2 should be safe these days, but in
> > earlier times it would probably have been possible for the guest to
> > overwrite the image header and access arbitrary files on the host as
> > backing file. It might still be true for other image formats.
> >
> > > > So if you wanted to have a clean solution, try to think how real
> > > > hardware would solve the problem. If you want me to suggest something
> > > > off the top of my head, I would come up with an extended IDE device
> > (one
> > > > single device!) that provides the IDE I/O ports and additionally some
> > > > MMIO BAR that enables access to PV functionality.
> > > >
> > > > Once you enable PV functionality, the IDE ports stop working; device
> > > > reset disables the PV ring and goes back to IDE mode. No hard disk
> > > > suddenly disappearing from the machine, no image corruption if the IDE
> > > > device is written to before enabling PV, etc.
> > > >
> > >
> > > That's not sufficient though. The IDE device must not be enumerated by
> > > the OS and, in Windows at least, that enumeration occurs before the PV
> > > frontend has started up.
> >
> > The trick is that it's only a single device, so there is no second
> > device that must be prevented from being enumerated. You provide a
> > driver for this specific IDE controller, so Windows wouldn't even try
> > the generic IDE driver when your driver is available.
> >
>
> But the whole point is that we want Windows to use the generic IDE
> driver. If we had a driver in Windows from the outset then it would be
> pure PV and there'd be no problem :-)
And it would do that when your driver isn't available. This fallback is
the difference from a pure PV device. But as soon as your driver is
available, it will be preferred and the generic IDE driver won't be
used any more.
Kevin
> > It's kind of the same sort of IDE controller extension as Bus Master
> > DMA, which just added a new BAR. If you had an old driver, it would just
> > ignore the new registers. If you had a new one, it would use them. But
> > in no way would the old appearance of the device simply disappear, you
> > just use an extended register set on the same device.
> >
> > > > But it's your choice. You can keep your broken hack in IDE. Just don't
> > > > expect anyone to support adding new broken hacks to other devices.
> > > >
> > >
> > > I'd prefer to have a cleaner solution and I believe can achieve that in
> > Windows by obscuring the emulated disks using filter drivers, so that's the
> > way I'll probably go.
> >
> > I wouldn't consider anything that works with two distinct disk devices
> > and two separate BlockDriverStates for the same image file a clean
> > solution.
> >
> > Kevin
next prev parent reply other threads:[~2015-10-16 17:04 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-13 15:55 [Qemu-devel] Question about xen disk unplug support for ahci missed in qemu Fabio Fantoni
2015-10-13 16:45 ` John Snow
2015-10-13 17:10 ` Stefano Stabellini
2015-10-14 9:47 ` Kevin Wolf
2015-10-14 11:06 ` Stefano Stabellini
2015-10-14 11:27 ` [Qemu-devel] [Xen-devel] " Ian Campbell
2015-10-15 23:10 ` Laszlo Ersek
2015-10-16 2:38 ` Kevin O'Connor
2015-10-16 9:06 ` Stefano Stabellini
2015-10-16 9:21 ` Laszlo Ersek
2015-10-16 9:33 ` Stefano Stabellini
2015-10-16 9:34 ` Ian Campbell
2015-10-16 13:03 ` Kevin O'Connor
2015-10-16 9:13 ` Laszlo Ersek
2015-10-14 11:32 ` [Qemu-devel] " Kevin Wolf
2015-10-14 11:44 ` Stefano Stabellini
2015-10-15 16:27 ` Fabio Fantoni
2015-10-15 18:02 ` Anthony PERARD
2015-10-16 8:32 ` Fabio Fantoni
2015-10-16 10:13 ` Anthony PERARD
2015-10-16 10:23 ` Fabio Fantoni
2015-10-16 10:47 ` Stefano Stabellini
2015-10-16 11:34 ` Fabio Fantoni
2015-10-16 19:09 ` Laszlo Ersek
2015-10-19 20:32 ` Laszlo Ersek
2015-10-20 11:59 ` Stefano Stabellini
2015-10-20 12:45 ` Laszlo Ersek
2015-10-20 14:52 ` Stefano Stabellini
2015-10-14 11:11 ` Fabio Fantoni
2015-10-14 12:48 ` Paul Durrant
2015-10-15 23:35 ` Laszlo Ersek
2015-10-16 14:04 ` Kevin Wolf
2015-10-16 14:24 ` Paul Durrant
2015-10-16 15:02 ` Kevin Wolf
2015-10-16 15:10 ` Paul Durrant
2015-10-16 16:11 ` Kevin Wolf
2015-10-16 16:20 ` Paul Durrant
2015-10-16 16:42 ` Kevin Wolf
2015-10-16 16:53 ` Paul Durrant
2015-10-16 17:03 ` Kevin Wolf [this message]
2015-10-19 13:42 ` Fabio Fantoni
2015-10-16 16:53 ` Eric Blake
2015-10-16 20:40 ` John Snow
2015-10-19 10:18 ` Stefano Stabellini
2015-10-19 11:27 ` Gerd Hoffmann
2015-10-19 11:44 ` Stefano Stabellini
2015-10-19 16:54 ` John Snow
2015-10-19 16:57 ` Stefano Stabellini
2015-10-19 18:29 ` Fabio Fantoni
2015-10-19 19:55 ` Laszlo Ersek
2015-10-19 14:17 ` Fabio Fantoni
2015-10-19 14:57 ` Stefano Stabellini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151016170356.GI4185@noname.redhat.com \
--to=kwolf@redhat.com \
--cc=Paul.Durrant@citrix.com \
--cc=Stefano.Stabellini@citrix.com \
--cc=anthony.perard@citrix.com \
--cc=fabio.fantoni@m2r.biz \
--cc=jsnow@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).