Date: Tue, 27 Oct 2015 14:41:48 +0000
From: Stefan Hajnoczi
Message-ID: <20151027144148.GA5626@stefanha-x1.localdomain>
In-Reply-To: <562EE826.7000902@cn.fujitsu.com>
Subject: Re: [Qemu-devel] [Qemu-block] [PATCH v10 08/10] Implement new driver for block replication
To: Wen Congyang
Cc: Kevin Wolf, Fam Zheng, zhanghailiang, qemu block, Stefan Hajnoczi, Jeff Cody, Jiang Yunhong, Dong Eddie, qemu devel, "Michael R. Hines", Max Reitz, Gonglei, Paolo Bonzini, Yang Hongyang, "Dr. David Alan Gilbert"

On Tue, Oct 27, 2015 at 10:57:42AM +0800, Wen Congyang wrote:
> On 10/16/2015 07:37 PM, Stefan Hajnoczi wrote:
> > On Fri, Oct 16, 2015 at 10:22:05AM +0800, Wen Congyang wrote:
> >> On 10/15/2015 10:55 PM, Stefan Hajnoczi wrote:
> >>> On Thu, Oct 15, 2015 at 10:19:17AM +0800, Wen Congyang wrote:
> >>>> On 10/14/2015 10:27 PM, Stefan Hajnoczi wrote:
> >>>>> On Tue, Oct 13, 2015 at 05:08:17PM +0800, Wen Congyang wrote:
> >>>>>> On 10/13/2015 12:27 AM, Stefan Hajnoczi wrote:
> >>>>>>> On Fri, Sep 25, 2015 at 02:17:36PM +0800, Wen Congyang wrote:
> >>>>>>>> + /* start backup job now */
> >>>>>>>> + bdrv_op_unblock(s->hidden_disk, BLOCK_OP_TYPE_BACKUP_TARGET,
> >>>>>>>> + s->active_disk->backing_blocker);
> >>>>>>>> + bdrv_op_unblock(s->secondary_disk, BLOCK_OP_TYPE_BACKUP_SOURCE,
> >>>>>>>> + s->hidden_disk->backing_blocker);
> >>>>>>>
> >>>>>>> Why is it safe to unblock these operations?
> >>>>>>>
> >>>>>>> Why do they have to be blocked for non-replication users?
> >>>>>>
> >>>>>> hidden_disk and secondary disk are opened as backing file, so it is blocked for
> >>>>>> non-replication users.
> >>>>>> What can I do if I don't unblock it and want to do backup?
> >>>>>
> >>>>> CCing Jeff Cody, block jobs maintainer
> >>>>>
> >>>>> You need to explain why it is safe to remove this protection. We can't
> >>>>> merge code that may be unsafe.
> >>>>>
> >>>>> I think we can investigate further by asking: when does QEMU code assume
> >>>>> the backing file is read-only?
> >>>>
> >>>> The backing file is opened in read-only mode. I want to reopen it in read-write
> >>>> mode here in the next version (so patch 1 will be dropped).
> >>>>
> >>>>>
> >>>>> I haven't checked but these cases come to mind:
> >>>>>
> >>>>> Operations that move data between BDS in the backing chain (e.g. commit
> >>>>> and stream block jobs) will lose or overwrite data if the backing file
> >>>>> is being written to by another coroutine.
> >>>>>
> >>>>> We need to prevent users from running these operations at the same time.
> >>>>
> >>>> Yes, but qemu doesn't provide such an API.
> >>>
> >>> This series can't be merged unless it is safe.
> >>>
> >>> Have you looked at op blockers and thought about how to prevent unsafe
> >>> operations?
> >>
> >> What about this solution:
> >> 1. unblock it in bdrv_set_backing_hd()
> >> 2. block it in qmp_block_commit(), qmp_block_stream(), qmp_block_backup()..., to
> >> prevent unsafe operations
> >
> > Come to think of it, currently QEMU only supports 1 block job per BDS.
> >
> > This means that as long as COLO has a backup job running, no other block
> > jobs can interfere.
> >
> > There still might be a risk with monitor commands like 'commit'.
>
> What about this?
> diff --git a/block.c b/block.c
> index e9f40dc..b181d67 100644
> --- a/block.c
> +++ b/block.c
> @@ -1162,6 +1162,24 @@ void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd) > /* Otherwise we won't be able to commit due to check in bdrv_commit */ > bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_COMMIT_TARGET, > bs->backing_blocker); > + /* > + * We do backup in 3 ways: > + * 1. drive backup > + * The target bs is new opened, and the source is top BDS > + * 2. blockdev backup > + * Both the source and the target are top BDSes. > + * 3. internal backup(used for block replication) > + * Both the source and the target are backing file > + * > + * In case 1, and 2, the backing file is neither the source nor > + * the target. > + * In case 3, we will block the top BDS, so there is only one block > + * job for the top BDS and its backing chain. > + */ > + bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_BACKUP_SOURCE, > + bs->backing_blocker); BLOCK_OP_TYPE_BACKUP_SOURCE does not modify the image so this should be safe. > + bdrv_op_unblock(backing_hd, BLOCK_OP_TYPE_BACKUP_TARGET, > + bs->backing_blocker); This one is trickier since it means write access, but BLOCK_OP_TYPE_COMMIT_TARGET is already unblocked above. At least it should be no worse than allowing BLOCK_OP_TYPE_COMMIT_TARGET. Jeff? Stefan
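Review bot: the comment added at the top of this hunk justifies case 3 by saying "we will block the top BDS", but nothing in the hunk installs that blocker, and the two bdrv_op_unblock() calls run for every backing file attached through bdrv_set_backing_hd(), not only for replication's hidden and secondary disks. Since BLOCK_OP_TYPE_BACKUP_TARGET grants write access to a backing file that is otherwise opened read-only, consider either naming in the comment the code path that blocks the top BDS (so a reader can verify the "only one block job for the top BDS and its backing chain" claim), or moving the BACKUP_TARGET unblock into the replication driver so that ordinary backing chains keep the protection; the BACKUP_SOURCE unblock is read-only and can stay here.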