From: "Daniel P. Berrange" <berrange@redhat.com>
To: Fam Zheng <famz@redhat.com>
Cc: qemu-devel@nongnu.org, Kevin Wolf <kwolf@redhat.com>,
Max Reitz <mreitz@redhat.com>, Jeff Cody <jcody@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
Eric Blake <eblake@redhat.com>, John Snow <jsnow@redhat.com>,
qemu-block@nongnu.org, pbonzini@redhat.com, den@openvz.org
Subject: Re: [Qemu-devel] [PATCH for-2.7 v2 00/17] block: Lock images when opening
Date: Mon, 18 Apr 2016 10:53:44 +0100 [thread overview]
Message-ID: <20160418095344.GD19600@redhat.com> (raw)
In-Reply-To: <1460690887-32751-1-git-send-email-famz@redhat.com>
On Fri, Apr 15, 2016 at 11:27:50AM +0800, Fam Zheng wrote:
> v2: Lock byte 1 in the image itself, no lock file. [Daniel]
> Fix migration (image are not locked in bdrv_open_common if
> BDRV_O_INACTIVE). [Denis]
> Simplify test case fixes because of the above.
> Add lock for RBD.
> Add "-L" option in "qemu-img" and "qemu-nbd" too. [Denis]
> Add test case for image locking.
>
> Too many troubles have been caused by two processes writing to the same image
> unexpectedly. This series introduces automatical image locking into QEMU to
> avoid such tragedy. With this, the user won't be able to open the image from
> two processes (e.g. using qemu-img when the image is attached to the guest).
>
> Underneath is the fcntl syscall that locks the local file, similar to what is
> already used in libvirt virtlockd. The difference is that libvirt locks byte 0,
> we lock byte 1. Read only openings are mapped to shared locks.
I'm afraid the way you are using fcntl is not actually safe, because
fcntl does not correctly deal with concurrent usage within the same
VM. I have tested your series with the following sequence of steps.
Consider I have a pair of disk images:
$ qemu-img create master.img 10G
Formatting 'master.img', fmt=raw size=10737418240
$ qemu-img create -f qcow2 -obacking_file=master.img overlay.img
Formatting 'overlay.img', fmt=qcow2 size=10737418240 backing_file='master.img' encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16
Now I launch QEMU pointing it to overlay.img:
$ qemu-system-x86_64 -drive file=/home/berrange/VirtualMachines/overlay.img -monitor stdio
QEMU 2.5.91 monitor - type 'help' for more information
Looking at the locks held, everything is correct:
$lslocks | grep qemu
qemu-system-x86 28723 POSIX 192.5K WRITE 0 1 1 /home/berrange/VirtualMachines/overlay.img
qemu-system-x86 28723 POSIX 10G READ 0 1 1 /home/berrange/VirtualMachines/master.img
Now see what happens when I hotplug a second disk image pointing
to master.img in write mode - this should be denied since writing
to master.img will invalidate the backing store used by the currently
open overlay.img:
(qemu) drive_add 0:1:1 file=/home/berrange/VirtualMachines/master.img,if=none
WARNING: Image format was not specified for '/home/berrange/VirtualMachines/master.img' and probing guessed raw.
Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
Specify the 'raw' format explicitly to remove the restrictions.
OK
It was mistakenly allowed. We should not allow writing to a disk
image that is used as backing store for an overlay. Now look at
the locks held:
$ lslocks | grep qemu
qemu-system-x86 28723 POSIX 192.5K WRITE 0 1 1 /home/berrange/VirtualMachines/overlay.img
qemu-system-x86 28723 POSIX 10G WRITE 0 1 1 /home/berrange/VirtualMachines/master.img
The read lock on master.img has simply been "upgraded" to a write
lock. This is totally incorrect behaviour from POV of protecting
the disk images.
Now lets unplug the drive we just added:
(qemu) drive_del none0
And look at the locks held again:
$ lslocks | grep qemu
qemu-system-x86 28723 POSIX 192.5K WRITE 0 1 1 /home/berrange/VirtualMachines/overlay.img
So we've now lost the lock on msater.img, despite the fact that
it is still open for reading as a backing store of overlay.img.
This is all caused by the problems I've mentioned in previous
discussions whereby locks are scoped to the process, not the
file handle. eg opening a second file handle wil happily upgrde
the lock held by the first file handle from read to write.
Closing the second file handle will happily release the lock,
even though the first file handle is still open.
If you want todo locks inside of QEMU, you really can't rely
on delegating handling to each individual block driver instance.
You need to have a process global registry of which files you have
already locked, and check against that registry before even
attempting to open any file that might correspond to a disk image.
This registry needs to canonicalize the file path too, to allow
for possibility of QEMU being given differen paths to the same
file.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2016-04-18 9:53 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-15 3:27 [Qemu-devel] [PATCH for-2.7 v2 00/17] block: Lock images when opening Fam Zheng
2016-04-15 3:27 ` [Qemu-devel] [PATCH for-2.7 v2 01/17] block: Add BDRV_O_NO_LOCK Fam Zheng
2016-04-16 10:47 ` Denis V. Lunev
2016-04-15 3:27 ` [Qemu-devel] [PATCH for-2.7 v2 02/17] qapi: Add lock-image in blockdev-add options Fam Zheng
2016-04-16 10:48 ` Denis V. Lunev
2016-04-26 8:01 ` Fam Zheng
2016-04-15 3:27 ` [Qemu-devel] [PATCH for-2.7 v2 03/17] blockdev: Add and parse "lock-image" option for block devices Fam Zheng
2016-04-16 13:15 ` Denis V. Lunev
2016-04-19 13:00 ` Fam Zheng
2016-04-15 3:27 ` [Qemu-devel] [PATCH for-2.7 v2 04/17] block: Introduce image file locking Fam Zheng
2016-04-16 13:22 ` Denis V. Lunev
2016-04-18 1:43 ` Fam Zheng
2016-04-16 23:29 ` Max Reitz
2016-04-18 1:33 ` Fam Zheng
2016-04-18 5:34 ` Denis V. Lunev
2016-04-19 19:14 ` Max Reitz
2016-04-20 8:46 ` Denis V. Lunev
2016-04-19 19:13 ` Max Reitz
2016-04-25 23:55 ` Laszlo Ersek
2016-04-26 0:47 ` Fam Zheng
2016-04-15 3:27 ` [Qemu-devel] [PATCH for-2.7 v2 05/17] raw-posix: Implement .bdrv_lockf Fam Zheng
2016-04-16 13:29 ` Denis V. Lunev
2016-04-18 1:12 ` Fam Zheng
2016-04-18 5:30 ` Denis V. Lunev
2016-04-18 9:34 ` Daniel P. Berrange
2016-04-18 9:38 ` Denis V. Lunev
2016-04-17 19:27 ` Richard W.M. Jones
2016-04-18 1:10 ` Fam Zheng
2016-04-18 8:04 ` Richard W.M. Jones
2016-04-19 12:37 ` Fam Zheng
2016-04-19 13:07 ` Richard W.M. Jones
2016-04-19 13:19 ` Fam Zheng
2016-04-19 13:36 ` Richard W.M. Jones
2016-04-19 13:45 ` Daniel P. Berrange
2016-04-19 13:34 ` Daniel P. Berrange
2016-04-19 13:40 ` Richard W.M. Jones
2016-04-15 3:27 ` [Qemu-devel] [PATCH for-2.7 v2 06/17] gluster: " Fam Zheng
2016-04-15 12:24 ` [Qemu-devel] [Qemu-block] " Niels de Vos
2016-04-15 3:27 ` [Qemu-devel] [PATCH for-2.7 v2 07/17] rbd: Implement image locking Fam Zheng
2016-04-23 1:57 ` Jason Dillaman
2016-04-25 0:42 ` Fam Zheng
2016-04-26 15:42 ` Jason Dillaman
2016-04-27 0:20 ` Fam Zheng
2016-04-27 18:18 ` Jason Dillaman
2016-04-28 1:33 ` Fam Zheng
2016-04-15 3:27 ` [Qemu-devel] [PATCH for-2.7 v2 08/17] qemu-io: Add "-L" option for BDRV_O_NO_LOCK Fam Zheng
2016-04-16 13:46 ` Denis V. Lunev
2016-04-19 12:59 ` Fam Zheng
2016-04-15 3:27 ` [Qemu-devel] [PATCH for-2.7 v2 09/17] qemu-img: Add "-L" option to sub commands Fam Zheng
2016-04-16 14:29 ` Denis V. Lunev
2016-04-16 14:30 ` Denis V. Lunev
2016-04-19 12:59 ` Fam Zheng
2016-04-15 3:28 ` [Qemu-devel] [PATCH for-2.7 v2 10/17] qemu-img: Update documentation of "-L" option Fam Zheng
2016-04-15 3:28 ` [Qemu-devel] [PATCH for-2.7 v2 11/17] qemu-nbd: Add "--no-lock/-L" option Fam Zheng
2016-04-16 14:32 ` Denis V. Lunev
2016-04-19 12:58 ` Fam Zheng
2016-04-15 3:28 ` [Qemu-devel] [PATCH for-2.7 v2 12/17] qemu-iotests: 140: Disable image lock for qemu-io access Fam Zheng
2016-04-15 3:28 ` [Qemu-devel] [PATCH for-2.7 v2 13/17] qemu-iotests: 046: Move version detection out from verify_io Fam Zheng
2016-04-15 3:28 ` [Qemu-devel] [PATCH for-2.7 v2 14/17] qemu-iotests: Wait for QEMU processes before checking image in 091 Fam Zheng
2016-04-15 3:28 ` [Qemu-devel] [PATCH for-2.7 v2 15/17] qemu-iotests: Disable image lock when checking test image Fam Zheng
2016-04-15 3:28 ` [Qemu-devel] [PATCH for-2.7 v2 16/17] block: Turn on image locking by default Fam Zheng
2016-04-15 3:28 ` [Qemu-devel] [PATCH for-2.7 v2 17/17] qemu-iotests: Add test case 152 for image locking Fam Zheng
2016-04-16 14:33 ` [Qemu-devel] [PATCH for-2.7 v2 00/17] block: Lock images when opening Denis V. Lunev
2016-04-18 9:53 ` Daniel P. Berrange [this message]
2016-04-19 12:40 ` Fam Zheng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160418095344.GD19600@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=den@openvz.org \
--cc=eblake@redhat.com \
--cc=famz@redhat.com \
--cc=jcody@redhat.com \
--cc=jsnow@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).