From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1NKrHU-0002NX-SV for qemu-devel@nongnu.org; Wed, 16 Dec 2009 05:38:56 -0500 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1NKrHP-0002If-H6 for qemu-devel@nongnu.org; Wed, 16 Dec 2009 05:38:55 -0500 Received: from [199.232.76.173] (port=42987 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1NKrHP-0002IN-75 for qemu-devel@nongnu.org; Wed, 16 Dec 2009 05:38:51 -0500 Received: from mx1.redhat.com ([209.132.183.28]:53164) by monty-python.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1NKrHO-0007tE-PD for qemu-devel@nongnu.org; Wed, 16 Dec 2009 05:38:51 -0500 Message-ID: <4B28B876.6000905@redhat.com> Date: Wed, 16 Dec 2009 11:37:42 +0100 From: Kevin Wolf MIME-Version: 1.0 Subject: Re: [Qemu-devel] [PATCH VERSION 3] Disk image exclusive and shared locks. References: <20091215164238.GA24410@amd.home.annexia.org> <20091215183345.GA21298@shareable.org> In-Reply-To: <20091215183345.GA21298@shareable.org> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Jamie Lokier Cc: "Richard W.M. Jones" , qemu-devel@nongnu.org Am 15.12.2009 19:33, schrieb Jamie Lokier: > Shared backing disks aren't safe after "commit" anyway. Other VMs may > not be running at the time "commit" renders their image corrupt, so > locks don't offer adequate protection against the backing disk being changed. > > One strategy that would offer a bit more protection would be: backing > disks opened read-only, re-opened as writable at the time of "commit", > and (where the format supports it) have a generation number stored in > them which is incremented prior to the first write after writable > open. The generation number would be stored in the referring delta > image, which would complain if it found the backing file did not have > a matching generation. This would at least alert the user to > inconsistencies, and the exclusive lock arising from re-opening as > writable would block "commit" if there were actively running VMs. > > A different strategy would be to simply have a user-settable flag in > backing VM images meaning "shared therefore commit not allowed". Probably both suggestions are doable in qcow2 with an extended header. However, raw backing file are not uncommon and you'll have a hard time adding something there. Also I'm not sure if they are really helpful. Who would really set the user-settable flag after all? The generation number works automatically, but it only can recognize the damage afterwards when the image is already corrupted. > You might think the user could do that by setting the permissions to > read-only, but root ignores file permissions. (That's why we need a > "ro" option too). We do have readonly=on|off. Kevin