[libvirt] [RFC] Add flag for virsh undefine to remove/wipe the disk devices

Daniel P. Berrange berrange at redhat.com
Thu Mar 31 10:30:03 UTC 2011 

On Wed, Mar 30, 2011 at 09:50:19PM +0800, Daniel Veillard wrote:
> On Wed, Mar 30, 2011 at 09:39:14PM +0800, Osier Yang wrote:
> > Hi, All
> > 
> > I'm thinking to introduce a new flag (something like --remove-disks,
> > --wipe-disks) for "virsh undefine", so that the user can choose
> > whether to remove/wipe the disk devices or not, have seen this
> > requirement in many places, @libvirt-users, public #virt, and also
> > we have a bug of this function. So, IMHO this is a reasonable
> > requirement, following is the rough thoughts:
> > 
> > 1) General idea.
> >    As we don't have a API which can get all the disk devices of a
> >    domain, perhaps need to write functions to parse domain xml to
> >    extract the disks' path (this is annoyed, but seems don't other
> >    way), and then lookup them by storage volume API
> >    (virStorageVolLookupByPath), and then can remove or wipe
> >    the volume by (virStorageVolDelete/virStorageVolWipe).
> > 
> >    And for the disk path which doesn't belong to any storage pool,
> >    simply remove it by "unlink()"?
> 
>   Won't work for connection to remote hosts.
> 
> > 2) Which type of devices can not be removed/wiped.
> > 
> >    * Can't delete/wipe ISCSI/SCSI vol.
> >    * Vol doesn't exists (which will throw an warning when do
> >      virStorageVolLookupByPath).
> >    * Have no write permission on the parent directory of the
> >      disk path.
> >    * Can't delete/wipe the disk device which is passthrough'ed
> >      from host, (e.g. /dev/sr0 as a CDROM device for guest)
> >    * The storage pool which the disk device belongs to as a vol
> >      is marked as "share"
> >    * The storage pool which the disk device belongs as a vol is
> >      readonly
> >    * can't delete disk device of network type.
> >    * Any others?
> > 
> >    For these situations, we need to do checking and throw
> >    straightforward warnings to tell user why it can't be
> >    removed/wiped.
> 
>   I would rather make this a flag of virDomainUndefine(), except
> there is no flag argument for it :(

I don't think this is a good idea. Applications should directly call
the storage APIs for this, so that when we adding RBAC support to
our APIs, we get correct access control checks on *each* volume
being deleted / wiped. We won't want the 'undefine' API for a VM
to be side-stepping the volume access controls.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvir-list mailing list