[libvirt] [PATCHv5 04/23] blockjob: add new API flags
Jiri Denemark
jdenemar at redhat.com
Wed Apr 18 14:18:54 UTC 2012
On Mon, Apr 16, 2012 at 23:05:55 -0600, Eric Blake wrote:
> This patch introduces a new block job, useful for live storage
> migration using pre-copy streaming. Justification for including
> this under virDomainBlockRebase rather than adding a new command
> includes: 1) there are now two possible block jobs in qemu, with
> virDomainBlockRebase starting either type of command, and
> virDomainBlockJobInfo and virDomainBlockJobAbort working to end
> either type; 2) reusing this command allows distros to backport
> this feature to the libvirt 0.9.10 API without a .so bump.
>
> Note that a future patch may add a more powerful interface named
> virDomainBlockJobCopy, dedicated to just the block copy job, in
> order to expose even more options (such as setting an arbitrary
> format type for the destination without having to probe it from a
> pre-existing destination file); adding a new command for targetting
> just block copy would be similar to how we already have
> virDomainBlockPull for targetting just the block pull job.
>
> Using a live VM with the backing chain:
> base <- snap1 <- snap2
> as the starting point, we have:
>
> - virDomainBlockRebase(dom, disk, "/path/to/copy", 0,
> VIR_DOMAIN_BLOCK_REBASE_COPY)
> creates /path/to/copy with the same format as snap2, with no backing
> file, so entire chain is copied and flattened
>
> - virDomainBlockRebase(dom, disk, "/path/to/copy", 0,
> VIR_DOMAIN_BLOCK_REBASE_COPY|VIR_DOMAIN_BLOCK_REBASE_COPY_RAW)
> creates /path/to/copy as a raw file, so entire chain is copied and
> flattened
>
> - virDomainBlockRebase(dom, disk, "/path/to/copy", 0,
> VIR_DOMAIN_BLOCK_REBASE_COPY|VIR_DOMAIN_BLOCK_REBASE_SHALLOW)
> creates /path/to/copy with the same format as snap2, but with snap1 as
> a backing file, so only snap2 is copied.
>
> - virDomainBlockRebase(dom, disk, "/path/to/copy", 0,
> VIR_DOMAIN_BLOCK_REBASE_COPY|VIR_DOMAIN_BLOCK_REBASE_REUSE_EXT)
> reuse existing /path/to/copy (must have empty contents, and format is
> probed[*] from the metadata), and copy the full chain
>
> - virDomainBlockRebase(dom, disk, "/path/to/copy", 0,
> VIR_DOMAIN_BLOCK_REBASE_COPY|VIR_DOMAIN_BLOCK_REBASE_REUSE_EXT|
> VIR_DOMAIN_BLOCK_REBASE_SHALLOW)
> reuse existing /path/to/copy (contents must be identical to snap1,
> and format is probed[*] from the metadata), and copy only the contents
> of snap2
>
> - virDomainBlockRebase(dom, disk, "/path/to/copy", 0,
> VIR_DOMAIN_BLOCK_REBASE_COPY|VIR_DOMAIN_BLOCK_REBASE_REUSE_EXT|
> VIR_DOMAIN_BLOCK_REBASE_SHALLOW|VIR_DOMAIN_BLOCK_REBASE_COPY_RAW)
> reuse existing /path/to/copy (must be raw volume with contents
> identical to snap1), and copy only the contents of snap2
>
> Less useful combinations:
>
> - virDomainBlockRebase(dom, disk, "/path/to/copy", 0,
> VIR_DOMAIN_BLOCK_REBASE_COPY|VIR_DOMAIN_BLOCK_REBASE_SHALLOW|
> VIR_DOMAIN_BLOCK_REBASE_COPY_RAW)
> fail if source is not raw, otherwise create /path/to/copy as raw and
> the single file is copied (no chain involved)
>
> - virDomainBlockRebase(dom, disk, "/path/to/copy", 0,
> VIR_DOMAIN_BLOCK_REBASE_COPY|VIR_DOMAIN_BLOCK_REBASE_REUSE_EXT|
> VIR_DOMAIN_BLOCK_REBASE_COPY_RAW)
> makes little sense: the destination must be raw but have no contents,
> meaning that it is an empty file, so there is nothing to reuse
>
> The other three flags are rejected without VIR_DOMAIN_BLOCK_COPY.
>
> [*] Note that probing an existing file for its format can be a security
> risk _if_ there is a possibility that the existing file is 'raw', in
> which case the guest can manipulate the file to appear like some other
> format. But, by virtue of the VIR_DOMAIN_BLOCK_REBASE_COPY_RAW flag,
> it is possible to avoid probing of raw files, at which point, probing
> of any remaining file type is no longer a security risk.
>
> It would be nice if we could issue an event when pivoting from phase 1
> to phase 2, but qemu hasn't implemented that, and we would have to poll
> in order to synthesize it ourselves. Meanwhile, qemu will give us a
> distinct job info and completion event when we either cancel or pivot
> to end the job. Pivoting is accomplished via the new:
>
> virDomainBlockJobAbort(dom, disk, VIR_DOMAIN_BLOCK_JOB_ABORT_PIVOT)
>
> Management applications can pre-create the copy with a relative
> backing file name, and use the VIR_DOMAIN_BLOCK_REBASE_REUSE_EXT
> flag to have qemu reuse the metadata; if the management application
> also copies the backing files to a new location, this can be used
> to perform live storage migration of an entire backing chain.
>
> * include/libvirt/libvirt.h.in (VIR_DOMAIN_BLOCK_JOB_TYPE_COPY):
> New block job type.
> (virDomainBlockJobAbortFlags, virDomainBlockRebaseFlags): New enums.
> * src/libvirt.c (virDomainBlockRebase): Document the new flags,
> and implement general restrictions on flag combinations.
> (virDomainBlockJobAbort): Document the new flag.
> (virDomainSaveFlags, virDomainSnapshotCreateXML)
> (virDomainRevertToSnapshot, virDomainDetachDeviceFlags): Document
> restrictions.
> * include/libvirt/virterror.h (VIR_ERR_BLOCK_COPY_ACTIVE): New
> error.
> * src/util/virterror.c (virErrorMsg): Define it.
> ---
>
> was 5/18 in v4
> v5: enhance commit message, fix typos in docs
>
> include/libvirt/libvirt.h.in | 24 +++++++++-
> include/libvirt/virterror.h | 1 +
> src/libvirt.c | 100 ++++++++++++++++++++++++++++++++++++++----
> src/util/virterror.c | 6 +++
> 4 files changed, 120 insertions(+), 11 deletions(-)
OK, you addressed my comments and I didn't spot any additional issues here.
However, the question is whether we feel comfortable enough with pushing this
with the risk that qemu implementation is not upstream yet. I think the API is
sane but the history of pushing something that qemu ended up implementing in a
different way worries me a bit.
Jirka
More information about the libvir-list
mailing list