[libvirt] [PATCH v2] qemu: snapshot: Forbid internal snapshots with pflash firmware

Peter Krempa pkrempa at redhat.com
Thu Mar 23 14:07:22 UTC 2017


On Thu, Mar 23, 2017 at 11:03:02 +0100, Laszlo Ersek wrote:
> On 03/23/17 10:54, Peter Krempa wrote:
> > On Thu, Mar 23, 2017 at 10:48:01 +0100, Laszlo Ersek wrote:
> >> On 03/23/17 10:29, Peter Krempa wrote:
> >>> If the variable store (<nvram>) file is raw qemu can't do a snapshot of
> >>> it and thus the snapshot would be incomplete. QEMU does not reject such
> >>> snapshot.
> >>>
> >>> Additionally allowing to use a qcow2 variable store backing file would
> >>> solve this issue but then it would become eligible to become target of
> >>> the memory dump.
> >>>
> >>> Offline internal snapshot would be incomplete too with either storage
> >>> format since libvirt does not handle the pflash file in this case.
> >>>
> >>> Forbid such snapshot so that we can avoid problems.

[...]

> > @@ -13873,8 +13873,14 @@ qemuDomainSnapshotPrepare(virConnectPtr conn,
> >          goto cleanup;
> >      }
> > 
> > -    /* Internal snapshots don't work with VMs with OVMF loader since qemu does
> > -     * not snapshot the variable store */
> > +    /* internal snapshots + pflash based loader have the following problems:
> > +     * - if the variable store is raw, the snapshot is incomplete
> > +     * - alowing a qcow2 image as the varstore would make it eligible to receive
> > +     *   the vmstate dump, which would make it huge
> > +     * - offline snapshot would not snapshot the varstore at all
> > +     *
> > +     * Avoid the issues by forbidding this completely.
> > +     */
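Review bot: the second bullet of the new comment misspells "allowing" as "alowing" ("- alowing a qcow2 image as the varstore ..."); please fix the spelling before this is pushed. The old comment spoke of the "OVMF loader" while the new one says "pflash based loader", and only the comment is visible in this hunk, so make sure the wording matches the condition that the check following the comment actually tests. The closing line "Avoid the issues by forbidding this completely" would also read better if it said that both online and offline internal snapshots are rejected, since the bullets above distinguish the two cases.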

I thought about this a bit more and I think that while there are the
above problems we still can have users of snapshots + OVMF which use it
successfully. Forbidding it would create a regression for them since they
did not observe anything bad despite the problems mentioned above:

The reasons are the following:

1) internal snapshots are the default in virt-manager
2) guests usually don't re-write the varstore very often, usually only
at install
3) OSes usually don't modify anything besides the boot entry
4) snapshot of an online VM carries the varstore in the memory image
5) OSes are pretty good at restoring the boot entry if it fails

Due to the facts above I think that there are users that legitimately
think that snapshots with pflash loaders work as expected. It's mostly
due to the fact that the data are pretty static and OSes don't store
anything important there and are able to self-heal some of the problems.

I think we should not disallow this to avoid usability regressions. We
can add documentation that states that it's unsafe to do snapshots.
Additionally we will need to add support for external snapshots, which
currently have a similar kind of problems, although fixable.

Peter
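
The following is an added example, not part of the original message or of libvirt's code: a pre-flight check that reads a domain XML definition and reports which of the varstore problems named in this thread apply before an internal snapshot is taken. The function name, the risk labels, the sample XML and the `varstore_format` parameter (which the caller would have to supply, for instance from inspecting the file) are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain definitions (not taken from the thread).
UEFI_GUEST = """
<domain type='kvm'>
  <name>uefi-guest</name>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/uefi-guest_VARS.fd</nvram>
  </os>
</domain>
"""
BIOS_GUEST = """
<domain type='kvm'>
  <name>bios-guest</name>
  <os><type arch='x86_64' machine='pc'>hvm</type></os>
</domain>
"""


def internal_snapshot_risks(domain_xml, online, varstore_format="raw"):
    """Return labels (hypothetical names) for the varstore problems that
    the thread describes for an internal snapshot of this domain."""
    root = ET.fromstring(domain_xml)
    loader = root.find("./os/loader")
    nvram = root.find("./os/nvram")
    # Only a pflash loader with a variable store is affected.
    if loader is None or loader.get("type") != "pflash" or nvram is None:
        return []
    if not online:
        # Offline: the pflash file is not handled, whatever its format.
        return ["offline-varstore-not-captured"]
    if varstore_format == "raw":
        # Online, raw file: the file itself cannot be snapshotted; the
        # varstore contents travel only in the memory image.
        return ["raw-varstore-file-not-captured"]
    # Online, qcow2 file: it becomes a candidate for the vmstate dump.
    return ["qcow2-varstore-may-receive-vmstate"]


if __name__ == "__main__":
    for name, xml in (("uefi", UEFI_GUEST), ("bios", BIOS_GUEST)):
        for online in (True, False):
            print(name, "online" if online else "offline",
                  internal_snapshot_risks(xml, online))
```
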