31.05.2011 10:59, Harald Staub wrote:
> When patching KVM hosts, our preferred way is to live migrate the VMs to
> another host temporarily.
> 
> I see that the fix for squeeze needed some backporting work. In
> particular, it introduces a no_hotplug property.

That property is internal to the device model, it is
not exposed into the migration data stream.

> I wonder if there are precautions to consider in this case. Live
> migration looks fine both ways: start a VM on unpatched host and migrate
> to patched host, and also the other way round. (Tried with just one VM.)
> 
> Is there still a security hole through a migrated (from unpatched to
> patched host) VM? Is it necessary to stop and start the VMs?

On the receiving side of migration, all devices get created
and initialized first, including all their internal properties
like this one, and the migration receive starts.  So on the new
host, the problem devices will behave correctly.

I don't - unfortunately - have definitive knowledge in this
area, what I understand is that it _should_ work fine.

Note that migration somehow works even between 0.12 and 0.14
versions (but in that case it's definitely better to restart
the VMs because it often fails or is unreliable).

But you raised a very good question indeed, I'll dig into some
details.  Something which I didn't think of when doing all the
backporting.

Thanks!

/mjt


