Am 07.04.2018 um 00:16 hat Eric Blake geschrieben: > Perhaps others have already known this, but I just realized that if you > mix internal and external snapshots, you can set yourself up for massive > failures when trying to use block-stream or block-commit to consolidate > data across the external backing chain, without also thinking about the > internal snapshots.
Yeah, internal and external snapshots don't mix well. Basically, the only thing that will work reliably is having a qcow2 image with internal snapshots at the top, and then an immutable backing chain without internal snapshots below it. > Here's a quick demonstration: > [...] > > The root cause to all of this is that right now, ALL internal snapshots > share the same backing file information in the file header; but > block-stream operations only modify the active snapshot. The actions of > changing the backing file or of rewriting the clusters in the backing > file don't break the active snapshot, but DO bleed through to the > internal snapshots, for any cluster where the internal snapshot was > relying on the backing file. > > Does this mean we should make it harder to perform external block > operations on a qcow2 file that has internal snapshots (either refuse > outright, or at least require a 'force' flag to let the user acknowledge > the risk)? Similarly, should it be harder to create an internal > snapshot when an image already has an external backing file, and/or > should we improve the qcow2 specification of internal snapshot > descriptors to record a per-snapshot backing file rather than the > current approach that all snapshots share the same backing file? > Whether or not we track a per-snapshot backing file, should the presence > of internal snapshots be used to request op-blockers for read > consistency on backing files? Op blockers can't really protect a node against itself. As far as the backing file node is concerned, nothing bad has happened. It is still fully consistent and it hasn't been written to. It just isn't used any more by its parent node. Possibly we can use a blocker to enforce that the backing file child isn't changed, but that would be something like a BLK_PERM_GRAPH_MOD permission that we failed to define precisely so far. Other than that, if you want to make the merge of the external snapshots fail, maybe the only thing you could do is returning an error in when trying to change the backing file link in qcow2_change_backing_file() while there are internal snapshots. I'm not sure that this will result in a good state, though, and it is only called at the very end of the block job (i.e. all data is already copied), so it's not a nice failure mode. Kevin
Description: PGP signature