> >> True, but that would happen only in case the host crashes. Even for > >> a QEMU crash the changes would be safe, I think. They would be > >> written back when the persistent dirty bitmap's mmap() area is > >> unmapped, during process exit. > > > > I'd err on the side of caution, mark the persistent dirty bitmap while > > QEMU is running. Discard the file if there was a power failure. > > Agreed. Though this is something that management must do manually, isn't it? > QEMU cannot distinguish a SIGKILL from a power failure, while management > can afford treating SIGKILL as a power failure. > > > It really depends what the dirty bitmap users are doing. It could be > > okay to have a tiny chance of missing a modification but it might not.
I just want to mention that there is another way to do incremental backups. Instead of using a dirty bitmap, you can compare the content, usually using a digest (SHA1) on clusters. That way you can also implement async replication to a remote site (like MS do).