* Michael S. Tsirkin (m...@redhat.com) wrote: > On Fri, May 31, 2019 at 07:45:13PM +0100, Dr. David Alan Gilbert wrote: > > * Michael S. Tsirkin (m...@redhat.com) wrote: > > > On Fri, May 31, 2019 at 02:01:54PM -0300, Eduardo Habkost wrote: > > > > > Yes. It's just lots of extremely low level interfaces > > > > > and all rather pointless. > > > > > > > > > > And down the road extensions like surprise removal support will make > > > > > it > > > > > all cleaner and more transparent. Floating things up to libvirt means > > > > > all these low level details will require more and more hacks. > > > > > > > > Why do you call it pointless? > > > > > > We'd need APIs to manipulate device visibility to guest, hotplug > > > controller state and separately manipulate the resources allocated. This > > > is low level stuff that users really have no idea what to do about. > > > Exposing such a level of detail to management is imho pointless. > > > We are better off with a high level API, see below. > > > > so I don't know much about vfio; but to me it strikes me that > > you wouldn't need that low level detail if we just reworked vfio > > to look more like all our other devices; something like: > > > > -vfiodev host=02:00.0,id=gpu > > -device vfio-pci,dev=gpu > > > > The 'vfiodev' would own the resources; so to do this trick, the > > management layer would: > > hotunplug the vfio-pci > > migrate > > > > if anything went wrong it would > > hotplug the vfio-pci backin > > > > you wouldn't have free'd up any resources because they belonged > > to the vfiodev. > > > IIUC that doesn't really work with passthrough > unless guests support surprise removal.
Why? The view from the guest here is just like what this series has added without the special hack. Dave > > > > > If we want this to work before > > > > surprise removal is implemented, we need to provide an API that > > > > works for management software. > > > > Don't we want to make this work > > > > without surprise removal too? > > > > > > This patchset adds an optional, off by default support for > > > migrating guests with an assigned network device. > > > If enabled this requires guest to allow migration. > > > > > > Of course this can be viewed as a security problem since it allows guest > > > to block migration. We can't detect a malicious guest reliably imho. > > > What we can do is report to management when guest allows migration. > > > Policy such what to do when this does not happen for a while and > > > what timeout to set would be up to management. > > > > > > The API in question would be a high level one, something > > > along the lines of a single "guest allowed migration" event. > > > > This is all fairly normal problems with hot unplugging - that's > > already dealt with at higher levels for normal hot unplugging. > > > > The question here is to try to avoid duplicating that fairly > > painful process in qemu. > > > > Dave > > > > > > -- > > > MST > > -- > > Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK -- Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
