On 09.04.2020 at 17:56, Eric Blake wrote:
> On 4/9/20 10:46 AM, Eric Blake wrote:
>
> > > > We don't support concurrent modification. But if the guest is running
> > > > and unmaps things, then shuts off, then we edit the raw file offline,
> > > > then we restart the guest, the guest should see the results of those
> > > > offline edits.
> > >
> > > Should it? The specification doesn’t say anything about that.
> > >
> > > In fact, I think we have always said we explicitly discourage that
> > > because this might lead to outdated metadata; even though we usually
> > > meant “dirty bitmaps” by that.
> >
> > Hmm. Kevin, I'd really like your opinion here. The point of the
> > raw-external-data flag is to state that "qemu MUST ensure that whatever
> > is done to this image while the guest is running is reflected through to
> > the raw file, so that after the guest stops, the raw file alone is still
> > viable to see what the guest saw". But as you say, there's a difference
> > between "the raw file will read what the guest saw" and "we can now edit
> > the raw file without regards to the qcow2 wrapper but later reuse of the
> > qcow2 wrapper won't be corrupted by those edits".
>
> Another random thought: Should we add a header extension that records the
> timestamps of an external data file? That way, if the timestamps of the
> file have changed from what we recorded in our optional header, then we can
> flag to the user that our metadata may be stale because of what appears to
> be external edits. But that's not always going to save us - timestamps on a
> block device don't behave the same as timestamps on a POSIX file, and just
> because timestamps change (such as when copying a file from one place to
> another) does not imply that contents have changed. My personal take -
> unless adding such a header can definitely add safety, it may not be worth
> the cost of complicating the standard - this was more just documenting an
> idea I had even if we don't choose to pursue it.

In the context of verifying backing file links, Jeff Cody once brought up an idea where we would have something like a generation counter in the header that would be increased every time you open the image read-write. Then you could store that counter value in the backing file and external data file links and detect if someone else wrote to the child image and invalidated it. Though obviously raw images still won't have a counter, and if they had one, nobody would increase it when writing to it externally, so it doesn't actually work for real-world external data files...

I wouldn't rely on file timestamps, you already mentioned some good reasons.

Kevin
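
The generation-counter idea discussed above, modelled as an added example that is not part of this mail or of QEMU's code. The 16-byte header (`TOYIMG` magic plus counter) and all function names are constructed assumptions, not the qcow2 format; the model shows the check catching a cooperating writer and missing a write that bypasses the header.

```python
import os
import struct
import tempfile

# Constructed toy header (NOT qcow2): 8-byte magic + 64-bit generation counter.
HDR = struct.Struct("<8sQ")
MAGIC = b"TOYIMG\0\0"

def create(path, payload):
    with open(path, "wb") as f:
        f.write(HDR.pack(MAGIC, 0) + payload)

def generation(path):
    with open(path, "rb") as f:
        magic, gen = HDR.unpack(f.read(HDR.size))
    if magic != MAGIC:
        raise ValueError("not a toy image: no generation counter")
    return gen

def cooperating_write(path, payload):
    """Format-aware writer: bumps the counter on every read-write open."""
    gen = generation(path) + 1
    with open(path, "r+b") as f:
        f.write(HDR.pack(MAGIC, gen) + payload)

def external_write(path, payload):
    """Writer that knows nothing about the header: touches the data area only."""
    with open(path, "r+b") as f:
        f.seek(HDR.size)
        f.write(payload)

def link_is_stale(child, recorded):
    """Parent-side check against the counter value stored in its link."""
    return generation(child) != recorded

def demo():
    with tempfile.TemporaryDirectory() as d:
        child = os.path.join(d, "child.img")
        create(child, b"AAAA")
        recorded = generation(child)          # value the parent would store
        cooperating_write(child, b"BBBB")
        caught = link_is_stale(child, recorded)
        recorded = generation(child)          # parent re-links after the write
        external_write(child, b"CCCC")
        missed = not link_is_stale(child, recorded)
        return caught, missed

if __name__ == "__main__":
    print(demo())
```
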