On 1/24/19 4:15 AM, Kevin Wolf wrote:

>> But how to fix Qemu not to crash? May be, forbid some transitions
>> (FINISH_MIGRATE -> RUNNING),
>> or at least error-out qmp_cont if runstate is FINISH_MIGRATE?
>
> I wonder whether the QAPI schema should have a field 'run-states' for
> commands, and by default we would only include states where the VM has
> ownership of its resources (e.g. images are activated) and which are not
> temporary states that are automatically left, like finish-migrate.

We already have 'allow-oob' and 'allow-preconfig' flags on a per-command
basis; you're basically proposing that we extend this mechanism for
marking other attributes of commands,...

>
> Then the default for commands is to be rejected in "unusual" runstates
> where we're not expecting user intervention, and we must explicitly
> allow them if they are okay, in fact.
>
> Instead of listing every obscure runstate, maybe we should really use
> categories of runstates instead:
>
> 1. Running
> 2. Paused, owns all resources (like disk images)
> 3. Paused, doesn't own some resources (source VM after migration
>    completes, destination before migration completes)
> 4. Paused temporarily for internal reasons (e.g. finish-migrate,
>    restore-vm, save-vm)
>
> Most commands should be okay with 1 and 2, but possibly not 3, and
> almost never 4.

...then enforcing that commands are only executed according to the
attributes they have (where the default attributes match categories 1
and 2, and commands have to opt-in if they are safe to run in category 3
or 4 just like they have to opt-in for preconfig or oob usage).

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org
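An added example, not part of the original message and not QEMU code: a minimal C model of the gating discussed above, where a command is rejected unless its attribute mask includes the category of the current runstate. All identifiers, the runstate-to-category mapping and the per-command attributes are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the proposal; none of these names are QEMU's. */
enum {
    CAT_RUNNING      = 1 << 0, /* 1. Running */
    CAT_PAUSED_OWNS  = 1 << 1, /* 2. Paused, owns all resources */
    CAT_PAUSED_NORES = 1 << 2, /* 3. Paused, doesn't own some resources */
    CAT_PAUSED_TEMP  = 1 << 3, /* 4. Paused temporarily for internal reasons */
    CAT_DEFAULT      = CAT_RUNNING | CAT_PAUSED_OWNS,
    CAT_ALL          = 0xf,
};

struct state_cat { const char *runstate; unsigned cat; };
struct cmd_attr  { const char *name; unsigned allowed; };

/* Runstate-to-category mapping: an assumption based on the list above. */
static const struct state_cat state_cats[] = {
    { "running",        CAT_RUNNING },
    { "paused",         CAT_PAUSED_OWNS },
    { "postmigrate",    CAT_PAUSED_NORES },
    { "inmigrate",      CAT_PAUSED_NORES },
    { "finish-migrate", CAT_PAUSED_TEMP },
    { "restore-vm",     CAT_PAUSED_TEMP },
    { "save-vm",        CAT_PAUSED_TEMP },
};

/* Constructed sample: 'cont' keeps the default, 'query-status' opts in. */
static const struct cmd_attr cmd_attrs[] = {
    { "cont",         CAT_DEFAULT },
    { "query-status", CAT_ALL },
};

/* Fail closed: an unknown runstate or an unknown command is rejected. */
bool command_allowed(const char *cmd, const char *runstate)
{
    unsigned cat = 0, allowed = 0;
    size_t i;

    for (i = 0; i < sizeof(state_cats) / sizeof(state_cats[0]); i++)
        if (strcmp(state_cats[i].runstate, runstate) == 0)
            cat = state_cats[i].cat;
    for (i = 0; i < sizeof(cmd_attrs) / sizeof(cmd_attrs[0]); i++)
        if (strcmp(cmd_attrs[i].name, cmd) == 0)
            allowed = cmd_attrs[i].allowed;
    return cat != 0 && (allowed & cat) != 0;
}
```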