Re: [libvirt] [PATCH v2] qemu: call drive_unplug in DetachPciDiskDevice

Currently libvirt doesn't confirm whether the guest has responded to the disk removal request. In some cases this can leave the guest with continued access to the device while the mgmt layer believes that it has been removed. With a recent qemu monitor command[1] we can deterministically revoke a guests access to the disk (on the QEMU side) to ensure no futher access is permitted. This patch adds support for the drive_unplug() command and introduces it in the disk removal paths. There is some discussion to be had about how to handle the case where the guest is running in a QEMU without this command (and the fact that we currently don't have a way of detecting what monitor commands are available). Changes since v1: - return > 0 when command isn't present, < 0 on command failure - detect when drive_unplug command isn't present and log error instead of failing entire command Signed-off-by: Ryan Harper <ryanh(a)us.ibm.com&gt; +int qemuMonitorJSONDriveUnplug(qemuMonitorPtr mon, + const char *drivestr) +{

+ + if (ret == 0) { + /* See if drive_unplug isn't supported */ + if (qemuMonitorJSONHasError(reply, "CommandNotFound")) { + qemuReportError(VIR_ERR_OPERATION_FAILED, "%s", + _("unplugging disk is not supported. " + "This may leak data if disk is reassigned")); + ret = 1; + goto cleanup; + } + ret = qemuMonitorJSONCheckError(cmd, reply); + }

+/* Attempts to unplug a drive. Returns 1 if unsupported, 0 if ok, and -1 on + * other failure */ +int qemuMonitorTextDriveUnplug(qemuMonitorPtr mon, + const char *drivestr) +{ +

+ if (strstr(reply, "unknown command:")) { + qemuReportError(VIR_ERR_OPERATION_FAILED, "%s", + _("unplugging disk is not supported. " + "This may leak data if disk is reassigned")); + ret = 1; + goto cleanup;