On 3/7/19 1:07 PM, Daniel P. Berrangé wrote:
On Thu, Mar 07, 2019 at 12:52:46PM +0100, Erik Skultety wrote:
However, looking at the bigger picture is this a safe thing to do? I mean, imagine the following scenario:
1) say there is capability X that affects certain part of cmd line. And assume that those two possibilities are incompatible. If cmd line is generated one way then migration to a qemu which has cmd line generated the other way fails.
2) in release R we deprecate X and thus do not format it in <capabilities/> in status XML.
3) user starts a domain D.
4) user saves D into a file
5) sysadmin downgrades libvirt to R-1
Do we even support downgrade this way? I know we migrate to older version but isn't that different?
Okay, forget about save+restore. Let's just keep the domain D running and then downgrade libvirt. Now, instead of X affecting cmd line let it affect how we talk to qemu on monitor. Since R assumed X always being there then X wouldn't be recorded in status XML. Later when R-1 daemon is starting and parsing the status XML it won't find X and thus might make wrong decissions. For instance, if X would be some capability that affects the way we generate PCI addresses for guest devices, then this would really harm the user. Worse, let just start the domain with R-1, then upgrade to R to test it, call an API over D (at which point the status XML is regenerated, now without X stored in it), find that it's not working so roll back to R-1 and puff. The capability is gone.
Yeah, downgrades of libvirt are not something we claim is supported. If will often work but we're not guaranteeing it & have broken it in the past, especially for running guests. You might be lucky if you have upgraded & immedaitely downgrade, but if you've made changes to guests while the new libvirt was running all bets are off.
Not even in the case I'm describing above? Michal