On Wed, Mar 30, 2011 at 09:50:19PM +0800, Daniel Veillard wrote:
On Wed, Mar 30, 2011 at 09:39:14PM +0800, Osier Yang wrote:
> Hi, All
>
> I'm thinking to introduce a new flag (something like --remove-disks,
> --wipe-disks) for "virsh undefine", so that the user can choose
> whether to remove/wipe the disk devices or not, have seen this
> requirement in many places, @libvirt-users, public #virt, and also
> we have a bug of this function. So, IMHO this is a reasonable
> requirement, following is the rough thoughts:
>
> 1) General idea.
> As we don't have a API which can get all the disk devices of a
> domain, perhaps need to write functions to parse domain xml to
> extract the disks' path (this is annoyed, but seems don't other
> way), and then lookup them by storage volume API
> (virStorageVolLookupByPath), and then can remove or wipe
> the volume by (virStorageVolDelete/virStorageVolWipe).
>
> And for the disk path which doesn't belong to any storage pool,
> simply remove it by "unlink()"?
Won't work for connection to remote hosts.
> 2) Which type of devices can not be removed/wiped.
>
> * Can't delete/wipe ISCSI/SCSI vol.
> * Vol doesn't exists (which will throw an warning when do
> virStorageVolLookupByPath).
> * Have no write permission on the parent directory of the
> disk path.
> * Can't delete/wipe the disk device which is passthrough'ed
> from host, (e.g. /dev/sr0 as a CDROM device for guest)
> * The storage pool which the disk device belongs to as a vol
> is marked as "share"
> * The storage pool which the disk device belongs as a vol is
> readonly
> * can't delete disk device of network type.
> * Any others?
>
> For these situations, we need to do checking and throw
> straightforward warnings to tell user why it can't be
> removed/wiped.
I would rather make this a flag of virDomainUndefine(), except
there is no flag argument for it :(
I don't think this is a good idea. Applications should directly call
the storage APIs for this, so that when we adding RBAC support to
our APIs, we get correct access control checks on *each* volume
being deleted / wiped. We won't want the 'undefine' API for a VM
to be side-stepping the volume access controls.
Regards,
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|