On Sun, Aug 22, 2010 at 12:13:16PM -0400, Perry Myers wrote:
> On 08/19/2010 01:23 PM, David Teigland wrote:
> > On Thu, Aug 19, 2010 at 11:12:25AM -0400, David Teigland wrote:
> >> I'm only aware of one goal, and the current plan is to implement it
> >> correctly and completely. That goal is to lock vm images so if the vm
> >> happens to run on two hosts, only one instance can access the image.
> Ok. So for the first implementation of sync_manager it will still be
> possible for someone to corrupt data by configuring two separate vms to
> accidentally use the same storage volumes. That's fine for the first
> pass, just something to keep in mind for later.

Ideally, hosts should be configured from a common central point where a
full view of the configuration is possible. Then it would be trivial to
detect that kind of error by just looking at the configuration.
If you don't have central configuration, then using a distributed system
(like disk leases) to detect image assignment errors could be done, but it
also pushes the problem down to the level of configuring the distributed
system correctly, i.e. host id or lease area assignment errors.
Dave