2:58 p.m.
Hello!
I had a hobby project where I needed to manipulate xen disk images on
remote systems, that used a model similar to libirt's remote support.
Based on what I learnt from it, I came up with a possible model for
libvirt's remote storage support. I present it here for discussion.
We typically store the images in volumes on LVM, or in dedicated file
system folders.
The folders and volume groups usable by libvirt can be limited in a
config file.
It is probably not neccessary to differentiate between defined and
created files, as you can not stop and start a file like a domain, you
either have it on disk, or not.
Libvirt should not store information on these files, everything should
be checked/listed on the fly, so that if you just copy an image to a
directory, libvirt can deduct all information (well, all it can) on it,
and handle it just as if the file was created by it.
The handle for the file is its path, plus its virConnect object (i.e.
the host it is on). For consistency, it may be possible to create an
object for it, but as disk images have no persistent properties apart
from what is on the disk, and it can always be checked from there, it
provides no extra functionality.
I think there is no need to support remote files explicitly, as the
domains mount local files/volumes. The file/volume may actually be
mounted from a NAS or SAN, of course, but it does not matter because we
use the local path names, and AFAIK all virtualization tools use local
files or local devices as blockdevs.
I have added compression to the mix because it is immensely useful.
I have used lzop in my project, and a full backup and restore was much
faster when using a compressed backup file, than with and uncrompessed
one. It conserves disk space, as well as cpu/bus capacity.
Zeroing out newly allocated files, helps with compressed backups, as
well as security. It also means that no holey files can be used.
The objects we are dealing with are disk images.
They have the following properties:
-Path: The unix path of the file ( /mnt/images/fc7.img or /dev/VG/fc7)
-Compression: Mountable/compressed
-Type: Plain file/LVM volume/ What else?
-Size
-Filesystem: swap/ext3/xfs/....
-Is it mounted?
We can do the following operations on the images:
Create
-connection
-filepath
-size
Allocates a new image of the given type, size, and name.
Libvirt should parse the filepath, and determine the base path, check if
it's a directory or a VG, check if libvirt is allowed to operate on the
path/VG, then create the file/volume.
For security reasons zeroing out the allocated space should be a
non-optional step of the allocation.
DirectoryList
-connection
-directorypath
Plain ls functionality, that returns the list of files, and any
subdirectories. If called on a VG, it returns the volumes in it.
Info
-connection
-filepath
Returns information on the given file/volume, including size, type,
filesystem (if
available), whether it is a snapshot (if a volume), and whether it is
mounted or not.
size can be determined by ls or lvinfo, filesystem by 'file' command.
Delete
-connection
-filepath
Delete the file/volume. Find out if it's a file or volume, and rm or
lvremove it.
Grow
-connection
-path
-filename
-newsize
Grows the specified image to the given size. The newly added space is zeroed
out.
Shrink?
-connection
-path
-filename
-newsize
Shrinks the specified image the the given size. It's very tricky,
because to avoid data loss, we need to analyze the file system size. Of
course, we can just say that it's the reponsibility of the user, after
all, we allow him to outright delete the file as well.
We may combine it with Grow, and call it Resize.
Growfs
-connection
-path
-filename
-newsize?
Grows the filesystem on the image to fill the size of the image, or the
given newsize.
Can only be used on umounted images.
It is neccesary because some filesystems may not be grown while mounted,
so the guest can not do it on its own.
Shrinkfs
-connection
-path
-filname
-newsize
Shrinks the filesystem to the given size. Same coniderations apply as
with growfs, may be combined to Resizefs?
Snapshot
-connection
-filepath
-filesize
Creates a snapshot of the given image. It is only possible with images
on LVM. Should return the snapshot image name. The snapshot can later be
deleted with Delete.
CopyTo
-connection
-source filepath
-target connection
-target filepath
-snapshot flag
-archive flag
-overwrite flag
Copy the source image to the target image.
If connection is on another machine, then it's a network copy.
If the snapshot flag is true, then first create a snapshot of the source
image, copy that, then delete the snapshot.
If the archive flag is active, then the target file will be archive file
(compressed).
If the overwite flag is active, then the target file is overwitten, if
it exists. Otherwise existing files are not changed.
Even if the source file is compressed, the target file is uncompressed,
unless the archive flag is set.
CopyContents
-connection
-source filepath
-target connection
-target filepath
-snapshot flag
Copies the contents of the source file to the target file. The target
file must already exist, and be no smaller than the source file. The
contents of the target file are overwitten, and any extra space is
zeroed out.
Archive
-connection
-filepath
compresses the given file. Makes sense only on files, not volumes.
Unarchive
-connection
-filepath
uncompresses the given file. Makes sense only on archved(compressed) files.
StorageInfo
- connection
Returns information on the node's storage configuration. What kind of
filesystems it can handle, What are the accessible file / VG paths,
what's the free space on them, etc.
A typical usage scenario could be something like this:
Aconn=getVirconn("ssh:Ahost"); //Open the connection to host A
Bconn=getVirconn("ssh:Bhost"); //Host B will hold our backup image
Ainfo=StorageInfo(Aconn); //Get Ainfo
AVGPath = <get the first usable VG path from VG info>
Newimage = Create(Aconn, concat("AVGPath", "newimage", 100000);
//A
100Mb volume is created and zeroed out.
CopyContents(Aconn, NewImage, Aconn, "/images/ghost/FC7default.img",
no); //Copy our pre-created FC7 image to the new image
Growfs(Aconn, NewImage, 0); //Grow the copied filesystem to fill the
whole volume.
<Here we define a new domain, and use NewImage as the name of the
backing image for the guest's block device>
<Start the new domain>
Copy(Aconn, NewImage, Bconn, "/mnt/backups/backup23image", snapshot=yes,
archive=yes, overwrite=no);
//Make an LVM snapshot of NewImage, and copy it to Host B on the given
filename, compressing it on the fly, then remove the snapshot
<Stop the domain>
CopyContents(Bconn, "/mnt/backups/backup23image", Aconn, NewImage,
snapshot=no); //Restore the backed-up image to NewImage, decompress it
on the fly.
<Start the domain>
<Stop the domain>
Grow(Aconn, NewImage, 200000); //Grow the volume to 200MBs
Growfs(Aconn, NewImage); //Grow the fs on the volume to fill the volume
<Start the domain>
.....
Best regards
István
7:53 a.m.
Tóth István wrote:
Hello!
I had a hobby project where I needed to manipulate xen disk images on
remote systems, that used a model similar to libirt's remote support.
Based on what I learnt from it, I came up with a possible model for
libvirt's remote storage support. I present it here for discussion.
We typically store the images in volumes on LVM, or in dedicated file
system folders.
The folders and volume groups usable by libvirt can be limited in a
config file.
It is probably not neccessary to differentiate between defined and
created files, as you can not stop and start a file like a domain, you
either have it on disk, or not.
Agreed.
Libvirt should not store information on these files, everything
should
be checked/listed on the fly, so that if you just copy an image to a
directory, libvirt can deduct all information (well, all it can) on it,
and handle it just as if the file was created by it.
Agreed.
The handle for the file is its path, plus its virConnect object
(i.e.
the host it is on). For consistency, it may be possible to create an
object for it, but as disk images have no persistent properties apart
from what is on the disk, and it can always be checked from there, it
provides no extra functionality.
Probably the 'handle' is its filename or device name + the virDomain object.
For example, here are the domains and their images running on my Xen
host at the moment. I got this by writing a simple script which parses
the domain XML:
fc6_0:
/var/lib/xen/images/fc6_0.img -> xvda
/var/lib/xen/images/home.disk -> xvdb
fc6_1:
/var/lib/xen/images/fc6_1.img -> xvda
debian32fv:
/var/lib/xen/images/debian32fv.img -> hda
f764pv:
/dev/Images/f764pv -> xvda
freebsd32fv:
/var/lib/xen/images/freebsd32fv.img -> hda
[CD] -> hdc
gentoo32fv:
/var/lib/xen/images/gentoo32fv.img -> hda
I think there is no need to support remote files explicitly, as the
domains mount local files/volumes. The file/volume may actually be
mounted from a NAS or SAN, of course, but it does not matter because we
use the local path names, and AFAIK all virtualization tools use local
files or local devices as blockdevs.
I have added compression to the mix because it is immensely useful.
I have used lzop in my project, and a full backup and restore was much
faster when using a compressed backup file, than with and uncrompessed
one. It conserves disk space, as well as cpu/bus capacity.
Zeroing out newly allocated files, helps with compressed backups, as
well as security. It also means that no holey files can be used.
The objects we are dealing with are disk images.
They have the following properties:
-Path: The unix path of the file ( /mnt/images/fc7.img or /dev/VG/fc7)
-Compression: Mountable/compressed
-Type: Plain file/LVM volume/ What else?
-Size
-Filesystem: swap/ext3/xfs/....
-Is it mounted?
This is where it gets very complicated. Files or partitions may
represent simple filesystems, or partitioned block devices, or LVM PVs,
or filesystems or partitions in formats that we have no chance of
understanding (eg. NTFS), or snapshots, or dm_crypt, or compressed and
so on and so on.
To do this in any feasible way, I'm sure we'll need a library, the
obvious one being gparted (http://www.gnu.org/software/parted/).
However parted has a lot of problems, and most specifically it doesn't
support LVM.
I am aware of a project to make LVM accessible as a library and to
include LVM library support in gparted/libparted, but I'm not sure how
it is progressing.
We can do the following operations on the images:
[...
operations ...]
I'd prefer to stick to the minimum set of operations needed now and add
to them later. But yes, the mix of operations looks OK.
Much of this work is needed by virt-p2v and virt-df
(http://et.redhat.com/~rjones/virt-p2v/ and virt-df to be released soon).
Rich.
--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in
England and Wales under Company Registration No. 03798903
3:15 p.m.
OOps, my spam filter ate your reply, sorry for the delay.
Richard W.M. Jones wrote:
Tóth István wrote:
> Hello!
>
> I had a hobby project where I needed to manipulate xen disk images on
> remote systems, that used a model similar to libirt's remote support.
> Based on what I learnt from it, I came up with a possible model for
> libvirt's remote storage support. I present it here for discussion.
>
> We typically store the images in volumes on LVM, or in dedicated file
> system folders.
> The folders and volume groups usable by libvirt can be limited in a
> config file.
>
> It is probably not neccessary to differentiate between defined and
> created files, as you can not stop and start a file like a domain, you
> either have it on disk, or not.
Agreed.
> Libvirt should not store information on these files, everything should
> be checked/listed on the fly, so that if you just copy an image to a
> directory, libvirt can deduct all information (well, all it can) on it,
> and handle it just as if the file was created by it.
Agreed.
> The handle for the file is its path, plus its virConnect object (i.e.
> the host it is on). For consistency, it may be possible to create an
> object for it, but as disk images have no persistent properties apart
> from what is on the disk, and it can always be checked from there, it
> provides no extra functionality.
Probably the 'handle' is its filename or device name + the virDomain
object.
For example, here are the domains and their images running on my Xen
host at the moment. I got this by writing a simple script which
parses the domain XML:
fc6_0:
/var/lib/xen/images/fc6_0.img -> xvda
/var/lib/xen/images/home.disk -> xvdb
fc6_1:
/var/lib/xen/images/fc6_1.img -> xvda
debian32fv:
/var/lib/xen/images/debian32fv.img -> hda
f764pv:
/dev/Images/f764pv -> xvda
freebsd32fv:
/var/lib/xen/images/freebsd32fv.img -> hda
[CD] -> hdc
gentoo32fv:
/var/lib/xen/images/gentoo32fv.img -> hda
Well, this is a good handle
for the images that belong too an active domain.
But I can see other images laying around, backup images, snapshots,
virgin installed images for provisioning of new VMs, and you need to
refer to those as well.
Hence, I still think that it would be better to use host+path. For
example, you need to be able to say in effect: copy
"/var/lib/xen/images/fc6_0.img" to "/backups/fc6_xvda_1", and you have
to refer to target image somehow.
You could just use the local path in this case, but I think that being
able work with images on other libvirt hosts would be a bonus.
> I think there is no need to support remote files explicitly, as the
> domains mount local files/volumes. The file/volume may actually be
> mounted from a NAS or SAN, of course, but it does not matter because we
> use the local path names, and AFAIK all virtualization tools use local
> files or local devices as blockdevs.
>
> I have added compression to the mix because it is immensely useful.
> I have used lzop in my project, and a full backup and restore was much
> faster when using a compressed backup file, than with and uncrompessed
> one. It conserves disk space, as well as cpu/bus capacity.
>
> Zeroing out newly allocated files, helps with compressed backups, as
> well as security. It also means that no holey files can be used.
>
> The objects we are dealing with are disk images.
> They have the following properties:
> -Path: The unix path of the file ( /mnt/images/fc7.img or
> /dev/VG/fc7)
> -Compression: Mountable/compressed
> -Type: Plain file/LVM volume/ What else?
> -Size
> -Filesystem: swap/ext3/xfs/....
> -Is it mounted?
This is where it gets very complicated. Files or partitions may
represent simple filesystems, or partitioned block devices, or LVM
PVs, or filesystems or partitions in formats that we have no chance of
understanding (eg. NTFS), or snapshots, or dm_crypt, or compressed and
so on and so on.
To do this in any feasible way, I'm sure we'll need a library, the
obvious one being gparted (http://www.gnu.org/software/parted/).
However parted has a lot of problems, and most specifically it doesn't
support LVM.
I am aware of a project to make LVM accessible as a library and to
include LVM library support in gparted/libparted, but I'm not sure how
it is progressing.
Indeed, back when I created this specifications the supported mode for
Xen was to feed it partitions instead of whole disk images, and the
partitioning problem was not apparent.
I checked the LVM library project about a moth ago, but it does not seem
to be in a generally usable shape yet. The supported way is just to
write, call and parse the command lines.
In fact, the more I thought about it, and the more scenarios popped into
my mind (plus the ones you describe above), the more I think that at
least an initial implementation should not try to see into the
partition, exactly because of the problems you mention above.
Even if partition/filesystem handling is included in libvirt, it should
probably be somewhat orthogonal to the rest of the image handling functions.
i.e. the operations I detailed below (except for the growfs-related
ones) for creating, moving, backing up, etc. of raw images, and a
different set of operations that partitions, adds/removes paritions,
creates file systems, growfs-es, etc.
This limits the complexity to just supporting simple files, block
devices, and LVMs ( or the equivalent functionality on other platforms),
and the parted-like functionality can be added on top of it.
> We can do the following operations on the images:
[... operations ...]
I'd prefer to stick to the minimum set of operations needed now and
add to them later. But yes, the mix of operations looks OK.
Much of this work is needed by virt-p2v and virt-df
(http://et.redhat.com/~rjones/virt-p2v/ and virt-df to be released soon).
virt-p2v
looks immensely useful.
Rich.
7:31 a.m.
Tóth István wrote:
Richard W.M. Jones wrote:
> For example, here are the domains and their images running on my Xen
> host at the moment. I got this by writing a simple script which
> parses the domain XML:
>
> fc6_0:
> /var/lib/xen/images/fc6_0.img -> xvda
> /var/lib/xen/images/home.disk -> xvdb
> fc6_1:
> /var/lib/xen/images/fc6_1.img -> xvda
> debian32fv:
> /var/lib/xen/images/debian32fv.img -> hda
> f764pv:
> /dev/Images/f764pv -> xvda
> freebsd32fv:
> /var/lib/xen/images/freebsd32fv.img -> hda
> [CD] -> hdc
> gentoo32fv:
> /var/lib/xen/images/gentoo32fv.img -> hda
Well, this is a good handle for the images that belong too an active
domain.
But I can see other images laying around, backup images, snapshots,
virgin installed images for provisioning of new VMs, and you need to
refer to those as well.
Hence, I still think that it would be better to use host+path. For
example, you need to be able to say in effect: copy
"/var/lib/xen/images/fc6_0.img" to "/backups/fc6_xvda_1", and you
have
to refer to target image somehow.
You could just use the local path in this case, but I think that being
able work with images on other libvirt hosts would be a bonus.
There's an open-ended access control problem here. libvirtd runs as
root and host+path gives a way to read and write any file on the system.
Better might be to allow the system administrator to configure
directories where backup images, snapshots and so on may be located
(through /etc/libvirtd.conf), and have libvirtd check this, and also
have an additional level of enforcement through SELinux (as is done with
Xen images now).
For my rather limited needs with virt-df I was going to propose an API
like this:
virDomainPeekDevice (virDomainPtr domain,
const char *path,
off_t offset, off_t size,
char *result_buffer);
The security check would be something along these lines:
* path must be a source device (as returned in the domain XML)
* path must belong to the domain
* offset, size must be entirely within the path device/file
This check could be extended to allow path to be in the configured
backup / snapshot directories.
(This is not really thought through at the moment, however comments
welcome).
With that call we then need to look at "virtualising" libparted so that
instead of making direct read(2), lseek(2) etc. system calls, these may
be redirected through a VFS layer which would call virDomainPeekDevice.
(I'm sure I posted something about this to the list, but that was two
weeks ago, I've been on holiday, I'm jetlagged, and now I can't find it...)
[...]
In fact, the more I thought about it, and the more scenarios popped
into
my mind (plus the ones you describe above), the more I think that at
least an initial implementation should not try to see into the
partition, exactly because of the problems you mention above.
Even if partition/filesystem handling is included in libvirt, it should
probably be somewhat orthogonal to the rest of the image handling
functions.
i.e. the operations I detailed below (except for the growfs-related
ones) for creating, moving, backing up, etc. of raw images, and a
different set of operations that partitions, adds/removes paritions,
creates file systems, growfs-es, etc.
This limits the complexity to just supporting simple files, block
devices, and LVMs ( or the equivalent functionality on other platforms),
and the parted-like functionality can be added on top of it.
My thinking about this moved along a bit: What if we explicitly _don't_
think about supporting LVM operations and so on within libvirt. Making
a general-purpose solution is a big, intractable problem.
Instead we could allow the system administrator to create some
operations (again, through /etc/libvirtd.conf [1]):
----- /etc/libvirtd.conf -------------------
allocate partition: "lvcreate -L %size -n %name XenVolGroup"
list partitions: "lvs"
--------------------------------------------
On the libvirt side those turn into standard calls like:
virConnectListPartitions (...)
If the commands don't exist in libvirtd.conf then those calls fail with
a suitable error message.
We can set up suggested commands in the default configuration for Linux
+ LVM, Linux + partitions, Solaris, etc. but it defers the policy to
system administrators.
Rich.
[1] libvirtd.conf is only available in the remote case, so perhaps we
need also a libvirt.conf for the local case.
--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in
England and Wales under Company Registration No. 03798903
11:02 a.m.
On Mon, Oct 15, 2007 at 01:31:47PM +0100, Richard W.M. Jones wrote:
There's an open-ended access control problem here. libvirtd runs
as
root and host+path gives a way to read and write any file on the system.
Better might be to allow the system administrator to configure
directories where backup images, snapshots and so on may be located
(through /etc/libvirtd.conf), and have libvirtd check this, and also
have an additional level of enforcement through SELinux (as is done with
Xen images now).
Yep, that is a good idea. Indeed some deployments pretty much require
that. When running with SELinux enforcing, only /var/lib/xen/images is
a valid location for example. Being able to create/manage files on any
part of the filesystem is rather overkill for our needs. Admin defined
directory locations should be more than sufficient.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
6246
days inactive
6278
days old
4 comments
3 participants
participants (3)
-
Daniel P. Berrange -
Richard W.M. Jones -
Tóth István