Re: [Qemu-devel] [PATCH v7 0/3] 9p: Fix file ID collisions

From: Greg Kurz <groug@kaod.org>
To: Christian Schoenebeck <qemu_oss@crudebyte.com>
Cc: "Stefan Hajnoczi" <stefanha@gmail.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	qemu-devel@nongnu.org,
	"Antonios Motakis" <antonios.motakis@huawei.com>,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v7 0/3] 9p: Fix file ID collisions
Date: Tue, 8 Oct 2019 11:14:59 +0200	[thread overview]
Message-ID: <20191008111459.048e659f@bahia.lan> (raw)
In-Reply-To: <1590425.yRI6RxI3rl@silver>

On Tue, 24 Sep 2019 11:31:06 +0200
Christian Schoenebeck <qemu_oss@crudebyte.com> wrote:

> On Montag, 23. September 2019 18:50:12 CEST Greg Kurz wrote:
> > > > > If yes, and since that would mean I was the only person ever having
> > > > > tested
> > > > > the actual fix, shouldn't --multidevs=remap|forbid better be marked as
> > > > > experimental (docs and runtime warning) for now? Maybe that would also
> > > > > anticipate receiving feedback from people actually using it later on.
> > > > 
> > > > Makes sense. I don't think it is worth having a runtime warning,
> > > > but I'll turn remap to x-remap and amend the docs.
> > > 
> > > Mwa, I would like to veto against your "x-remap" plan though. Keep in mind
> > > I also have to send out a patch for libvirt for this fix. Even I would
> > > not have read "x" to stand for "experimental". So I would definitely
> > > favor a runtime warning instead of renaming that parameter.
> > 
> > Hmmm... I don't see the point in adding a warning for a feature that
> > is only active if the user explicitly asks for it. 
> 
> Because many people might be using this option without ever reading the docs, 
> e.g. because of being suggested by copy & paste tutorials or any stack*.com 
> forum.
> 
> > And, anyway, this
> > still is an experimental feature, right ? 
> 
> No, it is not a feature. It is still a fix. :) I cannot use 9p without this 
> fix at all, so it is not some optional "feature" for me.
> 

I understand your need but this is still arguable. The 9p device has
a limitation with cross-device setups. The actual bug is to silently
cause inode number collisions in the guest. This is partly fixed by the
"9p: Treat multiple devices on one export as an error" patch. Thinking
again, it would even make sense to move "remap" from "9p: Added virtfs
option 'multidevs=remap|forbid|warn'" to its own patch. We could then
consider that the bug is fully fixed with "multidevs=forbid|warn".

Then comes the "remap" feature which is expected to lift the limitation
with cross-device setups, with a "not yet determined" performance cost
and light reviewing of the code.

> x-remap would just make things unnecessarily more complicated without adding 
> anything useful.
> 

Not really. This gives a crucial information to the user about the
level of confidence we have in this feature.

> A warning/info log could be used to motivate people providing feedback and 
> make them clearly aware about their current version still being an 
> experimental fix in their specific qemu version. That warning/info is just a 
> one line change that can easily be dropped at some point in future after this 
> qid fix proofed to be reliable (i.e. from users' feedback and test cases).
> 

The overwhelming majority of feedbacks I had on 9p the last few years
are CVEs. Antonios and you are the only users who ever seemed to care
for cross-device setups. So I don't expect much feedback on that area
and I don't buy the "motivate people" argument, especially since "remap"
won't be the default.

> > Not sure it is time to have
> > libvirt to support it yet.
> 
> Most people are using libvirt xml configs instead of calling qemu directly 
> with command line options. So of course I will suggest a libvirt patch as soon 
> as this patch set is pulled on qemu side.
> 

Yes and before a feature has a chance to be officially supported
in libvirt, people usually rely on the <qemu:commandline> domain
XML tag to pass extra arguments to QEMU.

https://blog.vmsplice.net/2011/04/how-to-pass-qemu-command-line-options.html

With the current fsdev implementation, we can only pass properties
to the -fsdev command line option. So this would require to not
use the <filesystem type='mount'> XML tag and manually _open-code_
the needed QEMU arguments:

<qemu:commandline>
  <qemu:arg value='-fsdev'/>
  <qemu:arg value='local,id=fsdev0,path=/var/tmp/virtfs,security_model=passthrough,multidevs=remap'/>
  <qemu:arg value='-device'/>
  <qemu:arg value='virtio-9p,id=virtio-9p0,mount_tag=host,fsdev=fsdev0'/>
</qemu:commandline>

And if fsdev is converted to be a proper QEMU device, it would as
easy as:

<qemu:commandline>
  <qemu:arg value='-set'/>
  <qemu:arg value='device.fsdev0.multidevs=remap'/>
</qemu:commandline>

This is unrelated but it would also allow to drop a lot
of code in fsdev that mimics what qdev would give us
for free. :)

> 
> 

Also, I strongly recommend you try out "virtio-fs" which is
going to be soon the production grade way of sharing files
between host and guest.

https://www.mail-archive.com/libvir-list@redhat.com/msg182457.html

Cheers,

--
Greg