On Mon, Jan 23, 2023 at 02:49:39PM -0500, Stefan Hajnoczi wrote: > The point of the migration blocker is to prevent breaking running > guests. Situations where a migration completes but results in a broken > guest are problematic for users (especially when they are not logged in > to guests and able to fix them interactively).
I thought it's the reverse - we block when we are sure it can't work. If we are not sure we should leave policy to orchestrators. You can always get into situations like this with stateful storage (as opposed to RO one). For example, naively scp the backend file then start migration. Will seem to work but corrupts the disk (I didn't try, for sure with raw but what about qcow2?) > If a command-line option is set to override the blocker, that's fine. > But there needs to be a blocker by default if external knowledge is > required to decide whether or not it's safe to migrate. If all the command line says is "I want migration to work" then that's more like shifting the blame than helping users. They just learn this one weird trick and it seems to work until it doesn't. Then we are like "we told you only to set this flag if you are sure" and they are like "well I was sure". -- MST
