On Fri, Aug 11, 2023 at 04:59:56PM +0200, David Hildenbrand wrote:
> On 10.08.23 23:24, Peter Xu wrote:
> > On Fri, Aug 11, 2023 at 01:06:12AM +0800, ThinerLogoer wrote:
> > > > I think we have the following options (there might be more)
> > > >
> > > > 1) This patch.
> > > >
> > > > 2) New flag for memory-backend-file. We already have "readonly" and
> > > > "share=". I'm having a hard time coming up with a good name that really
> > > > describes the subtle difference.
> > > >
> > > > 3) Glue behavior to the QEMU machine
> > > >
> > >
> > > 4) '-deny-private-discard' argv, or environment variable, or both
> >
> > I'd personally vote for (2). How about "fdperm"? To describe when we want
> > to use different rw permissions on the file (besides the access permission
> > of the memory we already provided with "readonly"=XXX). IIUC the only sane
> > value will be ro/rw/default, where "default" should just use the same rw
> > permission as the memory ("readonly"=XXX).
>
> Hmm, I'm not particularly happy about that.
>
> >
> > Would that be relatively clean and also work in this use case?
> >
>
> I get the feeling that we are over-engineering something that probably
> should never have been allowed: MAP_PRIVATE mapping of a file and opening it
> rw because someone might punch holes into it.
>
> Once we start adding new parameters just for that, I get a bit skeptical
> that this is what we want. The number of people that care about that are
> probably close to 0.
>
> The only real use case where this used to make sense (by accident I assume)
> was with hugetlb. And somehow, we decided that it was a good idea for
> "-mem-path" to use MAP_PRIVATE.
>
> So, what stops us from
>
> a) Leaving -mem-path alone. Keep opening files rw.
> b) Make memory-backend-file with shared=off,readonly=off open the file
> read-only
> c) Gluing that behavior to a QEMU compat machine
So we want to make all users with shared=off + readonly=off to only open
the file RO always, failing file write ops rather than crashing others.
Sounds reasonable to me.
In that case, do we even need a compat bit, if we're 100% sure it won't
break anyone but only help, with the fact that everything should be
transparent?
--
Peter Xu
