Re: [Qemu-devel] Adding Disk-Level Introspection to QEMU


From: Wolfgang Richter
Subject: Re: [Qemu-devel] Adding Disk-Level Introspection to QEMU
Date: Tue, 23 Apr 2013 14:31:18 -0400

On Tue, Apr 23, 2013 at 2:21 PM, Stefan Hajnoczi <address@hidden> wrote:
> The tracing subsystem is geared towards tracepoint instrumentation
> rather than binary dumps.
>
> Can you share some specific applications?

Well, my main application is in exposing a "cloud-inotify" service by interpreting
sector writes in real-time and publishing the updates as file system manipulations.
By using introspection we don't need agents running inside the guest.

Example: guest writes to sector 5786907; I reverse-map that sector and notice
it belongs to '/etc/passwd' within that guest; I immediately emit a message
(currently using Redis pub-sub functionality) to any interested subscribers that
'/etc/passwd' changed within this guest running on a certain host within the
datacenter.

Other applications of VMI that I've seen are usually security-related: detecting
rootkits invisible to the guest etc., because once the guest is compromised
agents running inside it cannot be trusted.

> Eric's suggestion to use NBD makes sense to me.  The block-backup code
> can be extended fairly easily using sync mode=none (do not perform a
> background copy of the entire disk) and by disabling the bitmap
> (essentially "tap" mode).

This makes a lot of sense to me as well.  I'm glad there's a built-in mode
not to copy the whole disk.  I suppose I will have to customize the patch
to disable the bitmap?  Is there any chance we could also expose that as
an option to users?  As in, let them decide the granularity of their
snapshots/policies regarding snapshots in a streaming mode?

--
Wolf
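
The sector-to-file reverse mapping described in the message above, as an added example that is not part of the original message and is not QEMU code. The extent table, the guest and host names, the `fs-events:<guest>` channel name and the `publish` callback (standing in for a Redis publish call) are all assumptions made for illustration, and extents are assumed not to overlap.

```python
import bisect
import json

# Constructed extent map: (first_sector, sector_count, path). A real one would
# be built on the host by walking the guest file system's metadata.
EXTENTS = [
    (2048, 16, "/etc/hostname"),
    (5786900, 16, "/etc/passwd"),
    (5786916, 8, "/etc/shadow"),
    (9000000, 4096, "/var/log/syslog"),
]

class SectorMap:
    """Reverse map from disk sectors to the file that owns them."""

    def __init__(self, extents):
        self.extents = sorted(extents)
        self.starts = [e[0] for e in self.extents]

    def files_for_write(self, sector, nb_sectors):
        """Return paths whose extents overlap [sector, sector + nb_sectors)."""
        end = sector + nb_sectors
        # Begin at the last extent that starts at or before the written sector.
        i = max(bisect.bisect_right(self.starts, sector) - 1, 0)
        hits = []
        while i < len(self.extents) and self.extents[i][0] < end:
            start, count, path = self.extents[i]
            if start + count > sector and path not in hits:
                hits.append(path)
            i += 1
        return hits

def on_write(smap, guest, host, sector, nb_sectors, publish):
    """Turn one observed sector write into file-change events; return paths."""
    paths = smap.files_for_write(sector, nb_sectors)
    for path in paths:
        msg = json.dumps({"host": host, "guest": guest, "path": path,
                          "sector": sector, "nb_sectors": nb_sectors})
        publish(f"fs-events:{guest}", msg)  # hypothetical channel naming
    return paths

if __name__ == "__main__":
    smap = SectorMap(EXTENTS)
    on_write(smap, "guest-01", "host-a", 5786907, 1, print)  # inside one file
    on_write(smap, "guest-01", "host-a", 5786914, 4, print)  # spans two files
    on_write(smap, "guest-01", "host-a", 4000000, 8, print)  # unmapped: silent
```

A write that lands on sectors with no known owner produces no event here; a monitor that cares about metadata or newly allocated blocks would need to refresh the map when such writes occur.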
