|
| 1 | +--- |
| 2 | +title: patches in VDIs |
| 3 | +layout: default |
| 4 | +design_doc: true |
| 5 | +revision: 1 |
| 6 | +status: proposed |
| 7 | +--- |
| 8 | + |
| 9 | +"Patches" are signed binary blobs which can be queried and applied. |
| 10 | +They are stored in the dom0 filesystem under `/var/patch`. Unfortunately |
| 11 | +the patches can be quite large -- imagine a repo full of RPMs -- and |
| 12 | +the dom0 filesystem is usually quite small, so it can be difficult |
| 13 | +to upload and apply some patches. |
| 14 | + |
| 15 | +Instead of writing patches to the dom0 filesystem, we shall write them |
| 16 | +to disk images (VDIs) instead. We can then take advantage of features like |
| 17 | + |
| 18 | +- shared storage |
| 19 | +- cross-host `VDI.copy` |
| 20 | + |
| 21 | +to manage the patches. |
| 22 | + |
| 23 | +XenAPI changes |
| 24 | +============== |
| 25 | + |
| 26 | +1. Add a field `pool_patch.VDI` of type `Ref(VDI)`. When a new patch is |
| 27 | + stored in a VDI, it will be referenced here. Older patches and cleaned |
| 28 | + patches will have invalid references here. |
| 29 | + |
| 30 | +2. The HTTP handler for uploading patches will choose an SR to stream the |
| 31 | + patch into. It will prefer to use the `pool.default_SR` and fall back |
| 32 | + to choosing an SR on the master whose driver supports the `VDI_CLONE` |
| 33 | + capability: we want the ability to fast clone patches, one per host |
| 34 | + concurrently installing them. A VDI will be created whose size is 4x |
| 35 | + the apparent size of the patch, defaulting to 4GiB if we have no size |
| 36 | + information (i.e. no `content-length` header) |
| 37 | + |
| 38 | +3. `pool_patch.clean_on_host` will be deprecated. It will still try to |
| 39 | + clean a patch *from the local filesystem* but this is pointless for |
| 40 | + the new VDI patch uploads. |
| 41 | + |
| 42 | +4. `pool_patch.clean` will be deprecated. It will still try to clean a patch |
| 43 | + from the *local filesystem* of the master but this is pointless for the |
| 44 | + new VDI patch uploads. |
| 45 | + |
| 46 | +4. `pool_patch.pool_clean` will be deprecated. It will destroy any associated |
| 47 | + patch VDI. Users will be encouraged to call `VDI.destroy` instead. |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | +Changes beneath the XenAPI |
| 52 | +========================== |
| 53 | + |
| 54 | +1. `pool_patch` records will only be deleted if both the `filename` field |
| 55 | + refers to a missing file on the master *and* the `VDI` field is a dangling |
| 56 | + reference |
| 57 | + |
| 58 | +2. Patches stored in VDIs will be stored within a filesystem, like we used |
| 59 | + to do with suspend images. This is needed because (a) we want to execute |
| 60 | + the patches and block devices cannot be executed; and (b) we can use |
| 61 | + spare space in the VDI as temporary scratch space during the patch |
| 62 | + application process. Within the VDI we will call patches `patch` rather |
| 63 | + than using a complicated filename. |
| 64 | + |
| 65 | +3. When a host wishes to apply a patch it will call `VDI.copy` to duplicate |
| 66 | + the VDI to a locally-accessible SR, mount the filesystem and execute it. |
| 67 | + If the patch is still in the master's dom0 filesystem then it will fall |
| 68 | + back to the HTTP handler. |
| 69 | + |
| 70 | + |
| 71 | +Summary of the impact on the admin |
| 72 | +================================== |
| 73 | + |
| 74 | +- There will nolonger be a size limit on hotfixes imposed by the mechanism |
| 75 | + itself. |
| 76 | +- There must be enough free space in an SR connected to the host to be able |
| 77 | + to apply a patch on that host. |
0 commit comments