[Engine-devel] Clone VM from snapshot feature
Itamar Heim
iheim at redhat.com
Sun Feb 26 13:04:26 UTC 2012
On 02/26/2012 02:38 PM, Yair Zaslavsky wrote:
> On 02/26/2012 02:05 PM, Itamar Heim wrote:
>> On 02/14/2012 10:06 AM, Yair Zaslavsky wrote:
>>> Hi all,
>>> I modified the Wiki pages of this feature:
>>>
>>> http://www.ovirt.org/wiki/Features/CloneVmFromSnapshot
>>>
>>> http://www.ovirt.org/wiki/Features/DetailedCloneVmFromSnapshot
>>>
>>> Comments are more than welcome
>>
>> 1. "Shared disks and direct LUN diskes behavior - For shared disks and
>> direct LUN based disks, the user who performs the snapshot will specify
>> during snapshot creation whether the disk should be plugged or unplugged
>> upon performing the clone."
>>
>> direct lun - if it is not already in shared mode, cannot be used by more
>> than one VM, hence should not be cloned, unless already flagged as shared.
> Understood. What should be the behavior if shared flag is set to false?
warning to audit log that the disk isn't part of the clone.
>
>>
>> 2. it sounds like there should be some general code shared for import vm
>> and clone vm for handling items which can't be duplicate by default
>> (say, mac addresses).
> True, I will revisit this. Aren't we facing actually this issue also in
> creating a VM from template?
I assume it already has such logic. I'm suggesting to check how
redundant it is across the various commands (if it is), before creating
another care.
>>
>> 3. MLA - are you cloning the permissions on the VM as well, or only
>> creating an owner permission on the new entity?
>>
>> 4. MLA - what permission does one need to have on source VM/snapsot to
>> clone it?
>> if a non-owner can clone a VM/snapshot, and become owner of the new
>> entity, need to make sure no privilege escalation flows exist.
>> is the intent to share the code of clone VM with AddVm (which is what
>> clone is), with a task to clone the disks rather than create them
>> (otherwise you need to duplicate the code for quota and permission
>> handling?)
> If I understand you correctly - Cloning images commands
> (AddVmFromTemplate, cloning vm from snapshot, etc..) will invoke a
> CopyImage internal command.
iiuc, internal commands don't perform permission checks?
More information about the Engine-devel
mailing list