RFC: update better VM revert proposal (#6696)

This proposal is 11 years old and the architecture of xapi has changed
enough that the proposal needs changing.

In particular, SMAPIv3 has been introduced which means that there's an
xapi storage interface shared between the two SMAPI backend, and that
the fallback the logic that was done at SMAPI level now must be done at
the
level of xapi.

I've also elected to further restrict the fallback behaviour to VM
reverts, VDI revert will require backend support: it reduces the chances
of
failures during revert resulting in wrong fields in the database.

I'm still unsure about exposing VDI.revert, I would avoid it if at all
possible, maybe as an internal or hidden API? It might be useful to
exposed to use it in quicktests, like it was done in the initial
prototype.

Author: psafont

doc/content/design/snapshot-revert.md

@@ -1,85 +1,128 @@
 ---
-title: Improving snapshot revert behaviour
+title: Better VM revert
 layout: default
 design_doc: true
-revision: 1
+revision: 2
 status: confirmed
 ---
 
-Currently there is a XenAPI `VM.revert` which reverts a "VM" to the state it
-was in when a VM-level snapshot was taken. There is no `VDI.revert` so
-`VM.revert` uses `VDI.clone` to change the state of the disks.
+## Overview
 
-The use of `VDI.clone` has the side-effect of changing VDI refs and uuids.
-This causes the following problems:
+XenAPI allows users to rollback the state of a VM to a previous state, which is
+stored in a snapshot, using the call `VM.revert`. Because there is no
+`VDI.revert` call, `VM.revert` uses `VDI.clone` on the snapshot to duplicate
+the contents of that disk and then use the new clone as the storage for the VM.
 
-- It is difficult for clients
-  such as [Apache CloudStack](http://cloudstack.apache.org) to keep track
-  of the disks it is actively managing
-- VDI snapshot metadata (`VDI.snapshot_of` et al) has to be carefully
-  fixed up since all the old refs are now dangling
+Because `VDI.clone` creates new VDI refs and uuids, some problematic
+behaviours arise:
 
-We will fix these problems by:
+- Clients such as 
+  [Apache CloudStack](http://cloudstack.apache.org) need to include complex
+  logic to keep track of the disks they are actively managing
+- Because the snapshot is cloned and the original vdi is deleted, VDI
+  references to the VDI become invalid, like `VDI.snapshot_of`. This means
+  that the database has to be combed through to change these references. 
+  Because the database doesn't support transactions this operation is not atomic
+  and can produce inconsistent database states.
 
-1. adding a `VDI.revert` to the SMAPIv2 and calling this from `VM.revert`
-2. defining a new SMAPIv1 operation `vdi_revert` and a corresponding capability
-   `VDI_REVERT`
-3. the Xapi implementation of `VDI.revert` will first try the `vdi_revert`,
-   and fall back to `VDI.clone` if that fails
-4. implement `vdi_revert` for common storage types, including File and LVM-based
-   SRs.
+Additionally, some filesystems support snapshots natively, doing the clone
+procedure is much costlier than allowing the filesystem to do the revert.
 
-XenAPI changes
---------------
+We will fix these problems by:
 
-We will add the function `VDI.revert` with arguments:
+- introducing the new feature `VDI_REVERT` in SM interface (`xapi_smint`). This
+  allows backends to advertise that they support the new functionality
+- defining a new storage operation `VDI.revert` in storage_interface, which is
+  gated by the feature `VDI_REVERT`
+- proxying the storage operation to SMAPIv3 and SMAPv1 backends accordingly
+- adding `VDI.revert` to xapi_vdi which will call the storage operation if the
+  backend advertises it, and fallback to the previous method that uses
+  `VDI.clone` if it doesn't advertise it, or issues are detected at runtime
+  that prevent it
+- changing the Xapi implementation of `VM.revert` to use `VDI.revert`
+- implement `vdi_revert` for common storage types, including File and LVM-based
+  SRs
+- adding unit and quick tests to xapi to test that `VM.revert` does not regress
+
+## Current VM.revert behaviour
+
+The code that reverts the state of storage is located in 
+[update_vifs_vbds_vgpus_and_vusbs](https://github.com/xapi-project/xen-api/blob/bc0ba4e9dc8dc4b85b7cbdbf3e0ba5915b4ad76d/ocaml/xapi/xapi_vm_snapshot.ml#L211).
+The steps it does is:
+1. destroys the VM's VBDs (both disks and CDs)
+2. destroys the VM's VDI (disks only), referenced by the snapshot's VDIs using
+   `snapshot_of`; as well as the suspend VDI.
+3. clones the snapshot's VDIs (disks and CDs), if one clone fails none remain.
+4. searches the database for all `snapshot_of` references to the deleted VDIs
+   and replaces them with the referenced of the newly cloned snapshots.
+5. clones the snapshot's resume VDI
+6. creates copies of all the cloned VBDs and associates them with the cloned VDIs
+7. assigns the new resume VDI to the VM
+
+## XenAPI design
+
+### API
+
+The function `VDI.revert` will be added, with arguments:
 
 - in: `snapshot: Ref(VDI)`: the snapshot to which we want to revert
 - in: `driver_params: Map(String,String)`: optional extra parameters
-- out: `Ref(VDI)` the new VDI
+- out: `Ref(VDI)` reference to the new VDI with the reverted contents
+
+The function will extract the reference of VDI whose contents need to be
+replaced. This is the snapshot's `snapshot_of` field, then it will call the
+storage function function `VDI.revert` to have its contents replaced with the
+snapshot's. The VDI object will not be modified, and the reference returned is
+the VDI's original reference.
+If anything impedes the successful finish of an in-place revert, like the SM
+backend does not advertising the feature `VDI_REVERT`, not implement the
+feature, or the `snapshot_of` reference is invalid; an exception will be
+raised.
 
-The function will look up the VDI which this is a `snapshot_of`, and change
-the VDI to have the same contents as the snapshot. The snapshot will not be
-modified. If the implementation is able to revert in-place, then the reference
-returned will be the VDI this is a `snapshot_of`; otherwise it is a reference
-to a fresh VDI (created by the `VDI.clone` fallback path)
+### Xapi Storage
 
-References:
+The function `VDI.revert` is added, with the following arguments:
 
-- @johnelse's [pull request](https://github.com/xapi-project/xen-api/pull/1963)
-  which implements this
+- in: `dbg`: the task identifier, useful for tracing
+- in: `sr`: SR where the new VDI must be created
+- in: `snapshot_info`: metadata of the snapshot, the contents of which must be
+       made available in the VDI indicated by the `snapshot_of` field
 
-SMAPIv1 changes
----------------
+#### SMAPIv1
 
-We will define the function `vdi_revert` with arguments:
+The function `vdi_revert` is defined with the following arguments:
 
 - in: `sr_uuid`: the UUID of the SR containing both the VDI and the snapshot
-- in: `vdi_uuid`: the UUID of the snapshot whose contents should be duplicated
-- in: `target_uuid`: the UUID of the target whose contents should be replaced
+- in: `vdi_uuid`: the UUID of the snapshot whose contents must be duplicated
+- in: `target_uuid`: the UUID of the target whose contents must be replaced
 
 The function will replace the contents of the `target_uuid` VDI with the
 contents of the `vdi_uuid` VDI without changing the identify of the target
 (i.e. name-label, uuid and location are guaranteed to remain the same).
 The `vdi_uuid` is preserved by this operation. The operation is obvoiusly
 idempotent.
 
-Xapi changes
-------------
+#### SMAPIv3
 
-Xapi will
+In an analogous way to SMAPIv1, the function `Volume.revert` is defined with the
+following arguments:
 
-- use `VDI.revert` in the `VM.revert` code-path
-- expose a new `xe vdi-revert` CLI command
-- implement the `VDI.revert` by calling the SMAPIv1 function and falling back
-  to `VDI.clone` if a `Not_implemented` exception is thrown
+- in: `dbg`: the task identifier, useful for tracing
+- in: `sr`: the UUID of the SR containing both the VDI and the snapshot
+- in: `snapshot`: the UUID of the snapshot whose contents must be duplicated
+- in: `vdi`: the UUID of the VDI whose contents must be replaced
 
-References:
+### Xapi
 
-- @johnelse's [pull request](https://github.com/xapi-project/xen-api/pull/1963)
+- add the capability `VDI_REVERT` so backends can advertise it
+- use `VDI.revert` in the `VM.revert` after the VDIs have been destroyed, and
+  before the snapshot's VDIs have been cloned. If any of the reverts fail
+  because a `Not_implemented` exception is thrown, or the `snapshot_of`
+  contains an invalid reference, add the affected VDIs to the list to be cloned
+  and recovered, using the existing method
+- expose a new `xe vdi-revert` CLI command
 
-SM changes
-----------
+## SM changes
 
 We will modify
 
@@ -92,8 +135,7 @@ We will modify
   snapshot/clone machinery
 - LVHDoISCSISR.py and LVHDoHBASR.py to advertise the `VDI_REVERT` capability
 
-Prototype code
-==============
+# Prototype code from the previous proposal
 
 Prototype code exists here:
 

doc/content/xapi/storage/_index.md

@@ -26,57 +26,60 @@ D --> F[SMAPIv3 plugins]
 
 ## SMAPIv1
 
-These are the files related to SMAPIv1 in `xen-api/ocaml/xapi/`:
-
--   sm.ml: OCaml "bindings" for the SMAPIv1 Python "drivers" (SM)
--   sm_exec.ml:
-    support for implementing the above "bindings". The
-    parameters are converted to XML-RPC, passed to the relevant python
-    script ("driver"), and then the standard output of the program is
-    parsed as an XML-RPC response (we use
-    `xen-api-libs-transitional/http-svr/xMLRPC.ml` for parsing XML-RPC).
+These are the files related to SMAPIv1 in [`/ocaml/xapi/`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi):
+
+-   [`sm.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/sm.ml):
+    OCaml "bindings" for the SMAPIv1 Python "drivers" (SM)
+-   [`sm_exec.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/sm_exec.ml):
+    support for implementing the above "bindings".
+    The parameters are converted to XML-RPC, passed to the relevant python script ("driver"),
+    and then the standard output of the program is parsed as an XML-RPC response (we use
+    [`ocaml/libs/http-lib/xMLRPC.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/libs/http-lib/xMLRPC.ml)
+    for parsing XML-RPC).
     When adding new functionality, we can modify `type call` to add parameters,
     but when we don't add any common ones, we should just pass the new
     parameters in the args record.
--   `smint.ml`: Contains types, exceptions, ... for the SMAPIv1 OCaml
-    interface
--   `storage_smapiv1_wrapper.ml`: A state machine for SMAPIv1 operations. It computes
-    the required actions to reach the desired state from the current state.
--   `storage_smapiv1.ml`: Contains the actual translation of SMAPIv2 calls to SMAPIv1
-    calls, by calling the bindings provided in sm.ml.
+-   [`smint.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/smint.ml):
+    Contains types, exceptions, ... for the SMAPIv1 OCaml interface.
+-   [`storage_smapiv1_wrapper.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/storage_smapiv1_wrapper.ml):
+    The [`Wrapper`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/storage_smapiv1_wrapper.ml#L360)
+    module wraps a SMAPIv2 server (`Server_impl`) and takes care of
+    locking and datapaths (in case of multiple connections (=datapaths)
+    from VMs to the same VDI, using a state machine for SMAPIv1 operations.
+    It will use the superstate computed by the
+    [`vdi_automaton.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi-idl/storage/vdi_automaton.ml)
+    in xapi-idl) to compute the required actions to reach the desired state from the current one.
+    It also implements some functionality, like the `DP` module, that is not implemented in lower layers.
+-   [`storage_smapiv1.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/storage_smapiv1.ml):
+    a SMAPIv2 server that translates SMAPIv2 calls to SMAPIv1 ones, by calling
+    [`ocaml/xapi/sm.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/sm.ml).
+    It calls passes the XML-RPC requests as the first command-line argument to the
+    corresponding Python script, which returns an XML-RPC response on standard
+    output.
 
 ## SMAPIv2
 
 These are the files related to SMAPIv2, which need to be modified to
 implement new calls:
 
--   [xcp-idl/storage/storage\_interface.ml](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi-idl/storage/storage_interface.ml):
+-   [`ocaml/xapi-idl/storage/storage_interface.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi-idl/storage/storage_interface.ml):
     Contains the SMAPIv2 interface
--   [xcp-idl/storage/storage\_skeleton.ml](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi-idl/storage/storage_skeleton.ml):
+-   [`ocaml/xapi-idl/storage/storage_skeleton.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi-idl/storage/storage_skeleton.ml):
     A stub SMAPIv2 storage server implementation that matches the
     SMAPIv2 storage server interface (this is verified by
-    [storage\_skeleton\_test.ml](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi-idl/storage/storage_skeleton_test.ml)),
+    [`storage_skeleton_test.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi-idl/storage/storage_skeleton_test.ml)),
     each of its function just raise a `Storage_interface.Unimplemented`
     error. This skeleton is used to automatically fill the unimplemented
     methods of the below storage servers to satisfy the interface.
--   [xen-api/ocaml/xapi/storage\_smapiv1.ml](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/storage_smapiv1.ml):
-    a SMAPIv2 server that does SMAPIv2 -> SMAPIv1 translation.
-    It passes the XML-RPC requests as the first command-line argument to the
-    corresponding Python script, which returns an XML-RPC response on standard
-    output.
--   [xen-api/ocaml/xapi/storage_smapiv1_wrapper.ml](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/storage_smapiv1_wrapper.ml):
-    The [Wrapper](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/storage_smapiv1_wrapper.ml#L360)
-    module wraps a SMAPIv2 server (Server\_impl) and takes care of
-    locking and datapaths (in case of multiple connections (=datapaths)
-    from VMs to the same VDI, it will use the superstate computed by the
-    [Vdi_automaton](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi-idl/storage/vdi_automaton.ml)
-    in xcp-idl). It also implements some functionality, like the `DP`
-    module, that is not implemented in lower layers.
--   [xen-api/ocaml/xapi/storage\_mux.ml](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/storage_mux.ml):
+-   [`ocaml/xapi/storage_mux.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/storage_mux.ml):
     A SMAPIv2 server, which multiplexes between other servers. A
     different SMAPIv2 server can be registered for each SR. Then it
     forwards the calls for each SR to the "storage plugin" registered
     for that SR.
+-   [`ocaml/xapi/storage_smapiv1_wrapper.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/storage_smapiv1_wrapper.ml):
+    Implements a state machine to compute SMAPIv1 actions needed to reach the desired state, see [SMAPIv1](#smapiv1).
+-   [`ocaml/xapi/storage_smapiv1.ml`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi/storage_smapiv1.ml):
+    Translates the SMAPIv2 calls to SMAPIv1, see [SMAPIv1](#smapiv1).
 
 ### How SMAPIv2 works:
 
@@ -211,31 +214,28 @@ It also implements the `Policy` module from the SMAPIv2 interface.
 
 ## SMAPIv3
 
-[SMAPIv3](https://xapi-project.github.io/xapi-storage/) has a slightly
-different interface from SMAPIv2.The
-[xapi-storage-script](https://github.com/xapi-project/xen-api/tree/v25.11.0/ocaml/xapi-storage-script)
-daemon is a SMAPIv2 plugin separate from xapi that is doing the SMAPIv2
-↔ SMAPIv3 translation. It keeps the plugins registered with xapi-idl
-(their message-switch queues) up to date as their files appear or
-disappear from the relevant directory.
+[SMAPIv3](https://xapi-project.github.io/xapi-storage/) has a slightly different interface from SMAPIv2.
+The
+[`xapi-storage-script`](https://github.com/xapi-project/xen-api/tree/v25.11.0/ocaml/xapi-storage-script)
+daemon is a SMAPIv2 plugin separate from xapi that is doing the SMAPIv2 ↔ SMAPIv3 translation.
+It keeps the plugins registered with xapi-idl (their message-switch queues)
+up to date as their files appear or disappear from the relevant directory.
 
 ### SMAPIv3 Interface
 
 The SMAPIv3 interface is defined using an OCaml-based IDL from the
-[ocaml-rpc](https://github.com/mirage/ocaml-rpc) library, and is in this
-repo: <https://github.com/xapi-project/xapi-storage>
+[`ocaml-rpc`](https://github.com/mirage/ocaml-rpc) library, and is located at
+[`xen-api/ocaml/xapi-storage`](https://github.com/xapi-project/xen-api/tree/v25.11.0/ocaml/xapi-storage)
 
 From this interface we generate
 
--   OCaml RPC client bindings used in
-    [xapi-storage-script](https://github.com/xapi-project/xapi-storage-script)
--   The [SMAPIv3 API
-    reference](https://xapi-project.github.io/xapi-storage)
+-   OCaml RPC client bindings used in `xapi-storage-script`
+-   The 
+    [SMAPIv3 API reference](https://xapi-project.github.io/xapi-storage)
 -   Python bindings, used by the SM scripts that implement the SMAPIv3
     interface.
-    -   These bindings are built by running "`make`" in the root
-        [xapi-storage](https://github.com/xapi-project/xapi-storage),
-        and appear in the` _build/default/python/xapi/storage/api/v5`
+    -   These bindings are built by running `make` at the root level,
+        and appear in the` _build/default/ocaml/xapi-storage/python/xapi/storage/api/v5/`
         directory.
     -   On a XenServer host, they are stored in the
         `/usr/lib/python3.6/site-packages/xapi/storage/api/v5/`
@@ -258,20 +258,20 @@ stored in subdirectories of the
 `/usr/libexec/xapi-storage-script/volume/` and
 `/usr/libexec/xapi-storage-script/datapath/` directories, respectively.
 When it finds a new datapath plugin, it adds the plugin to a lookup table and
-uses it the next time that datapath is required. When it finds a new volume
-plugin, it binds a new [message-switch](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi-storage-script/main.ml#L2023) queue named after the plugin's
-subdirectory to a new server instance that uses these volume scripts.
+uses it the next time that datapath is required.
+When it finds a new volume plugin, it binds a new
+[`message-switch`](https://github.com/xapi-project/xen-api/blob/v25.11.0/ocaml/xapi-storage-script/main.ml#L2023)
+queue named after the plugin's subdirectory to a new server instance that uses these volume scripts.
 
 To invoke a SMAPIv3 method, it executes a program named
-`<Interface name>.<function name>` in the plugin's directory, for
-example
+`<Interface name>.<function name>` in the plugin's directory,
+for example
 `/usr/libexec/xapi-storage-script/volume/org.xen.xapi.storage.gfs2/SR.ls`.
 The inputs to each script can be passed as command-line arguments and
-are type-checked using the generated Python bindings, and so are the
-outputs. The URIs of the SRs that xapi-storage-script knows about are
-stored in the `/var/run/nonpersistent/xapi-storage-script/state.db`
-file, these URIs can be used on the command line when an sr argument is
-expected.
+are type-checked using the generated Python bindings, and so are the outputs.
+The URIs of the SRs that xapi-storage-script knows about are stored in the
+ `/var/run/nonpersistent/xapi-storage-script/state.db` file,
+these URIs can be used on the command line when an sr argument is expected.
 
 #### Registration of the various SMAPIv3 plugins