On Wed, Jan 23, 2013 at 09:44:43AM +0200, NoxDaFox
wrote:> Greetings,
>
> I'd like to monitor the FS activities (read/write) at runtime on
> several virtual disk images running on Qemu KVM.
> The aim is to periodically inspect these images to identify possible
> Windows registry modification, file creation and so on..
>
> What should be the optimal procedure? Shall I launch a new handler
> each time? It is a quite expensive procedure and it takes a lot of
> time on loaded systems.
> Would be enough to mount/unmount the disk at each read?
You would have to launch a new handle each time[*]. Obviously it is
essential that you pass the 'readonly' flag to add_drive (not doing so
will result in very real disk corruption).
Since the disks are being updated while you're trying to read them,
there's no guarantee that you won't see some sort of transient error
on the libguestfs side, which you can deal with by just closing the
handle and retrying.
Rich.
[*] Except if using libguestfs >= 1.20 + virtio-scsi + libvirt, in
which case it may be possible to call guestfs_remove_drive to hotplug
the disk. http://libguestfs.org/guestfs.3.html#hotplugging
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org