<fix>[kvm]: fail VM start when host file changed but sync fails

[zstack-robot-2]

When syncing VM host file from the origin host fails, check
whether the file has been updated (changeDate != null). If so,
it is unsafe to start the VM with stale cached content, so fail
the flow instead of silently continuing.

Also clean up VmHostBackupFileVO after a successful write to
avoid stale backup records.

Resolves: ZSV-11675
Related: ZSV-11310

Change-Id: I6a73636169727a6f7265766b696c6f6d70747676

sync from gitlab !9609

[coderabbitai]

Walkthrough

在 KvmSecureBootExtensions 中调整 VM 主机文件同步流程：新增 syncFromOriginHostSuccess 标志、改变源主机读取成功/失败处理、在同步失败时校验并可能丢弃缓存内容、以及在写入成功时清理备份记录（删除 VmHostBackupFileVO）。

Changes

Cohort / File(s)

Summary

KVM VM 主机文件流程 plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java

在 PrepareHostFileContext 新增布尔字段 syncFromOriginHostSuccess（默认 false）；在 read-vm-host-file-from-origin-host 成功时立即设为 true 并继续，失败时若已缓存且 vmHostFile.changeDate != null 则以 operr(...) 失败，否则保留原有警告并继续；初次加载的 VmHostFileVO 立即写入 context.vmHostFile；新增 NoRollbackFlow 步骤 check-content-for-vm-host-file-if-sync-failed（当同步失败且有缓存但无内容时将 context.vmHostFile 置空）；在 re-read-vm-host-file-from-dest-host 后新增 NoRollbackFlow 步骤 clean-backup，当 context.vmBackupFileVO != null 且 context.writeSuccess == true 时删除对应 VmHostBackupFileVO 记录。

Sequence Diagram(s)

sequenceDiagram
    participant Flow as FlowEngine
    participant Origin as OriginHost
    participant Dest as DestHost
    participant DB as Database

    Flow->>DB: 读取本地缓存 `VmHostFileVO`
    Flow->>Origin: 请求读取 VM 主机文件
    alt 读取成功
        Origin-->>Flow: 返回 VmHostFile
        Flow->>Flow: context.syncFromOriginHostSuccess = true
        Flow->>Flow: trigger.next()
    else 读取失败
        Origin-->>Flow: 返回错误
        Flow->>DB: 检查缓存 `VmHostFileVO.changeDate`
        alt changeDate != null
            Flow->>Flow: 返回 operr(...) 并失败流程
        else
            Flow->>Flow: 记录警告并 trigger.next()
            Flow->>DB: 若缓存存在但无内容，则将 context.vmHostFile 置空
        end
    end
    Flow->>Dest: 重新读取或写入至目标主机
    alt 写入成功 且 context.vmBackupFileVO != null
        Flow->>DB: 删除对应 VmHostBackupFileVO 记录
    end

Loading

评估代码审查工作量

🎯 4 (复杂) | ⏱️ ~60 分钟

诗句

🐰 新旗标记来报到，
源读若回立刻跳；
失败有痕需分辨，
缓存空缺则抛掉；
写成之后备份飘。

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: failing VM start when host file sync fails but the file has been updated, which is the core objective of this PR.
Description check	✅ Passed	The description directly relates to the changeset, explaining the rationale for checking changeDate on sync failure and cleaning up backup records, matching the code changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sync/wenhao.zhang/zsv-ldap-2

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java (1)

321-326: ⚠️ Potential issue | 🟠 Major

不要在源主机同步成功前就把 context.vmHostFile 视为可用。

Line 321 先写入 context.vmHostFile 后，read-vm-host-file-from-backup 在 Lines 379-380 会被直接跳过。这样一旦源主机同步失败但 changeDate == null，而 MN 里又没有对应的 VmHostFileContentVO，Lines 425-429 只会记录 skip 并继续，最终可能带着缺失的 NVRAM/TPM 状态继续启动。这里应只在确认同步成功，或确认 MN 已有可用内容后，再设置 context.vmHostFile。

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java`
around lines 321 - 326, The code assigns context.vmHostFile too early (in
KvmSecureBootExtensions) causing read-vm-host-file-from-backup to be skipped and
potentially allowing boot with missing NVRAM/TPM; change to first fetch into a
local VmHostFileVO (e.g., vmHostFileLocal) using
Q.New(VmHostFileVO.class)...find(), then perform the backup-read and existence
checks (inspect changeDate and lookup for corresponding VmHostFileContentVO) and
only after confirming the source sync succeeded or that MN already has valid
VmHostFileContentVO, assign context.vmHostFile = vmHostFileLocal; ensure the
error/skip branch (the logic around changeDate and VmHostFileContentVO presence)
fails or retries instead of leaving context.vmHostFile set.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java`:
- Around line 321-326: The code assigns context.vmHostFile too early (in
KvmSecureBootExtensions) causing read-vm-host-file-from-backup to be skipped and
potentially allowing boot with missing NVRAM/TPM; change to first fetch into a
local VmHostFileVO (e.g., vmHostFileLocal) using
Q.New(VmHostFileVO.class)...find(), then perform the backup-read and existence
checks (inspect changeDate and lookup for corresponding VmHostFileContentVO) and
only after confirming the source sync succeeded or that MN already has valid
VmHostFileContentVO, assign context.vmHostFile = vmHostFileLocal; ensure the
error/skip branch (the logic around changeDate and VmHostFileContentVO presence)
fails or retries instead of leaving context.vmHostFile set.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 23027116-6022-4ee5-9890-a782a4ce76dc

📥 Commits

Reviewing files that changed from the base of the PR and between ff216d7 and 6215e6d.

📒 Files selected for processing (1)

• plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java

[ZStack-Robot]

Comment from ye.zou:

Code Review

#	严重程度	分类	文件	问题描述	修复建议
1	🔴 Critical	回归/正确性	KvmSecureBootExtensions.java:321	backup fallback 路径被破坏。 改动把 context.vmHostFile 的赋值从 sync 成功回调里移到了 query 时（context.vmHostFile = Q.New(...)...find()）。这导致 read-vm-host-file-from-backup 的 skip 条件 context.vmHostFile != null（第 381 行）在 VmHostFileVO 存在时永远为 true——即使 sync 失败且 changeDate == null。旧代码中，sync 失败时 vmHostFile 为 null，会 fallback 到 backup；现在这条路径断了。场景：VM 原先在 host A 正常关机（changeDate=null），host A 宕机后 VM 在 host B 启动，sync 失败但 backup 有数据——旧代码用 backup 恢复，新代码直接跳过 backup，VM 启动时没有 NvRam/TpmState 内容。	把 skip 条件改为 context.syncFromOriginHostSuccess 或等价语义，确保 sync 失败时仍能 fallback 到 backup。
2	🟡 Major	回归/正确性	KvmSecureBootExtensions.java:414-416	write step 在 sync 失败时行为变化。 write-vm-host-file-to-dest-host 的 skip 条件检查 context.vmHostFile == null。现在 vmHostFile 始终非 null（只要 VO 存在），write step 不再被 skip，会用 vmHostFile.getUuid() 查 content。如果 sync 失败，content 可能是过期的或不存在的——虽然 content == null 时会 skip，但如果 content 存在且是旧版本，就会把 stale 内容写到目标 host。这和 MR 标题的安全意图矛盾。	在 write step 的 skip 条件中也考虑 syncFromOriginHostSuccess，只有 sync 成功或有 backup 时才执行 write。
3	🟠 Minor	死代码	KvmSecureBootExtensions.java:296	syncFromOriginHostSuccess 字段被赋值但从未被读取。看起来应该用在 read-vm-host-file-from-backup 的 skip 条件里（替代原来的 context.vmHostFile != null），但实际没有用上。这是 #1 的根因——字段加了但忘了用。	在 backup step 的 skip() 中使用 context.syncFromOriginHostSuccess 替代 context.vmHostFile != null。
4	🔵 Trivial	注释拼写	KvmSecureBootExtensions.java (clean-backup step)	"now we has lastest VmHostFileVO" → 语法错误 + 拼写错误。	"now we have the latest VmHostFileVO"

结论: BLOCK 🚫

回归风险: 高 — backup fallback 路径被无意中破坏，影响所有依赖 backup 恢复 NvRam/TpmState 的场景（host 宕机后 HA 启动、跨 host 启动等）。

修复建议: 核心问题是 context.vmHostFile 语义变了但下游 skip 条件没跟着改。syncFromOriginHostSuccess 字段已经加了，把它用上：

1. read-vm-host-file-from-backup 的 skip() 改为 return context.syncFromOriginHostSuccess;（而非 context.vmHostFile != null）
2. write-vm-host-file-to-dest-host 的 skip() 同步适配
3. 补充单测覆盖 "sync 失败 + changeDate=null + backup 存在" 场景

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java (1)

321-356: ⚠️ Potential issue | 🔴 Critical

同步成功后要重新查询最新的 VmHostFileVO。

Line 321 在 sync 之前就把 context.vmHostFile 固定成了旧记录，但同文件 Line 709-710 已经说明这类 sync 会创建新记录。现在 Line 355 成功后直接 trigger.next()，后面的 Line 440 仍会按旧 UUID 取内容，可能把旧缓存写回目标主机，等于把这次成功 sync 的结果丢掉了。建议在成功分支重新查询最新 VmHostFileVO，并同步更新 context.path。

🛠 建议修改

                 bus.send(syncMsg, new CloudBusCallBack(trigger) {
                     `@Override`
                     public void run(MessageReply reply) {
                         if (reply.isSuccess()) {
+                            context.vmHostFile = Q.New(VmHostFileVO.class)
+                                    .eq(VmHostFileVO_.type, context.type)
+                                    .eq(VmHostFileVO_.vmInstanceUuid, context.vmUuid)
+                                    .orderByDesc(VmHostFileVO_.lastOpDate)
+                                    .limit(1)
+                                    .find();
+                            if (context.vmHostFile == null) {
+                                trigger.fail(operr("failed to find latest %s vm host file for VM[vmUuid=%s] after sync",
+                                        context.type, context.vmUuid));
+                                return;
+                            }
+                            context.path = context.vmHostFile.getPath();
                             context.syncFromOriginHostSuccess = true;
                             trigger.next();
                             return;
                         }

另外建议补一条回归用例，覆盖“origin sync 成功并生成新 VO，后续必须使用新内容写目标主机”的场景。

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java`
around lines 321 - 356, The callback success path currently leaves
context.vmHostFile pointing at the pre-sync record, so after reply.isSuccess()
re-query the latest VmHostFileVO for context.type and context.vmUuid (e.g.
Q.New(VmHostFileVO.class).eq(VmHostFileVO_.type,
context.type).eq(VmHostFileVO_.vmInstanceUuid,
context.vmUuid).orderByDesc(VmHostFileVO_.lastOpDate).limit(1).find()), update
context.vmHostFile and context.path from that fresh VO, then continue with
trigger.next(); also add a regression test covering “origin sync creates new VO
and subsequent write uses new VO/path” to prevent regressions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java`:
- Line 521: The inline comment in KvmSecureBootExtensions.java (around the code
handling VmHostFileVO/VmHostBackupFileVO in the method where the latest host
file is ensured) contains two typos: change "has" to "have" and "lastest" to
"latest" so the comment reads something like "// now we have latest
VmHostFileVO, and VmHostBackupFileVO should be cleaned." Update the comment near
the code that references VmHostFileVO and VmHostBackupFileVO in class
KvmSecureBootExtensions to improve readability.

---

Outside diff comments:
In `@plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java`:
- Around line 321-356: The callback success path currently leaves
context.vmHostFile pointing at the pre-sync record, so after reply.isSuccess()
re-query the latest VmHostFileVO for context.type and context.vmUuid (e.g.
Q.New(VmHostFileVO.class).eq(VmHostFileVO_.type,
context.type).eq(VmHostFileVO_.vmInstanceUuid,
context.vmUuid).orderByDesc(VmHostFileVO_.lastOpDate).limit(1).find()), update
context.vmHostFile and context.path from that fresh VO, then continue with
trigger.next(); also add a regression test covering “origin sync creates new VO
and subsequent write uses new VO/path” to prevent regressions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: f647ef3a-8e23-4339-8996-ba6df56a6083

📥 Commits

Reviewing files that changed from the base of the PR and between 6215e6d and 8837cd2.

📒 Files selected for processing (1)

• plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java`:
- Around line 519-526: In KvmSecureBootExtensions.run, you're only deleting the
VmHostBackupFileVO which leaves associated VmHostFileContentVO rows orphaned;
update the flow to also delete VmHostFileContentVO entries tied to
context.vmBackupFileVO.getUuid() (mirroring the pattern in
VmHostFileTracker.deleteBackupFileFromDb) by issuing a
SQL.New(VmHostFileContentVO.class).eq(...,
context.vmBackupFileVO.getUuid()).delete() before or alongside deleting
VmHostBackupFileVO, ensuring both deletions occur within this flow before
calling trigger.next().

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: c3ab4fe3-a3d4-40bc-bc79-22b638e675ed

📥 Commits

Reviewing files that changed from the base of the PR and between 8837cd2 and f1e4687.

📒 Files selected for processing (1)

• plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java

[coderabbitai]

⚠️ Potential issue | 🟠 Major

缺少关联 VmHostFileContentVO 的删除。

仅删除 VmHostBackupFileVO 会导致关联的 VmHostFileContentVO 记录孤立在数据库中。根据 VmHostFileTracker.deleteBackupFileFromDb 的实现模式（见相关代码片段 3），删除备份文件时应同时删除其内容记录。

🐛 建议修复：同时删除关联内容

             `@Override`
             public void run(FlowTrigger trigger, Map data) {
                 // now we have latest VmHostFileVO, and VmHostBackupFileVO should be cleaned.
-                SQL.New(VmHostBackupFileVO.class)
-                        .eq(VmHostBackupFileVO_.uuid, context.vmBackupFileVO.getUuid())
-                        .delete();
+                new SQLBatch() {
+                    `@Override`
+                    protected void scripts() {
+                        sql(VmHostFileContentVO.class)
+                                .eq(VmHostFileContentVO_.uuid, context.vmBackupFileVO.getUuid())
+                                .delete();
+                        sql(VmHostBackupFileVO.class)
+                                .eq(VmHostBackupFileVO_.uuid, context.vmBackupFileVO.getUuid())
+                                .delete();
+                    }
+                }.execute();
                 trigger.next();
             }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java`
around lines 519 - 526, In KvmSecureBootExtensions.run, you're only deleting the
VmHostBackupFileVO which leaves associated VmHostFileContentVO rows orphaned;
update the flow to also delete VmHostFileContentVO entries tied to
context.vmBackupFileVO.getUuid() (mirroring the pattern in
VmHostFileTracker.deleteBackupFileFromDb) by issuing a
SQL.New(VmHostFileContentVO.class).eq(...,
context.vmBackupFileVO.getUuid()).delete() before or alongside deleting
VmHostBackupFileVO, ensuring both deletions occur within this flow before
calling trigger.next().

[coderabbitai]

♻️ Duplicate comments (1)

plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java (1)

519-526: ⚠️ Potential issue | 🟡 Minor

缺少关联 VmHostFileContentVO 的删除。

当前仅删除 VmHostBackupFileVO，会导致关联的 VmHostFileContentVO 记录在数据库中变成孤立数据。根据 write-vm-host-file-to-dest-host 步骤（第 440-444 行）的查询逻辑，VmHostFileContentVO.uuid 与 VmHostBackupFileVO.uuid 共享相同的值。

🐛 建议修复：同时删除关联内容

             `@Override`
             public void run(FlowTrigger trigger, Map data) {
                 // now we have latest VmHostFileVO, and VmHostBackupFileVO should be cleaned.
-                SQL.New(VmHostBackupFileVO.class)
-                        .eq(VmHostBackupFileVO_.uuid, context.vmBackupFileVO.getUuid())
-                        .delete();
+                new SQLBatch() {
+                    `@Override`
+                    protected void scripts() {
+                        sql(VmHostFileContentVO.class)
+                                .eq(VmHostFileContentVO_.uuid, context.vmBackupFileVO.getUuid())
+                                .delete();
+                        sql(VmHostBackupFileVO.class)
+                                .eq(VmHostBackupFileVO_.uuid, context.vmBackupFileVO.getUuid())
+                                .delete();
+                    }
+                }.execute();
                 trigger.next();
             }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java`
around lines 519 - 526, The flow currently only deletes VmHostBackupFileVO and
leaves orphaned VmHostFileContentVO rows; update the run(...) block in
KvmSecureBootExtensions (the anonymous Flow implementation) to also delete
VmHostFileContentVO entries matching context.vmBackupFileVO.getUuid() by adding
a SQL.New(VmHostFileContentVO.class).eq(VmHostFileContentVO_.uuid,
context.vmBackupFileVO.getUuid()).delete() call alongside the existing
SQL.New(VmHostBackupFileVO.class)...delete() so both the backup file and its
associated file content are removed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java`:
- Around line 519-526: The flow currently only deletes VmHostBackupFileVO and
leaves orphaned VmHostFileContentVO rows; update the run(...) block in
KvmSecureBootExtensions (the anonymous Flow implementation) to also delete
VmHostFileContentVO entries matching context.vmBackupFileVO.getUuid() by adding
a SQL.New(VmHostFileContentVO.class).eq(VmHostFileContentVO_.uuid,
context.vmBackupFileVO.getUuid()).delete() call alongside the existing
SQL.New(VmHostBackupFileVO.class)...delete() so both the backup file and its
associated file content are removed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 92f78a3f-bb57-4041-a32c-0ea6821b45ed

📥 Commits

Reviewing files that changed from the base of the PR and between f1e4687 and 140a351.

📒 Files selected for processing (1)

• plugin/kvm/src/main/java/org/zstack/kvm/efi/KvmSecureBootExtensions.java