Gary asked if it is possible to examine a KVM snapshot or backing file and perhaps list out the files and so on that had changed between the backing file and the current image.
It’s possible to use libguestfs to examine the changes, and in this three part series I’ll show you how.
I want to examine the file and Windows registry changes that happen when I install Google Chrome for Windows.
I first set up a Windows guest with a backing file, and I made sure the backing file was committed just before Chrome was downloaded and installed:
$ ll win7.qcow2 backing.qcow2 -rw-r--r--. 1 qemu qemu 10099228672 Jun 3 10:40 backing.qcow2 -rw-r--r--. 1 root root 60555264 Jun 3 10:40 win7.qcow2
Then I installed Chrome in the guest, and as you can see the win7.qcow2 file (containing just changes) is much larger while the backing file has stayed the same:
$ ll win7.qcow2 backing.qcow2 -rw-r--r--. 1 qemu qemu 10099228672 Jun 3 10:40 backing.qcow2 -rw-r--r--. 1 root root 682164224 Jun 3 11:08 win7.qcow2
Getting a list of files that have been added or removed by installing Chrome is easy. Note that this does not show files that have been modified (we’ll get to that in the next part). Note #2 because of a bug in WordPress, you have to type “backslash zero” where it says “NUL” below.
$ guestfish --ro -i -a win7.qcow2 find0 / - |
tr 'NUL' '\n' | sort > files.with-chrome
$ guestfish --ro -i -a backing.qcow2 find0 / - |
tr 'NUL' '\n' | sort > files.without-chrome
$ diff -u files.without-chrome files.with-chrome |
less
[...]
+Users/rjones/AppData/Local/Google
+Users/rjones/AppData/Local/Google/Chrome
+Users/rjones/AppData/Local/Google/Chrome/Application
+Users/rjones/AppData/Local/Google/Chrome/Application/11.0.696.71
+Users/rjones/AppData/Local/Google/Chrome/Application/11.0.696.71/avcodec-52.dll
[...]
Users/rjones/Desktop
Users/rjones/Desktop/desktop.ini
+Users/rjones/Desktop/Google Chrome.lnk
Users/rjones/Documents
Users/rjones/Documents/desktop.ini
Google Chrome doesn’t (or can’t?) install anything under Program Files, instead preferring to install itself completely within AppData/Local in the user’s home directory.
In the next part I’ll show you how to find out when file contents, size or permissions have changed, and in the third part, we’ll look at Windows registry changes.
Richard WM Jones 