On 01/31/2012 02:53 AM, Daniel P. Berrange wrote:
> In the meantime, shouldn't we at least wait longer before resorting
> to SIGKILL? (especially since it appears the current timeout is
> quite often too short). (If we don't at least do that, what we're
> saying is "the behavior of virDomainShutdown / virDomainDestroy is
> to lose your data unless you're lucky. If you don't want this
> behavior, you need to use virDomainXXXFlags, and specify the
> VIR_DOMAIN_DONT_TRASH_MY_DATA flag" :-P).
If you add a flag to trigger a graceful kill(SIGINT) only, then
we don't need to change the timeout. The application now has the
ability to wait as long as they like, before issuing another
virDomainDestroy().
The new flag only benefits new apps that are compiled to use the new
flag. I see nothing wrong with lengthening the timeout when no flag is
present, to also benefit the older apps that have not yet been
recompiled to use the new flag, since as was pointed out, the loop gives
up as soon as the process is gone, so in the common case, it won't
change behavior, and in the timeout case, we are waiting longer and thus
less likely to lose data. In other words, I'm in favor of both
approaches (new flag and longer default timeout when no flag is used).
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org