Daniel P. Berrange wrote:
> On Wed, Sep 27, 2006 at 01:54:53PM -0500, Anthony Liguori wrote:
> > Destroy is neither synchronous nor guaranteed. It's a request to the
> > hypervisor that isn't completed until all of the memory is completely
> > unmapped by any other domain that may be mapping it.
> >
> > If you want to be really robust, you shouldn't assume that the domain is
> > actually destroyed after doing a destroy. The race conditions, in
> > practice, are usually very small but they are still there.
>
> So is there any better way to block on destroy here? In the clustering
> scenario it's necessary to 'fence' a misbehaving domain on a host before
> bringing it back online. From what you're saying it would appear to be
> necessary to poll for completion of the destroy op before trying to
> restart the domain.

The 3.0.4 API ought to have proper async/sync semantics. Polling is an
option.

Keep in mind, this problem isn't limited to destroy. It's true for
reboot, shutdown, etc. There are very few ops that are actually
synchronous in Xen today.

Regards,
Anthony Liguori

> Regards,
> Dan.
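
Added example, not part of the original thread and not Xen or libvirt code: a sketch of the poll-after-destroy approach discussed above, where a fencing agent treats destroy as a request and refuses to restart the domain until its absence is confirmed. The callables `request_destroy` and `domain_exists`, and the `FakeHypervisor` stand-in, are hypothetical names used for illustration.

```python
import time

class FenceTimeout(Exception):
    """Destroy was requested but the domain was still present at the deadline."""

def fence_domain(request_destroy, domain_exists, timeout=30.0,
                 interval=0.1, max_interval=2.0):
    """Issue destroy, then poll until the domain is gone. Returns the poll count."""
    request_destroy()                      # asynchronous request, not a guarantee
    deadline = time.monotonic() + timeout
    polls = 0
    while True:
        polls += 1
        if not domain_exists():
            return polls                   # teardown confirmed
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise FenceTimeout("domain still present after %.1fs" % timeout)
        time.sleep(min(interval, remaining))
        interval = min(interval * 2, max_interval)   # exponential backoff

def fence_then_restart(request_destroy, domain_exists, restart, **kw):
    """Fail closed: restart only after the old instance is confirmed gone."""
    try:
        fence_domain(request_destroy, domain_exists, **kw)
    except FenceTimeout:
        return False                       # leave the resource offline
    restart()
    return True

class FakeHypervisor:
    """Constructed stand-in: the domain lingers for `linger` polls after destroy,
    as it would while another domain still maps its memory."""
    def __init__(self, linger):
        self.linger = linger
        self.destroy_requested = False
        self.restarts = 0
    def destroy(self):
        self.destroy_requested = True
    def exists(self):
        if self.destroy_requested and self.linger == 0:
            return False
        if self.destroy_requested:
            self.linger -= 1
        return True
    def restart(self):
        self.restarts += 1
```

The same wrapper applies to reboot and shutdown requests, which the thread notes are equally asynchronous.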