Paolo Bonzini <pbonzini(a)redhat.com> writes:
Il 22/08/2013 19:53, Laszlo Ersek ha scritto:
>> > We should just introduce a simple watchdog device based on virtio and
>> > call it a day. Then it's cross platform, solves the guest enumeration
>> > problem, and libvirt can detect the presence of the new device.
> If the guest doesn't initialize the proposed virtio-panic device, then
> it will lie dormant too, just like the current pvpanic device. That's good.
>
> However a new (standalone) virtio device will take up yet another PCI
> function (a full device if you want it to be hotpluggable). PCI
> functions are scarcer than ioports.
Not just that. Panic notifiers are called in a substantially unknown
environment, with locks taken or interrupts already set up.
If you make the panic notify a config space write, then on virtio-pci,
it's an outb to a fixed offset within a io address that after boot is
static.
So the address could be stored in a global and accessed without a lock.
This is why we went for a simple ISA device.
"Simple ISA device" doesn't exist outside of x86 and as we are learning,
it's not all that simple.
Configuration via ACPI
follows naturally from there, and anyway any other standard of the day
would have had the same problem with Windows. At some point we had ACPI
methods instead of a simple ioport write, but we had to remove that
because the ACPI subsystem might have had its lock taken.
The difference is that ACPI or platform devices in general are
unexpected to be added. By definition it means that the motherboard has
most likely been changed.
OTOH, a new PCI device is expected and most OSes will deal gracefully
with it.
Also, a virtio watchdog device makes little sense, IMHO. PV makes sense
if emulation has insufficient performance, excessive CPU usage, or
excessive complexity. We already have both an ISA and a PCI watchdog,
and they serve their purpose wonderfully.
Neither of which actually work with modern versions of Windows FWIW.
Plus emulated watchdogs do not take into account steal time or
overcommit in general. I've seen multiple cases where a naive watchdog
has a problem in the field when the system is under heavy load.
A PV watchdog actually makes sense because it can be defined based on
guest run time instead of wall clock time.
Regards,
Anthony Liguori
Paolo