3:59 p.m.
The attached patch fixes two issues
- It explicitly checks to see if the requested /usr/bin/qemu* binary
actually exists before fork()/exec()'ing it. While its technically
possible to catch the execve() failure of ENOENT, its a real pain to
feed this error back to the qemu daemon because we're in a sub-process
at that point. The obvious & easy solution is to thus check to see if
the binary exists before trying to fork.
- It only passes the -no-kqemu flag if we're running matching arch to
the host. Previously it would pass the -no-kqemu flag even if running
an x86_64 guest on i686 platform - QEMU then exited with error because
the -no-kqemu flag is not recognised on x86_64 when running on i686 host.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
4:16 p.m.
On Sun, Apr 15, 2007 at 09:59:35PM +0100, Daniel P. Berrange wrote:
The attached patch fixes two issues
- It explicitly checks to see if the requested /usr/bin/qemu* binary
actually exists before fork()/exec()'ing it. While its technically
possible to catch the execve() failure of ENOENT, its a real pain to
feed this error back to the qemu daemon because we're in a sub-process
at that point. The obvious & easy solution is to thus check to see if
the binary exists before trying to fork.
- It only passes the -no-kqemu flag if we're running matching arch to
the host. Previously it would pass the -no-kqemu flag even if running
an x86_64 guest on i686 platform - QEMU then exited with error because
the -no-kqemu flag is not recognised on x86_64 when running on i686 host.
Looking purely at the code this looks fine to me,
Daniel
--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard(a)redhat.com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
5:49 a.m.
Daniel P. Berrange wrote:
The attached patch fixes two issues
- It explicitly checks to see if the requested /usr/bin/qemu* binary
actually exists before fork()/exec()'ing it. While its technically
possible to catch the execve() failure of ENOENT, its a real pain to
feed this error back to the qemu daemon because we're in a sub-process
at that point. The obvious & easy solution is to thus check to see if
the binary exists before trying to fork.
This is quite a hard problem to fix properly, as I'm sure you know.
If we were to change to use execvp, so making libvirt less dependent on
the precise location of qemu binaries[1] then a complete test would also
need to parse $PATH.
With SELinux an exec can fail for a lot more reasons than just lack of
the binary or lack of execute bit.
And additionally, just because we manage to execvp the qemu-* binary,
that doesn't mean that it initialises fully. In Real Life rpm ensures
that we can't install libvirt without having qemu, so qemu
initialisation failures are likely to be far more common than
cannot-exec-qemu failures.
Olwm (the old OpenLook window manager) solved both problems in this way.
From the olwm man page[2]:
-syncpid process-id
When olwm has completed its initialization, it will
send a signal (SIGALRM by default) to process-id. The
signal will be sent only if this option is present.
This is useful for running olwm from shell scripts
(such as .xinitrc) in such a way that the script waits
for olwm to finish its initialization, while leaving
olwm as a child process of the shell script. This can
be done using the following sh(1) construct:
sleep 15 & pid=$!
olwm -syncpid $pid &
wait $pid
-syncsignal signal
Specifies the signal to send instead of SIGALRM. The
signal is specified as a number, not symbolically.
(In the shell-script example shown there is no way to catch errors, but
you can easily extend this by sending SIGALRM to the parent --
indicating correct exec + initialisation -- or timing out).
OK, so this requires an upstream patch to qemu. Worth getting this in
now with the view that a few years down the line it'll be useful?
In the present, qemu has two features which seem to allow us to detect
partial or full initialisation.
The -daemonize flag in qemu explicitly allows you to do this. They use
a pipe from the child back to the parent which sends a signal back to
the parent after full initialisation has happened. Unfortunately this
means that qemu is not only not a child of libvirt, but also we no
longer have access to stdin/stdout (ie. console). We would need to make
another (good) change to allow qemu to write console sockets into a
well-known directory using qemu -monitor unix:/var/...
The -pidfile flag is a more immediate, partial solution. The pidfile is
written part way through initialisation -- the qemu process has been
exec'd and has done some work, and then works its way through the
command line arguments until it reaches this one, whereupon it creates
the file immediately. After parsing command line arguments, some
further initialisation is done, so this is not a full solution.
What do people think? Worth me working on fixing this problem properly?
Rich.
[1] It's arguable whether we should do that, or rely on configure-time
detection of the binaries. Perhaps configure-time configuration is more
secure.
[2] http://www.umanitoba.ca/cgi-bin/man.cgi?section=1&topic=olwm
6:30 a.m.
On Mon, 2007-04-16 at 11:49 +0100, Richard W.M. Jones wrote:
Olwm (the old OpenLook window manager) solved both problems in this
way.
From the olwm man page[2]:
-syncpid process-id
When olwm has completed its initialization, it will
send a signal (SIGALRM by default) to process-id.
X does something similar, in that if you set the signal handler to
SIG_IGN for USR1 before exec-ing it, then X will send a USR1 to its
parent once it has initialised.
This is solving a different problem, though - how does the parent
process know when the child process has initialised and is ready to e.g.
start accepting connections? That's why it has "sync" in the name -
it's
a synchronisation thing, rather than an error reporting thing.
i.e. for error handling, you don't want to have to block for this "I'm
ready" signal, you don't want to have to have timeout for the case where
you never get the signal, and you want to actually know what went wrong
if there was an error.
The best way for a child to report an errno from exec() is to pass it
back via a pipe which was created by the parent. That way the parent
doesn't have to block. Note, the child should mark its side of the pipe
with CLOEXEC.
Cheers,
Mark.
6430
days inactive
6431
days old
3 comments
4 participants
participants (4)
-
Daniel P. Berrange -
Daniel Veillard -
Mark McLoughlin -
Richard W.M. Jones