[libvirt] [PATCH v2 0/9] Resolve libvirtd hang on termination with connected long running client
v1: https://www.redhat.com/archives/libvir-list/2018-January/msg00624.html Cannot recall differences from v1. Since so much changed since v1, figured it'd be easier to just repost to continue the discussion. John Ferlan (9): libvirtd: Alter refcnt processing for domain server objects libvirtd: Alter refcnt processing for server program objects util: Introduce virThreadPoolQuitRequested rpc: Introduce virNetServerQuitRequested rpc: Introduce virNetServerWorkerCount daemon: Add quit_timeout period rpc: Alter virNetDaemonQuit processing docs: Add news article for libvirtd issue APPLY ONLY FOR TESTING PURPOSES docs/news.xml | 12 +++++ src/libvirt_private.syms | 1 + src/libvirt_remote.syms | 3 ++ src/qemu/qemu_driver.c | 5 ++ src/remote/libvirtd.aug | 1 + src/remote/libvirtd.conf | 8 +++ src/remote/remote_daemon.c | 40 ++++++++++----- src/remote/remote_daemon_config.c | 5 ++ src/remote/remote_daemon_config.h | 2 + src/remote/test_libvirtd.aug.in | 1 + src/rpc/virnetdaemon.c | 82 ++++++++++++++++++++++++++++++- src/rpc/virnetdaemon.h | 4 ++ src/rpc/virnetserver.c | 50 +++++++++++++++++++ src/rpc/virnetserver.h | 4 ++ src/util/virthreadpool.c | 51 ++++++++++++++++--- src/util/virthreadpool.h | 2 + 16 files changed, 250 insertions(+), 21 deletions(-) -- 2.17.1
Once virNetDaemonAddServer returns, the @srv or @srvAdm have either been added to the @dmn list increasing the refcnt or there was an error. In either case, we can lower the refcnt from virNetServerNew, but not set to NULL. Thus "using" the hash table reference when adding programs later or allowing the immediate free of the object on error. The @dmn dispose function (virNetDaemonDispose) will handle the Unref of each object during the virHashFree when the object is removed from the hash table. Signed-off-by: John Ferlan <jferlan@redhat.com> Reviewed-by: Erik Skultety <eskultet@redhat.com> Reviewed-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com> --- src/remote/remote_daemon.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c index 9f3a5f38ad..f61d58f3e5 100644 --- a/src/remote/remote_daemon.c +++ b/src/remote/remote_daemon.c @@ -1036,6 +1036,7 @@ int main(int argc, char **argv) { char *remote_config_file = NULL; int statuswrite = -1; int ret = 1; + int rc; int pid_file_fd = -1; char *pid_file = NULL; char *sock_file = NULL; @@ -1290,7 +1291,11 @@ int main(int argc, char **argv) { goto cleanup; } - if (virNetDaemonAddServer(dmn, srv) < 0) { + /* Add @srv to @dmn servers hash table and Unref to allow removal from + * hash table at @dmn disposal to decide when to free @srv */ + rc = virNetDaemonAddServer(dmn, srv); + virObjectUnref(srv); + if (rc < 0) { ret = VIR_DAEMON_ERR_INIT; goto cleanup; } @@ -1358,7 +1363,11 @@ int main(int argc, char **argv) { goto cleanup; } - if (virNetDaemonAddServer(dmn, srvAdm) < 0) { + /* Add @srvAdm to @dmn servers hash table and Unref to allow removal from + * hash table at @dmn disposal to decide when to free @srvAdm */ + rc = virNetDaemonAddServer(dmn, srvAdm); + virObjectUnref(srvAdm); + if (rc < 0) { ret = VIR_DAEMON_ERR_INIT; goto cleanup; } @@ -1479,11 +1488,9 @@ int main(int argc, char **argv) { } virObjectUnref(adminProgram); - virObjectUnref(srvAdm); virObjectUnref(qemuProgram); virObjectUnref(lxcProgram); virObjectUnref(remoteProgram); - virObjectUnref(srv); virObjectUnref(dmn); virNetlinkShutdown(); -- 2.17.1
Once virNetServerProgramNew returns, the program objects have either been added to the @srv or @srvAdm list increasing the refcnt or there was an error. In either case, we can lower the refcnt from virNetServerProgramNew and set the object to NULL since it won't be used any more. The @srv or @srvAdm dispose function (virNetServerDispose) will handle the Unref of each object during the virHashFree when the object is removed from the hash table. Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/remote/remote_daemon.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c index f61d58f3e5..dee634d7e1 100644 --- a/src/remote/remote_daemon.c +++ b/src/remote/remote_daemon.c @@ -1317,7 +1317,10 @@ int main(int argc, char **argv) { ret = VIR_DAEMON_ERR_INIT; goto cleanup; } - if (virNetServerAddProgram(srv, remoteProgram) < 0) { + + rc = virNetServerAddProgram(srv, remoteProgram); + virObjectUnref(remoteProgram); + if (rc < 0) { ret = VIR_DAEMON_ERR_INIT; goto cleanup; } @@ -1329,7 +1332,10 @@ int main(int argc, char **argv) { ret = VIR_DAEMON_ERR_INIT; goto cleanup; } - if (virNetServerAddProgram(srv, lxcProgram) < 0) { + + rc = virNetServerAddProgram(srv, lxcProgram); + virObjectUnref(lxcProgram); + if (rc < 0) { ret = VIR_DAEMON_ERR_INIT; goto cleanup; } @@ -1341,7 +1347,10 @@ int main(int argc, char **argv) { ret = VIR_DAEMON_ERR_INIT; goto cleanup; } - if (virNetServerAddProgram(srv, qemuProgram) < 0) { + + rc = virNetServerAddProgram(srv, qemuProgram); + virObjectUnref(qemuProgram); + if (rc < 0) { ret = VIR_DAEMON_ERR_INIT; goto cleanup; } @@ -1379,7 +1388,10 @@ int main(int argc, char **argv) { ret = VIR_DAEMON_ERR_INIT; goto cleanup; } - if (virNetServerAddProgram(srvAdm, adminProgram) < 0) { + + rc = virNetServerAddProgram(srvAdm, adminProgram); + virObjectUnref(adminProgram); + if (rc < 0) { ret = VIR_DAEMON_ERR_INIT; goto cleanup; } @@ -1487,10 +1499,6 @@ int main(int argc, char **argv) { virStateCleanup(); } - virObjectUnref(adminProgram); - virObjectUnref(qemuProgram); - virObjectUnref(lxcProgram); - virObjectUnref(remoteProgram); virObjectUnref(dmn); virNetlinkShutdown(); -- 2.17.1
Create a helper API to set the quit flag and wake up the worker threads when a quit has been requested such as via a signal handler. Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/libvirt_private.syms | 1 + src/util/virthreadpool.c | 43 ++++++++++++++++++++++++++++++++++------ src/util/virthreadpool.h | 2 ++ 3 files changed, 40 insertions(+), 6 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 3e304907b9..af76c29928 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -3001,6 +3001,7 @@ virThreadPoolGetMaxWorkers; virThreadPoolGetMinWorkers; virThreadPoolGetPriorityWorkers; virThreadPoolNewFull; +virThreadPoolQuitRequested; virThreadPoolSendJob; virThreadPoolSetParameters; diff --git a/src/util/virthreadpool.c b/src/util/virthreadpool.c index 10f2bd2c3a..137c5d1746 100644 --- a/src/util/virthreadpool.c +++ b/src/util/virthreadpool.c @@ -30,9 +30,12 @@ #include "viralloc.h" #include "virthread.h" #include "virerror.h" +#include "virlog.h" #define VIR_FROM_THIS VIR_FROM_NONE +VIR_LOG_INIT("util.threadpool"); + typedef struct _virThreadPoolJob virThreadPoolJob; typedef virThreadPoolJob *virThreadPoolJobPtr; @@ -269,6 +272,18 @@ virThreadPoolNewFull(size_t minWorkers, } + +static void +virThreadPoolSetQuit(virThreadPoolPtr pool) +{ + pool->quit = true; + if (pool->nWorkers > 0) + virCondBroadcast(&pool->cond); + if (pool->nPrioWorkers > 0) + virCondBroadcast(&pool->prioCond); +} + + void virThreadPoolFree(virThreadPoolPtr pool) { virThreadPoolJobPtr job; @@ -278,13 +293,9 @@ void virThreadPoolFree(virThreadPoolPtr pool) return; virMutexLock(&pool->mutex); - pool->quit = true; - if (pool->nWorkers > 0) - virCondBroadcast(&pool->cond); - if (pool->nPrioWorkers > 0) { + if (pool->nPrioWorkers > 0) priority = true; - virCondBroadcast(&pool->prioCond); - } + virThreadPoolSetQuit(pool); while (pool->nWorkers > 0 || pool->nPrioWorkers > 0) ignore_value(virCondWait(&pool->quit_cond, &pool->mutex)); @@ -307,6 +318,26 @@ void virThreadPoolFree(virThreadPoolPtr pool) } +/* + * virThreadPoolQuitRequested: + * @pool: Pointer to thread pool + * + * When libvirtd quit is requested via the daemonShutdownHandler let's + * set the quit flag for current workers and wake them up. + */ +void +virThreadPoolQuitRequested(virThreadPoolPtr pool) +{ + virMutexLock(&pool->mutex); + + VIR_DEBUG("nWorkers=%zd, nPrioWorkers=%zd jobQueueDepth=%zd", + pool->nWorkers, pool->nPrioWorkers, pool->jobQueueDepth); + + virThreadPoolSetQuit(pool); + virMutexUnlock(&pool->mutex); +} + + size_t virThreadPoolGetMinWorkers(virThreadPoolPtr pool) { size_t ret; diff --git a/src/util/virthreadpool.h b/src/util/virthreadpool.h index e1f362f5bb..f2c8b2ae61 100644 --- a/src/util/virthreadpool.h +++ b/src/util/virthreadpool.h @@ -52,6 +52,8 @@ size_t virThreadPoolGetJobQueueDepth(virThreadPoolPtr pool); void virThreadPoolFree(virThreadPoolPtr pool); +void virThreadPoolQuitRequested(virThreadPoolPtr pool); + int virThreadPoolSendJob(virThreadPoolPtr pool, unsigned int priority, void *jobdata) ATTRIBUTE_NONNULL(1) -- 2.17.1
Create a helper API to disable new connections and request the worker threads to quit when a quit has been requested such as via a signal handler. Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/libvirt_remote.syms | 1 + src/rpc/virnetdaemon.c | 13 +++++++++++++ src/rpc/virnetserver.c | 24 ++++++++++++++++++++++++ src/rpc/virnetserver.h | 2 ++ 4 files changed, 40 insertions(+) diff --git a/src/libvirt_remote.syms b/src/libvirt_remote.syms index 9a33626ec6..9ee983fdf2 100644 --- a/src/libvirt_remote.syms +++ b/src/libvirt_remote.syms @@ -129,6 +129,7 @@ virNetServerNewPostExecRestart; virNetServerNextClientID; virNetServerPreExecRestart; virNetServerProcessClients; +virNetServerQuitRequested; virNetServerSetClientAuthenticated; virNetServerSetClientLimits; virNetServerSetThreadPoolParameters; diff --git a/src/rpc/virnetdaemon.c b/src/rpc/virnetdaemon.c index 31b687de12..329f116a6c 100644 --- a/src/rpc/virnetdaemon.c +++ b/src/rpc/virnetdaemon.c @@ -862,6 +862,18 @@ virNetDaemonRun(virNetDaemonPtr dmn) } +static int +daemonServerQuitRequested(void *payload, + const void *key ATTRIBUTE_UNUSED, + void *opaque ATTRIBUTE_UNUSED) +{ + virNetServerPtr srv = payload; + + virNetServerQuitRequested(srv); + return 0; +} + + void virNetDaemonQuit(virNetDaemonPtr dmn) { @@ -869,6 +881,7 @@ virNetDaemonQuit(virNetDaemonPtr dmn) VIR_DEBUG("Quit requested %p", dmn); dmn->quit = true; + virHashForEach(dmn->servers, daemonServerQuitRequested, NULL); virObjectUnlock(dmn); } diff --git a/src/rpc/virnetserver.c b/src/rpc/virnetserver.c index 5c7f7dd08f..c426567d86 100644 --- a/src/rpc/virnetserver.c +++ b/src/rpc/virnetserver.c @@ -818,6 +818,30 @@ void virNetServerDispose(void *obj) virNetServerMDNSFree(srv->mdns); } + +/* virNetServerQuitRequested: + * @srv: Netserver pointer + * + * Disable new connections and let the worker threads know that + * a quit has been requested. + */ +void +virNetServerQuitRequested(virNetServerPtr srv) +{ + size_t i; + + if (!srv) + return; + + VIR_DEBUG("Quit server requested '%s'", srv->name); + + for (i = 0; i < srv->nservices; i++) + virNetServerServiceToggle(srv->services[i], false); + + virThreadPoolQuitRequested(srv->workers); +} + + void virNetServerClose(virNetServerPtr srv) { size_t i; diff --git a/src/rpc/virnetserver.h b/src/rpc/virnetserver.h index 26cec43c22..fcaf48fe14 100644 --- a/src/rpc/virnetserver.h +++ b/src/rpc/virnetserver.h @@ -58,6 +58,8 @@ virNetServerPtr virNetServerNewPostExecRestart(virJSONValuePtr object, ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) ATTRIBUTE_NONNULL(4) ATTRIBUTE_NONNULL(5) ATTRIBUTE_NONNULL(6); +void virNetServerQuitRequested(virNetServerPtr srv); + void virNetServerClose(virNetServerPtr srv); virJSONValuePtr virNetServerPreExecRestart(virNetServerPtr srv); -- 2.17.1
Get a count of the number of workers for all servers that are still processing a job. Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/libvirt_remote.syms | 1 + src/rpc/virnetserver.c | 26 ++++++++++++++++++++++++++ src/rpc/virnetserver.h | 2 ++ 3 files changed, 29 insertions(+) diff --git a/src/libvirt_remote.syms b/src/libvirt_remote.syms index 9ee983fdf2..a8f937f32e 100644 --- a/src/libvirt_remote.syms +++ b/src/libvirt_remote.syms @@ -136,6 +136,7 @@ virNetServerSetThreadPoolParameters; virNetServerSetTLSContext; virNetServerStart; virNetServerUpdateServices; +virNetServerWorkerCount; # rpc/virnetserverclient.h diff --git a/src/rpc/virnetserver.c b/src/rpc/virnetserver.c index c426567d86..053ef8a5ab 100644 --- a/src/rpc/virnetserver.c +++ b/src/rpc/virnetserver.c @@ -842,6 +842,32 @@ virNetServerQuitRequested(virNetServerPtr srv) } +/* virNetServerWorkerCount: + * @srv: Netserver pointer + * + * Return the number of workers still waiting to be processed. This + * allows the quit requested code to wait for all worker jobs to be + * completed before actually quitting. + */ +size_t +virNetServerWorkerCount(virNetServerPtr srv) +{ + size_t workerCount; + + virObjectLock(srv); + + workerCount = virThreadPoolGetCurrentWorkers(srv->workers) + + virThreadPoolGetPriorityWorkers(srv->workers); + + if (workerCount > 0) + VIR_DEBUG("server '%s' still has %zd workers", srv->name, workerCount); + + virObjectUnlock(srv); + + return workerCount; +} + + void virNetServerClose(virNetServerPtr srv) { size_t i; diff --git a/src/rpc/virnetserver.h b/src/rpc/virnetserver.h index fcaf48fe14..3b2582e15b 100644 --- a/src/rpc/virnetserver.h +++ b/src/rpc/virnetserver.h @@ -60,6 +60,8 @@ virNetServerPtr virNetServerNewPostExecRestart(virJSONValuePtr object, void virNetServerQuitRequested(virNetServerPtr srv); +size_t virNetServerWorkerCount(virNetServerPtr srv); + void virNetServerClose(virNetServerPtr srv); virJSONValuePtr virNetServerPreExecRestart(virNetServerPtr srv); -- 2.17.1
In order to prepare for the possibility to allow long running thread(s) to complete their task(s) when a quit signal is received by the daemon, create a configurable quit_timeout period in seconds. Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/remote/libvirtd.aug | 1 + src/remote/libvirtd.conf | 8 ++++++++ src/remote/remote_daemon_config.c | 5 +++++ src/remote/remote_daemon_config.h | 2 ++ src/remote/test_libvirtd.aug.in | 1 + 5 files changed, 17 insertions(+) diff --git a/src/remote/libvirtd.aug b/src/remote/libvirtd.aug index 13333448a4..2c282e53e5 100644 --- a/src/remote/libvirtd.aug +++ b/src/remote/libvirtd.aug @@ -62,6 +62,7 @@ module Libvirtd = | int_entry "max_anonymous_clients" | int_entry "max_client_requests" | int_entry "prio_workers" + | int_entry "quit_timeout" let admin_processing_entry = int_entry "admin_min_workers" | int_entry "admin_max_workers" diff --git a/src/remote/libvirtd.conf b/src/remote/libvirtd.conf index 92562ab7ae..cc9647391d 100644 --- a/src/remote/libvirtd.conf +++ b/src/remote/libvirtd.conf @@ -321,6 +321,14 @@ # parameter. #max_client_requests = 5 +# Approximate number of seconds to wait to allow worker threads to +# complete when a signal to quit (e.g. SIGINT, SIGQUIT, SIGTERM) is +# received by libvirtd. This is only for currently processing workers +# in order to allow them to potentially complete their long running +# task such as stats collection or migrations. The default is to +# not wait. +#quit_timeout = 0 + # Same processing controls, but this time for the admin interface. # For description of each option, be so kind to scroll few lines # upwards. diff --git a/src/remote/remote_daemon_config.c b/src/remote/remote_daemon_config.c index b1516befb4..d6b3575a9a 100644 --- a/src/remote/remote_daemon_config.c +++ b/src/remote/remote_daemon_config.c @@ -155,6 +155,8 @@ daemonConfigNew(bool privileged ATTRIBUTE_UNUSED) data->max_client_requests = 5; + data->quit_timeout = 0; + data->audit_level = 1; data->audit_logging = 0; @@ -350,6 +352,9 @@ daemonConfigLoadOptions(struct daemonConfig *data, if (virConfGetValueUInt(conf, "max_client_requests", &data->max_client_requests) < 0) goto error; + if (virConfGetValueUInt(conf, "quit_timeout", &data->quit_timeout) < 0) + goto error; + if (virConfGetValueUInt(conf, "admin_min_workers", &data->admin_min_workers) < 0) goto error; if (virConfGetValueUInt(conf, "admin_max_workers", &data->admin_max_workers) < 0) diff --git a/src/remote/remote_daemon_config.h b/src/remote/remote_daemon_config.h index 49ea80104b..0f27bf44c8 100644 --- a/src/remote/remote_daemon_config.h +++ b/src/remote/remote_daemon_config.h @@ -73,6 +73,8 @@ struct daemonConfig { unsigned int max_client_requests; + unsigned int quit_timeout; + unsigned int log_level; char *log_filters; char *log_outputs; diff --git a/src/remote/test_libvirtd.aug.in b/src/remote/test_libvirtd.aug.in index 527e3d7d0d..c559696f58 100644 --- a/src/remote/test_libvirtd.aug.in +++ b/src/remote/test_libvirtd.aug.in @@ -43,6 +43,7 @@ module Test_libvirtd = { "max_workers" = "20" } { "prio_workers" = "5" } { "max_client_requests" = "5" } + { "quit_timeout" = "0" } { "admin_min_workers" = "1" } { "admin_max_workers" = "5" } { "admin_max_clients" = "5" } -- 2.17.1
When virNetDaemonQuit is called from libvirtd's shutdown handler (daemonShutdownHandler) we need to perform the quit in multiple steps. The first part is to "request" the quit and notify the NetServer's of the impending quit which causes the NetServers to inform their workers that a quit was requested. Still because we cannot guarantee a quit will happen or it's possible there's no workers pending, use a virNetDaemonQuitTimer to not only break the event loop but keep track of how long we're waiting and we've waited too long, force an ungraceful exit so that we don't hang waiting forever or cause some sort of SEGV because something is still pending and we Unref things. Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/libvirt_remote.syms | 1 + src/remote/remote_daemon.c | 1 + src/rpc/virnetdaemon.c | 68 +++++++++++++++++++++++++++++++++++++- src/rpc/virnetdaemon.h | 4 +++ 4 files changed, 73 insertions(+), 1 deletion(-) diff --git a/src/libvirt_remote.syms b/src/libvirt_remote.syms index a8f937f32e..e416cfec44 100644 --- a/src/libvirt_remote.syms +++ b/src/libvirt_remote.syms @@ -87,6 +87,7 @@ virNetDaemonPreExecRestart; virNetDaemonQuit; virNetDaemonRemoveShutdownInhibition; virNetDaemonRun; +virNetDaemonSetQuitTimeout; virNetDaemonUpdateServices; diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c index dee634d7e1..d11adf422f 100644 --- a/src/remote/remote_daemon.c +++ b/src/remote/remote_daemon.c @@ -1273,6 +1273,7 @@ int main(int argc, char **argv) { ret = VIR_DAEMON_ERR_DRIVER; goto cleanup; } + virNetDaemonSetQuitTimeout(dmn, config->quit_timeout); if (!(srv = virNetServerNew("libvirtd", 1, config->min_workers, diff --git a/src/rpc/virnetdaemon.c b/src/rpc/virnetdaemon.c index 329f116a6c..c6ed65c8c3 100644 --- a/src/rpc/virnetdaemon.c +++ b/src/rpc/virnetdaemon.c @@ -73,6 +73,8 @@ struct _virNetDaemon { virHashTablePtr servers; virJSONValuePtr srvObject; + unsigned int quitTimeout; + bool quitRequested; bool quit; unsigned int autoShutdownTimeout; @@ -153,6 +155,14 @@ virNetDaemonNew(void) } +void +virNetDaemonSetQuitTimeout(virNetDaemonPtr dmn, + unsigned int quitTimeout) +{ + dmn->quitTimeout = quitTimeout; +} + + int virNetDaemonAddServer(virNetDaemonPtr dmn, virNetServerPtr srv) @@ -791,11 +801,50 @@ daemonServerProcessClients(void *payload, return 0; } + +static int +daemonServerWorkerCount(void *payload, + const void *key ATTRIBUTE_UNUSED, + void *opaque) +{ + size_t *workerCount = opaque; + virNetServerPtr srv = payload; + + *workerCount += virNetServerWorkerCount(srv); + + return 0; +} + + +static bool +daemonServerWorkersDone(virNetDaemonPtr dmn) +{ + size_t workerCount = 0; + + virHashForEach(dmn->servers, daemonServerWorkerCount, &workerCount); + + return workerCount == 0; +} + + +static void +virNetDaemonQuitTimer(int timer ATTRIBUTE_UNUSED, + void *opaque) +{ + int *quitCount = opaque; + + (*quitCount)++; + VIR_DEBUG("quitCount=%d", *quitCount); +} + + void virNetDaemonRun(virNetDaemonPtr dmn) { int timerid = -1; bool timerActive = false; + int quitTimer = -1; + int quitCount = 0; virObjectLock(dmn); @@ -855,10 +904,27 @@ virNetDaemonRun(virNetDaemonPtr dmn) virObjectLock(dmn); virHashForEach(dmn->servers, daemonServerProcessClients, NULL); + + /* HACK: Add a dummy timeout to break event loop */ + if (dmn->quitRequested && quitTimer == -1) + quitTimer = virEventAddTimeout(500, virNetDaemonQuitTimer, + &quitCount, NULL); + + if (dmn->quitRequested && daemonServerWorkersDone(dmn)) { + dmn->quit = true; + } else { + /* Firing every 1/2 second and quitTimeout in seconds, force + * an exit when there are still worker threads running and we + * have waited long enough */ + if (quitCount > dmn->quitTimeout * 2) + _exit(EXIT_FAILURE); + } } cleanup: virObjectUnlock(dmn); + if (quitTimer != -1) + virEventRemoveTimeout(quitTimer); } @@ -880,7 +946,7 @@ virNetDaemonQuit(virNetDaemonPtr dmn) virObjectLock(dmn); VIR_DEBUG("Quit requested %p", dmn); - dmn->quit = true; + dmn->quitRequested = true; virHashForEach(dmn->servers, daemonServerQuitRequested, NULL); virObjectUnlock(dmn); diff --git a/src/rpc/virnetdaemon.h b/src/rpc/virnetdaemon.h index 09ed5adf36..8433d6a09d 100644 --- a/src/rpc/virnetdaemon.h +++ b/src/rpc/virnetdaemon.h @@ -35,6 +35,10 @@ virNetDaemonPtr virNetDaemonNew(void); +void +virNetDaemonSetQuitTimeout(virNetDaemonPtr dmn, + unsigned int quitTimeout); + int virNetDaemonAddServer(virNetDaemonPtr dmn, virNetServerPtr srv); -- 2.17.1
On Sat, Jul 07, 2018 at 08:11:05 -0400, John Ferlan wrote:
When virNetDaemonQuit is called from libvirtd's shutdown handler (daemonShutdownHandler) we need to perform the quit in multiple steps. The first part is to "request" the quit and notify the NetServer's of the impending quit which causes the NetServers to inform their workers that a quit was requested.
Still because we cannot guarantee a quit will happen or it's possible there's no workers pending, use a virNetDaemonQuitTimer to not only break the event loop but keep track of how long we're waiting and we've waited too long, force an ungraceful exit so that we don't hang waiting forever or cause some sort of SEGV because something is still pending and we Unref things.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/libvirt_remote.syms | 1 + src/remote/remote_daemon.c | 1 + src/rpc/virnetdaemon.c | 68 +++++++++++++++++++++++++++++++++++++- src/rpc/virnetdaemon.h | 4 +++ 4 files changed, 73 insertions(+), 1 deletion(-)
[...]
@@ -855,10 +904,27 @@ virNetDaemonRun(virNetDaemonPtr dmn) virObjectLock(dmn);
virHashForEach(dmn->servers, daemonServerProcessClients, NULL); + + /* HACK: Add a dummy timeout to break event loop */ + if (dmn->quitRequested && quitTimer == -1) + quitTimer = virEventAddTimeout(500, virNetDaemonQuitTimer, + &quitCount, NULL); + + if (dmn->quitRequested && daemonServerWorkersDone(dmn)) { + dmn->quit = true; + } else { + /* Firing every 1/2 second and quitTimeout in seconds, force + * an exit when there are still worker threads running and we + * have waited long enough */ + if (quitCount > dmn->quitTimeout * 2) + _exit(EXIT_FAILURE);
If you have a legitimate long-running job which would finish eventually and e.g. write an updated status XML this will break things. I'm not persuaded that this is a systematic solution to some API getting stuck. The commit message also does not help persuading me that this is a good idea. NACK
On 07/09/2018 03:11 AM, Peter Krempa wrote:
On Sat, Jul 07, 2018 at 08:11:05 -0400, John Ferlan wrote:
When virNetDaemonQuit is called from libvirtd's shutdown handler (daemonShutdownHandler) we need to perform the quit in multiple steps. The first part is to "request" the quit and notify the NetServer's of the impending quit which causes the NetServers to inform their workers that a quit was requested.
Still because we cannot guarantee a quit will happen or it's possible there's no workers pending, use a virNetDaemonQuitTimer to not only break the event loop but keep track of how long we're waiting and we've waited too long, force an ungraceful exit so that we don't hang waiting forever or cause some sort of SEGV because something is still pending and we Unref things.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/libvirt_remote.syms | 1 + src/remote/remote_daemon.c | 1 + src/rpc/virnetdaemon.c | 68 +++++++++++++++++++++++++++++++++++++- src/rpc/virnetdaemon.h | 4 +++ 4 files changed, 73 insertions(+), 1 deletion(-)
[...]
@@ -855,10 +904,27 @@ virNetDaemonRun(virNetDaemonPtr dmn) virObjectLock(dmn);
virHashForEach(dmn->servers, daemonServerProcessClients, NULL); + + /* HACK: Add a dummy timeout to break event loop */ + if (dmn->quitRequested && quitTimer == -1) + quitTimer = virEventAddTimeout(500, virNetDaemonQuitTimer, + &quitCount, NULL); + + if (dmn->quitRequested && daemonServerWorkersDone(dmn)) { + dmn->quit = true; + } else { + /* Firing every 1/2 second and quitTimeout in seconds, force + * an exit when there are still worker threads running and we + * have waited long enough */ + if (quitCount > dmn->quitTimeout * 2) + _exit(EXIT_FAILURE);
If you have a legitimate long-running job which would finish eventually and e.g. write an updated status XML this will break things. I'm not persuaded that this is a systematic solution to some API getting stuck.
The commit message also does not help persuading me that this is a good idea.
NACK
I understand the sentiment and this hasn't been a "top of the list" item for me to think about, but to a degree the purpose of re-posting the series was to try to come to a consensus over some solution. A naked NACK almost makes it appear as if you would prefer to not do anything in this situation, letting nature takes it's course (so to speak). Do you have any thoughts or suggestions related to what processing you believe is appropriate if someone issues a SIG{INT|QUIT|TERM} to a daemon (libvirtd|lockd|logd}? That is what to do if we reach the cleanup: label in main() of src/remote/remote_daemon.c and virNetDaemonClose() gets run? Right now IIRC it's either going to be a SEGV or possible long wait for some worker thread to complete. The latter is the don't apply this example to cause a wait in block stats fetch. Naturally the long term wait only matters up through the point while someone is patient before issuing a SIGKILL. Do you favor waiting forever for some worker thread to finish? To some degree if some signal is sent to libvirtd, then I would think the expectation is to not wait for some indeterminate time. And most definitely trying to avoid some sort of defunct state resolvable by a host reboot. Knowing exactly what a worker thread is doing may help, but that'd take a bit (;-)) of code to trace the stack. Perhaps providing a list of client/workers still active or even some indication that we're waiting on some worker rather than no feedback? How much is "too much"? Another option that was proposed, but didn't really gain any support was introduction of a stateShutdown in virStateDriver that would be run during libvirtd's cleanup: processing prior to virNetDaemonClose. That would be before virStateCleanup. For qemu, the priv->mon and priv->agent would be closed. That would seemingly generate an error and cause the worker to exit thus theoretically not needing any forced quit of the thread "if" the reason was some sort of hang as a result of monitor/agent processing. Doesn't mean there wouldn't be some other issue causing a hang. Refreshing my memory on this - there was some discussion or investigation related to using virStateStop, but I since that's gated by "WITH_DBUS" being defined, it wasn't clear if/how it could be used (daemonStop is only called/setup if daemonRunStateInit has set it up). John
On Thu, Jul 12, 2018 at 03:34:00PM -0400, John Ferlan wrote:
On 07/09/2018 03:11 AM, Peter Krempa wrote:
On Sat, Jul 07, 2018 at 08:11:05 -0400, John Ferlan wrote:
When virNetDaemonQuit is called from libvirtd's shutdown handler (daemonShutdownHandler) we need to perform the quit in multiple steps. The first part is to "request" the quit and notify the NetServer's of the impending quit which causes the NetServers to inform their workers that a quit was requested.
Still because we cannot guarantee a quit will happen or it's possible there's no workers pending, use a virNetDaemonQuitTimer to not only break the event loop but keep track of how long we're waiting and we've waited too long, force an ungraceful exit so that we don't hang waiting forever or cause some sort of SEGV because something is still pending and we Unref things.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/libvirt_remote.syms | 1 + src/remote/remote_daemon.c | 1 + src/rpc/virnetdaemon.c | 68 +++++++++++++++++++++++++++++++++++++- src/rpc/virnetdaemon.h | 4 +++ 4 files changed, 73 insertions(+), 1 deletion(-)
[...]
@@ -855,10 +904,27 @@ virNetDaemonRun(virNetDaemonPtr dmn) virObjectLock(dmn);
virHashForEach(dmn->servers, daemonServerProcessClients, NULL); + + /* HACK: Add a dummy timeout to break event loop */ + if (dmn->quitRequested && quitTimer == -1) + quitTimer = virEventAddTimeout(500, virNetDaemonQuitTimer, + &quitCount, NULL); + + if (dmn->quitRequested && daemonServerWorkersDone(dmn)) { + dmn->quit = true; + } else { + /* Firing every 1/2 second and quitTimeout in seconds, force + * an exit when there are still worker threads running and we + * have waited long enough */ + if (quitCount > dmn->quitTimeout * 2) + _exit(EXIT_FAILURE);
If you have a legitimate long-running job which would finish eventually and e.g. write an updated status XML this will break things. I'm not persuaded that this is a systematic solution to some API getting stuck.
The commit message also does not help persuading me that this is a good idea.
NACK
I understand the sentiment and this hasn't been a "top of the list" item for me to think about, but to a degree the purpose of re-posting the series was to try to come to a consensus over some solution. A naked NACK almost makes it appear as if you would prefer to not do anything in this situation, letting nature takes it's course (so to speak).
Do you have any thoughts or suggestions related to what processing you believe is appropriate if someone issues a SIG{INT|QUIT|TERM} to a daemon (libvirtd|lockd|logd}? That is what to do if we reach the cleanup: label in main() of src/remote/remote_daemon.c and virNetDaemonClose() gets run? Right now IIRC it's either going to be a SEGV or possible long wait for some worker thread to complete. The latter is the don't apply this example to cause a wait in block stats fetch. Naturally the long term wait only matters up through the point while someone is patient before issuing a SIGKILL.
Do you favor waiting forever for some worker thread to finish? To some degree if some signal is sent to libvirtd, then I would think the expectation is to not wait for some indeterminate time. And most definitely trying to avoid some sort of defunct state resolvable by a host reboot. Knowing exactly what a worker thread is doing may help, but that'd take a bit (;-)) of code to trace the stack. Perhaps providing a list of client/workers still active or even some indication that we're waiting on some worker rather than no feedback? How much is "too much"?
Another option that was proposed, but didn't really gain any support was introduction of a stateShutdown in virStateDriver that would be run during libvirtd's cleanup: processing prior to virNetDaemonClose. That would be before virStateCleanup. For qemu, the priv->mon and priv->agent would be closed. That would seemingly generate an error and cause the worker to exit thus theoretically not needing any forced quit of the thread "if" the reason was some sort of hang as a result of monitor/agent processing. Doesn't mean there wouldn't be some other issue causing a hang. Refreshing my memory on this - there was some discussion or investigation related to using virStateStop, but I since that's gated by "WITH_DBUS" being defined, it wasn't clear if/how it could be used (daemonStop is only called/setup if daemonRunStateInit has set it up).
I think the key thing to bear in mind is what is the benefit of what we are trying todo. ie why do we need todo a clean shutdown instead of just immediately exiting. The kernel will clean up all resources associated with the process when it exits. So we only need care about a clean shutdown if there is something needing cleanup that the kernel won't handle, or if we are trying to debug with valgrind & similar tools. I tend to think we put way too much time into worrying about getting perfect clean shutdown, for little real world benefit. IMHO, we should make a moderate effort to shutdown cleanly, but if there's something stuck after 15 seconds, we should just uncoditionally call exit(). Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On Mon, Jul 16, 2018 at 10:18:59 +0100, Daniel Berrange wrote:
On Thu, Jul 12, 2018 at 03:34:00PM -0400, John Ferlan wrote:
On 07/09/2018 03:11 AM, Peter Krempa wrote:
On Sat, Jul 07, 2018 at 08:11:05 -0400, John Ferlan wrote:
I think the key thing to bear in mind is what is the benefit of what we are trying todo. ie why do we need todo a clean shutdown instead of just immediately exiting. The kernel will clean up all resources associated with the process when it exits. So we only need care about a clean shutdown if there is something needing cleanup that the kernel won't handle, or if we are trying to debug with valgrind & similar tools.
I tend to think we put way too much time into worrying about getting perfect clean shutdown, for little real world benefit.
IMHO, we should make a moderate effort to shutdown cleanly, but if there's something stuck after 15 seconds, we should just uncoditionally call exit().
I'm not really worried about the uncleannes of the shutdown but rather desynchronisation of qemu-libvirt state. If we exit during a modify job prior to writing the status XML to disk we might end up in an intermediate state which will not be recognized by libvirt afterwards. Just exit()-ing is not a systematic solution here because of the above. In my opinion a better solution is to close the monitor connections after some time and only in cases where we know it's safe. E.g. in QUERY type jobs. Some modify-type jobs may get stuck as well, but only a very few commands create this risk so annotating them and not allowing to break the monitor there should be way better. Currently I'm mostly worried about the 'transaction' command which is used for snapshots, as losing track of the new files is not recoverable. Other block jobs which modify the backing graph would be a problem normally but since we don't track the bakcing chain fully yet it's okay except for finishing step of the active block commit. For the blockjobs it will be possible to work this around by the new APIs in qemu which allow the jobs to linger until we retrieve the state. That means that the only problematic job probably will be 'transaction'/snapshot creation.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- docs/news.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/news.xml b/docs/news.xml index 773c95b0da..6cacded58f 100644 --- a/docs/news.xml +++ b/docs/news.xml @@ -46,6 +46,18 @@ </change> </section> <section title="Improvements"> + <change> + <summary> + Fix issues with unexpected libvirtd termination + </summary> + <description> + If there were outstanding worker threads when libvirtd + received a quit signal via SIGTERM, SIGINT, or SIGQUIT + then, libvirtd may have crashed or hung waiting for a + worker job to send a completion notification that cannot + be received because the event loop was stopped too soon. + </description> + </change> </section> <section title="Bug fixes"> </section> -- 2.17.1
Modify GetAllStats to generate a long enough pause in order to send a SIGTERM to libvirtd while a client connection is processing. In order to "set things up": 1. In one terminal window from a local branch built using these patches using a root account run libvirtd debug, e.g.: # ./run gdb src/libvirtd once running, type a 'c' (e.g. continue) and <return> 2. Start a domain (or have one running with the current libvirtd) virsh start $domain 3. Prepare a domstats command for that domain (but don't yet hit <return> in order run it): virsh domstats $domain 4. Prepare a kill command for the running libvirtd, e.g.: jferlan 4143 4107 0 09:51 pts/1 00:00:00 vim +1396 src/libvirtd.c root 30054 21195 6 11:17 pts/8 00:00:01 gdb /home/jferlan/git/libvirt.work/src/.libs/lt-libvirtd root 30087 30054 7 11:17 pts/8 00:00:01 /home/jferlan/git/libvirt.work/src/.libs/lt-libvirtd root 30385 19861 0 11:17 pts/17 00:00:00 grep --color=auto libvirtd but again don't hit <return> yet. 5. Align your stars perfectly now... a. Hit <return> on your domstats command b. Swap to the kill command window and hit <return> This should cause the libvirtd debug window to stop, but since you already typed 'c' it'll continue at least briefly, for example: ... [Thread 0x7fffc3231700 (LWP 30374) exited] Detaching after fork from child process 30376. Detaching after fork from child process 30377. Detaching after fork from child process 30378. [Thread 0x7fffc4445700 (LWP 30106) exited] c 2018-01-10 16:18:12.962+0000: 30094: info : libvirt version: 4.0.0 2018-01-10 16:18:12.962+0000: 30094: info : hostname: unknown4ceb42c824f4.attlocal.net 2018-01-10 16:18:12.962+0000: 30094: warning : qemuConnectGetAllDomainStats:20265 : k = -5340232226128654848 Thread 1 "lt-libvirtd" received signal SIGTERM, Terminated. 0x00007ffff3ae6d2d in poll () from /lib64/libc.so.6 ... (gdb) c Continuing. [Thread 0x7fffc5c48700 (LWP 30103) exited] [Thread 0x7fffc5447700 (LWP 30104) exited] [Thread 0x7fffc4c46700 (LWP 30105) exited] [Thread 0x7fffc6449700 (LWP 30102) exited] [Thread 0x7fffc6c4a700 (LWP 30101) exited] [Thread 0x7fffe3b57700 (LWP 30097) exited] [Thread 0x7fffe4358700 (LWP 30096) exited] [Thread 0x7fffe2354700 (LWP 30100) exited] [Thread 0x7fffe3356700 (LWP 30098) exited] [Thread 0x7fffe2b55700 (LWP 30099) exited] [Thread 0x7fffe535a700 (LWP 30094) exited] [Thread 0x7fffe5b5b700 (LWP 30093) exited] [Thread 0x7fffe635c700 (LWP 30092) exited] [Thread 0x7fffe6b5d700 (LWP 30091) exited] 2018-01-10 16:18:25.451+0000: 30095: warning : qemuConnectGetAllDomainStats:20265 : k = -5340232226128654848 [Thread 0x7fffe4b59700 (LWP 30095) exited] [Thread 0x7fffc3a32700 (LWP 30187) exited] [Inferior 1 (process 30087) exited normally] (gdb) c The program is not being run. (gdb) quit The virsh domstats window will "close" as follows: error: Disconnected from qemu:///system due to end of file error: End of file while reading data: Input/output error If something's wrong, then the libvirtd window may not exit those final two threads in which case you could interrupt it (^c) and check the threads (thread apply all bt) which will probably show some sort of hang... My testing shows that the hang no longer occurs with all the previous patches applied. The subsequent patch calling virHashRemoveAll from virNetDaemonClose does not seem to be necessary, although I suppose it cannot hurt as the same essential functionality occurs during the Dispose function Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/qemu/qemu_driver.c | 5 +++++ src/rpc/virnetdaemon.c | 3 ++- src/rpc/virnetserver.c | 4 ++-- src/util/virthreadpool.c | 10 +++++++--- 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 9a35e04a85..fa725131a2 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -20454,6 +20454,7 @@ qemuConnectGetAllDomainStats(virConnectPtr conn, bool enforce = !!(flags & VIR_CONNECT_GET_ALL_DOMAINS_STATS_ENFORCE_STATS); int nstats = 0; size_t i; + size_t j, k = 0; int ret = -1; unsigned int privflags = 0; unsigned int domflags = 0; @@ -20492,6 +20493,10 @@ qemuConnectGetAllDomainStats(virConnectPtr conn, if (qemuDomainGetStatsNeedMonitor(stats)) privflags |= QEMU_DOMAIN_STATS_HAVE_JOB; + for (j = 0; j < 10000000000; j++) // Add one more zero for longer... + k = j + k; + VIR_WARN("k = %zd", k); + for (i = 0; i < nvms; i++) { virDomainStatsRecordPtr tmp = NULL; domflags = 0; diff --git a/src/rpc/virnetdaemon.c b/src/rpc/virnetdaemon.c index c6ed65c8c3..6cce4b7004 100644 --- a/src/rpc/virnetdaemon.c +++ b/src/rpc/virnetdaemon.c @@ -834,7 +834,7 @@ virNetDaemonQuitTimer(int timer ATTRIBUTE_UNUSED, int *quitCount = opaque; (*quitCount)++; - VIR_DEBUG("quitCount=%d", *quitCount); + VIR_WARN("quitCount=%d", *quitCount); } @@ -912,6 +912,7 @@ virNetDaemonRun(virNetDaemonPtr dmn) if (dmn->quitRequested && daemonServerWorkersDone(dmn)) { dmn->quit = true; + VIR_WARN ("quitRequested and no workers remain"); } else { /* Firing every 1/2 second and quitTimeout in seconds, force * an exit when there are still worker threads running and we diff --git a/src/rpc/virnetserver.c b/src/rpc/virnetserver.c index 053ef8a5ab..109f369bac 100644 --- a/src/rpc/virnetserver.c +++ b/src/rpc/virnetserver.c @@ -833,7 +833,7 @@ virNetServerQuitRequested(virNetServerPtr srv) if (!srv) return; - VIR_DEBUG("Quit server requested '%s'", srv->name); + VIR_WARN ("Quit server requested '%s'", srv->name); for (i = 0; i < srv->nservices; i++) virNetServerServiceToggle(srv->services[i], false); @@ -860,7 +860,7 @@ virNetServerWorkerCount(virNetServerPtr srv) virThreadPoolGetPriorityWorkers(srv->workers); if (workerCount > 0) - VIR_DEBUG("server '%s' still has %zd workers", srv->name, workerCount); + VIR_WARN ("server '%s' still has %zd workers", srv->name, workerCount); virObjectUnlock(srv); diff --git a/src/util/virthreadpool.c b/src/util/virthreadpool.c index 137c5d1746..fc7bc64fb5 100644 --- a/src/util/virthreadpool.c +++ b/src/util/virthreadpool.c @@ -136,8 +136,10 @@ static void virThreadPoolWorker(void *opaque) goto out; } - if (pool->quit) + if (pool->quit) { + VIR_WARN("Quit set"); break; + } if (priority) { job = pool->jobList.firstPrio; @@ -330,7 +332,7 @@ virThreadPoolQuitRequested(virThreadPoolPtr pool) { virMutexLock(&pool->mutex); - VIR_DEBUG("nWorkers=%zd, nPrioWorkers=%zd jobQueueDepth=%zd", + VIR_WARN ("nWorkers=%zd, nPrioWorkers=%zd jobQueueDepth=%zd", pool->nWorkers, pool->nPrioWorkers, pool->jobQueueDepth); virThreadPoolSetQuit(pool); @@ -415,8 +417,10 @@ int virThreadPoolSendJob(virThreadPoolPtr pool, virThreadPoolJobPtr job; virMutexLock(&pool->mutex); - if (pool->quit) + if (pool->quit) { + VIR_WARN("Quit set"); goto error; + } if (pool->freeWorkers - pool->jobQueueDepth <= 0 && pool->nWorkers < pool->maxWorkers && -- 2.17.1
participants (3)
-
Daniel P. Berrangé -
John Ferlan -
Peter Krempa