On Tue, Aug 10, 2010 at 12:44:06PM -0400, David Teigland wrote: There's two different, but related problems here: - Preventing 2 different VMs using the same disk - Preventing the same VM running on 2 hosts at once The first requires that there is a lease per configured disk (since a guest can have multiple disks). The latter requires a lease per VM and can ignore specifices of what disks are configured. IIUC, sync-manager is aiming for the latter. There are complications around migration we need to consider too. During migration, you actually need QEMU running on two hosts at once. IIRC the idea is that before starting the migration operation, we'd have to tell sync-manager to mark the lease as shared with a specific host. The destination QEMU would have to startup in shared mode, and upgrade this to an exclusive lock when migration completes, or quit when migration fails. For libvirt integration, this means we need to consider an approach that is much broader than just adding a wrapper process. Can you give some real examples of the lease arg ? I guess <path> must exclude the ':' character, or have some defined escaping scheme. The <host_id> is obviously needs to be in /etc/libvirt/sync-manager.conf since that's a per-host config. I assume the shared storage area is per host too ? That leaves just the VM name/uuid as a per-VM config option, and we obviously already have that in XML. Is there actually any extra attribute we need to track per-guest in the XML ? If not this will simplify life, because we won't have to track sync-manager specific attributes That's fine. Printing to stderr upon error is actually required. This is the only way we can get VM startup failure messages back up to the user. No docs ? In terms of integration with libvirt, I think it is desirable that we keep libvirt and sync-manager loosely coupled. ie We don't want to hardcode libvirt using sync-manager, nor do we want to hardcode sync-manager only working with libvirt. This says to me that we need to provide a well defined plugin system for providing a 'supervisor process' for QEMU guests. Essentially a dlopen() module that provides a handful (< 10) callbacks which are triggered in appropriate codepaths. At minimum I expect we need - A callback at ARGV building, to let extra sync-manager ARGV to be injected - A callback at VM startup. Not needed for sync-manager, but to allowfor alternate impls that aren't based around supervising. - A callback at VM shutdown. Just to cleanup resources - A callback in the VM destroy method, in case we need todo something different other than just kill($PID) the QEMU $PID. (eg to perhaps tell sync-manager to kill QEMU instead of killing it ourselves) - Several callbacks at various stages of migration to deal with lock downgrade/upgrade The one further complication is with the security drivers. IIUC, we will absolutely not want QEMU to have any access to the shared storage lease area. The problem is that if we just inject the wrapper process as is, sync-manager will end up running with exact same privileges as QEMU. ie same UID:GID, and same selinux context. I'm really not at all sure how to deal with this problem, because our core design is that the thing we spawn inherits the privileges we setup at fork() time. We don't want to delegate the security setup to sync-manager, because it introduces a huge variable condition in the security system. We need guarenteed consistent security setup for QEMU, regardless of supervisor process in use. Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On 08/11/10 - 03:37:12PM, David Teigland wrote: Unfortunately, this is not how migration works in qemu/kvm. Using your nomenclature above, it's more like the following: A guest is running on S. A migration is then initiated, at which point D fires up a qemu process with a -incoming argument. This is sort of a container process that will receive all of the migration data. Crucially for sync-manager, though, qemu completely starts up and "attaches" to all of the resources (including disks) *while* qemu at S is still running. Then it enters a sort of paused state (where the guest cannot run), and receives all of the migration data. Once all of the migration data has been received, the guest on S is destroyed, and the guest on D is unpaused. That's why Dan mentioned that we need two hosts to access the disk at once. -- Chris Lalancette

On Wed, Aug 11, 2010 at 03:07:29PM -0600, Eric Blake wrote: Even if sync_manager had read/write lease semantics, this use case wouldn't translate onto it, because S is in write mode the entire time that D is in read mode, and read locks are not compatible with write locks. sync_manager shouldn't be viewed as something that's trying to add any new protection to the migration case. It's just trying to accurately represent, on disk, where qemu is unpaused. Dave

On Wed, Aug 11, 2010 at 05:19:27PM -0400, David Teigland wrote: Yes that is correct The main hard bit here is that QEMU gives us no indication that migration has completed. We 'detect' it by issuing a 'cont' command to unpause the CPUs - this command blocks until migration is done. Clearly this won't work for SM, but this isn't SM's problem. We need to fix this in QEMU so that we get an async notification of migration completion, so we can then tell SM to upgrade the lease, before we then issue 'cont' to start CPUs. I think my other mail is in fact describing the same thing as you are, I was just using different terminology :-) Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On 08/11/2010 05:27 PM, Daniel P. Berrange wrote: ... If we only aim for the latter, then there is no protection mechanism to prevent two sysadmins using the same storage from independently creating two vms that use the same backend disk accidentally. On the other hand, we also need to be able to support the concept of a single block device shared among multiple guests intentionally (i.e. clustered filesystems, or applications that know how to properly use shared storage) So in addition to per-disk exclusive-write leases, do we also need per-disk shared-write leases? Or do we just say that disks that are marked as 'shared' just don't get leases at all? I dunno, but if the end goal is the latter, then why not do it correct from the start rather than integrating halfway and then having a second round of integration to move from per-vm leasing to per-disk leasing. Perry

On Thu, Aug 19, 2010 at 11:12:25AM -0400, David Teigland wrote: (That's slightly misleading; technically, the lock prevents a second qemu process from even being started.)

On Sun, Aug 22, 2010 at 12:13:16PM -0400, Perry Myers wrote: Ideally, hosts should be configured from a common central point where a full view of the configuration is possible. Then it would be trivial to detect that kind of error by just looking at the configuration. If you don't have central configuration, then using a distributed system (like disk leases) to detect image assignment errors could be done, but it also pushes the problem down to the level of configuring the distributed system correctly, i.e. host id or lease area assignment errors. Dave