xend has a timeout such that if an 'xm shutdown' request does not result
in the domain shutting down within a certain time period, the domain is
violently destroyed.

This seems like a strange choice - if the domain isn't responding
properly to such requests, then it must be in a buggy state, and should
surely be preserved for administrator action (dumping core, destroying,
whatever).

Is there any other purpose to this timeout?

thanks
john

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
lists.xensource.com/xen-devel

On 23/5/07 03:51, "John Levon" <levon@movementarian.org> wrote:

> xend has a timeout such that if an 'xm shutdown' request does not result
> in the domain shutting down within a certain time period, the domain is
> violently destroyed.
>
> This seems like a strange choice - if the domain isn't responding
> properly to such requests, then it must be in a buggy state, and should
> surely be preserved for administrator action (dumping core, destroying,
> whatever).
>
> Is there any other purpose to this timeout?

There are a set of config options to choose what to do on various guest
state transitions. I think these are probably what you're looking for. See
the final bit of tools/example/xmexample1.

Hmmm... Actually it may be that we unconditionally kill the domain if it
ignores shutdown. If that is the case, we should instead force it into
whatever the target of the 'sm shutdown' command was, and then execute
the action specified in the config file. We'd like a patch if this is the
case. :-)

 -- Keir

On Wed, May 23, 2007 at 09:11:46AM +0100, Keir Fraser wrote:

> > xend has a timeout such that if an 'xm shutdown' request does not result
> > in the domain shutting down within a certain time period, the domain is
> > violently destroyed.
> >
> > This seems like a strange choice - if the domain isn't responding
> > properly to such requests, then it must be in a buggy state, and should
> > surely be preserved for administrator action (dumping core, destroying,
> > whatever).
> >
> > Is there any other purpose to this timeout?
>
> Hmmm... Actually it may be that we unconditionally kill the domain if it
> ignores shutdown.

        if timeout < 0:
            log.info(
                "Domain shutdown timeout expired: name=%s id=%s",
                self.info['name_label'], self.domid)
            self.destroy()

> If that is the case, we should instead force it into whatever the
> target of the 'sm shutdown' command was, and then execute the action
> specified in the config file.

But this still isn't right. Normally I want the domain destroyed when I
do a shutdown (it is, after all, a shutdown). However, if the domain
/does not shutdown cleanly/, there are a number of things I might want:

 - I might want a core dump, so I can log a bug
 - I might want to keep the domain running so I can grab the console and
   poke around
 - it might be some known bug or some strange configuration, and I want
   it destroyed

This is an abnormal situation and the default on_poweroff/on_reboot
settings can't cover it. I believe something along the lines of:

-self.destroy()

is exactly the correct thing to do.

regards,
john
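
Review bot: with `self.destroy()` removed, the `if timeout < 0:` branch is left with only the `log.info(...)` call, so an expired timeout changes nothing on the domain and is recorded only at info level. Log it as a warning that states the domain was left running, so an administrator reading the log knows the shutdown request was ignored and that manual action is needed.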

On 23/5/07 16:56, "John Levon" <levon@movementarian.org> wrote:

> But this still isn't right. Normally I want the domain destroyed when I
> do a shutdown (it is, after all, a shutdown). However, if the domain
> /does not shutdown cleanly/, there are a number of things I might want:

Perhaps pushing into state 'crashed' is the right thing to do, and treat
that state as a catch-all for exceptional termination conditions?

 -- Keir

On 24/5/07 14:45, "John Levon" <levon@movementarian.org> wrote:

>> Perhaps pushing into state 'crashed' is the right thing to do, and treat
>> that state as a catch-all for exceptional termination conditions?
>
> I considered that. Whilst it's an improvement on what happens now, it
> still seems like the wrong thing to me: typically a crash will dump core
> and destroy, meaning I can't then log in and look around (or debug it
> live from the dom0). I imagine I could set 'preserve', but then I have
> to preserve real crashes too, which is not likely to be what I want.
> Since we can't have a new state, it seems like leaving it would be best.
> Perhaps renaming it to indicate it won't respond to a shutdown request?

Why would you want to dump core and destroy for one type of bug, but not for
another? Renaming the domain is an okay alternative.

 -- Keir

On Thu, May 24, 2007 at 09:41:56AM +0100, Keir Fraser wrote:

> > But this still isn't right. Normally I want the domain destroyed when I
> > do a shutdown (it is, after all, a shutdown). However, if the domain
> > /does not shutdown cleanly/, there are a number of things I might want:
>
> Perhaps pushing into state 'crashed' is the right thing to do, and treat
> that state as a catch-all for exceptional termination conditions?

I considered that. Whilst it's an improvement on what happens now, it
still seems like the wrong thing to me: typically a crash will dump core
and destroy, meaning I can't then log in and look around (or debug it
live from the dom0). I imagine I could set 'preserve', but then I have
to preserve real crashes too, which is not likely to be what I want.
Since we can't have a new state, it seems like leaving it would be best.
Perhaps renaming it to indicate it won't respond to a shutdown request?

regards
john

> xend has a timeout such that if an 'xm shutdown' request does not result
> in the domain shutting down within a certain time period, the domain is
> violently destroyed.
>
> This seems like a strange choice - if the domain isn't responding
> properly to such requests, then it must be in a buggy state, and should
> surely be preserved for administrator action (dumping core, destroying,
> whatever).
>
> Is there any other purpose to this timeout?

As an educated guess: I suspect that the very original intent of this
timeout was to put an upper bound on dom0's shutdown time if the xendomains
script is being used. This attempts to shutdown all the domains cleanly,
but destroys them rudely if they take too long - similar to the usual
attempts of init 0 to shut down processes with SIGTERM, following up with
SIGKILL...

It would be good to keep this behaviour for shutdown of domain 0, since
otherwise there are denial-of-service issues with domUs holding up the
reboot arbitrarily long. However, for other scenarios it would be nice not
to do this...

Cheers,
Mark

--
Dave: Just a question. What use is a unicycle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!
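
The trade-off discussed in this thread (bounding total shutdown time versus keeping a hung guest around for inspection), as an added example that is not xend code and not part of the original messages. It uses ordinary POSIX processes with SIGTERM/SIGKILL in place of domains, following the init 0 analogy above; the on_timeout policy names 'destroy' and 'preserve' are assumptions made for illustration.

```python
import signal
import subprocess
import sys

# Constructed stand-in for a guest that ignores shutdown requests:
# it ignores SIGTERM, reports readiness, then sleeps.
STUBBORN = ("import signal, time; "
            "signal.signal(signal.SIGTERM, signal.SIG_IGN); "
            "print('ready', flush=True); time.sleep(60)")

def spawn_stubborn():
    proc = subprocess.Popen([sys.executable, "-c", STUBBORN],
                            stdout=subprocess.PIPE, text=True)
    proc.stdout.readline()  # wait until SIGTERM is being ignored
    return proc

def shutdown(proc, timeout, on_timeout):
    """Request a clean stop, then apply the hypothetical on_timeout
    policy ('destroy' or 'preserve') if the process is still alive."""
    if on_timeout not in ("destroy", "preserve"):
        raise ValueError("unknown on_timeout policy: %r" % on_timeout)
    proc.send_signal(signal.SIGTERM)
    try:
        proc.wait(timeout=timeout)
        return "clean"
    except subprocess.TimeoutExpired:
        pass
    if on_timeout == "destroy":
        # Host-shutdown case: total wait is bounded by `timeout`.
        proc.kill()
        proc.wait()
        return "destroyed"
    # Administrator case: leave it running for inspection.
    return "preserved"

def demo():
    results = {}
    for policy in ("destroy", "preserve"):
        proc = spawn_stubborn()
        outcome = shutdown(proc, timeout=0.5, on_timeout=policy)
        results[policy] = (outcome, proc.poll() is None)  # (outcome, alive?)
        if proc.poll() is None:  # clean up the preserved demo process
            proc.kill()
            proc.wait()
        proc.stdout.close()
    return results

if __name__ == "__main__":
    print(demo())
```

With 'destroy' the caller's wait is bounded no matter what the child does; with 'preserve' the unresponsive child stays available for debugging, at the cost of that bound.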