From nobody Tue May 14 16:48:36 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; arc=pass (i=1dmarc=pass fromdomain=nutanix.com); dmarc=pass(p=none dis=none) header.from=nutanix.com ARC-Seal: i=2; a=rsa-sha256; t=1574698515; cv=pass; d=zohomail.com; s=zohoarc; b=UsyKG8SC/GcUZ4JJue+wzMcfsVPD/Bre7mXkR613A98ukLz49NwDY5Dn3EVKY6AkMIzU9rPi+FK2C4y4QvAGa0w4Bz6xbfDN+dIH8PTrzJp00q0SUeHntEXr9nBMfmHjNcmwuGCM8szjusowy80nTIfn6SVh3DnGCVrOasCBIsk= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1574698515; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To; bh=4IQ+iqQsj7K9CPcqWBTN7lcON0pDu1M3slUJZ6Myn0E=; b=CwFNFNg378sgAUsaz8KaQPrVwCiFMmC6yLzRPajvnXV0gJMNUtYhi4AFTiS4IslskIP3/l+Mvqvxo76ODU+5PkGGIRQ0XGdniXk9yBhiCpv3QpvC97PO0CrmsJkU8UjrFZLToXzDkge6/S7Iwm0GiI13Oh9dioWBzsKAu76fgYw= ARC-Authentication-Results: i=2; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; arc=pass (i=1dmarc=pass fromdomain=nutanix.com); dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1574698515127742.5673670726054; Mon, 25 Nov 2019 08:15:15 -0800 (PST) Received: from localhost ([::1]:46052 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iZH17-0003uH-9G for importer@patchew.org; Mon, 25 Nov 2019 11:15:13 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:38412) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iZH0G-0003US-RJ for qemu-devel@nongnu.org; Mon, 25 Nov 2019 11:14:22 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iZH0D-0001Vl-V2 for qemu-devel@nongnu.org; Mon, 25 Nov 2019 11:14:20 -0500 Received: from mx0a-002c1b01.pphosted.com ([148.163.151.68]:61934) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1iZH0D-0001VM-LZ for qemu-devel@nongnu.org; Mon, 25 Nov 2019 11:14:17 -0500 Received: from pps.filterd (m0127838.ppops.net [127.0.0.1]) by mx0a-002c1b01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xAPG83ZR011984; Mon, 25 Nov 2019 08:14:15 -0800 Received: from nam02-sn1-obe.outbound.protection.outlook.com (mail-sn1nam02lp2059.outbound.protection.outlook.com [104.47.36.59]) by mx0a-002c1b01.pphosted.com with ESMTP id 2wf574uypm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 25 Nov 2019 08:14:15 -0800 Received: from MWHPR02MB2656.namprd02.prod.outlook.com (10.168.206.142) by MWHPR02MB2239.namprd02.prod.outlook.com (10.168.244.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.17; Mon, 25 Nov 2019 16:14:13 +0000 Received: from MWHPR02MB2656.namprd02.prod.outlook.com ([fe80::f801:763d:e7fc:6bf]) by MWHPR02MB2656.namprd02.prod.outlook.com ([fe80::f801:763d:e7fc:6bf%7]) with mapi id 15.20.2474.023; Mon, 25 Nov 2019 16:14:13 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com; h=from : to : cc : subject : date : message-id : content-type : content-transfer-encoding : mime-version; s=proofpoint20171006; bh=4IQ+iqQsj7K9CPcqWBTN7lcON0pDu1M3slUJZ6Myn0E=; b=1XAcq8WbMXWdfj3JL1OmJsGcc9Aqi3TzqXTjqmFgjfFzEZJ6vF+PxTCYfAGZj4ofCTvF zHmDWVEyNurBm+62xYVjhRLtHS3I1v4/pyONr8enpOCvm2CiNCHn93ACJvRp+bQeM7n1 08kx407Nbicf/opdmsZUL8tHUbArE6pJzDx3bPJULUuSt+JiXGvaQ++BUkdRV+WOzC3c +5iT+S66mMWARcH7CLnNAGw2Is7Gj3n1PRnGYY7N0bhiSPNwjVJczfFhnCXE5JIFNmA/ SbMQR5GIwpb7ZQqh8lR2RUzm1edXboR5+gspRSj1W0rqhlpasM3U/9tPU5NsTPWbT8Em Xw== ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WjFANh4jQS9Ux9H4+waqHJvpTXX2bIMslsAto/+jRQ+neTqe9Rf4NpRVOzLvPbdP5yGCXMf5JIzS0DUE7VSOkp2X/pr2CPhB0ZXGnxVy664nHMRRQ9a3PJTBFVfvU9S/ggprAigtqDZqUMt/dtP+aAtsXhoFf+i8TgvJFlGKVGVJe6whjMBt89caX4vnxU+CVDNBVvA5ltQopgpUc+TElVBv+YMO2VGTMcpGL/9208oDCKE+Tz5dXR4zc0GdwcQoRzoZ9lHnImrD91ibUDClAlvuIuqPladHJzK1Kb/kltMh8SFm5Lb0PlPYMPR/2VzuY8yxFutzzsjsxeqT6PHs1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4IQ+iqQsj7K9CPcqWBTN7lcON0pDu1M3slUJZ6Myn0E=; b=cP0ZPIJjNYO+gOa19NBso0jdD9Sz60oBey6ZY5LYpc/t9W9JB7UNu4dS+bu7pSS/CukrkH0Mh9fuzQb/dDYXpHLE4d08moXPvRRqtW8tpLVoQtXVTq5ShrFQE3PnJj5G53xLmflLyzSnxeujMujlAZA80fIf7ME8620fq9xoGQkgv+10PAA6+JgntZIe5Z6r3uu9X78gVLTjfmW0ZmiGMr6poDXE+IOgXf17bzxoPEy9lqb4YjsE3nEyhXGL9rE28dnvqJsHsYkSOM5FFbjnkQ3cWffNo6NYKJvnDc+5qq4QyJcedqviBQg15UFHWQBscAR9EVDtTA4R6PcR7KrCxw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nutanix.com; dmarc=pass action=none header.from=nutanix.com; dkim=pass header.d=nutanix.com; arc=none From: Felipe Franciosi To: Stefan Hajnoczi , Paolo Bonzini , Daniel Berrange , "Dr . David Alan Gilbert" Subject: [PATCH] fence: introduce a file-based self-fence mechanism Thread-Topic: [PATCH] fence: introduce a file-based self-fence mechanism Thread-Index: AQHVo6tgK6WTpsMO9UiL0xGIoXZMRg== Date: Mon, 25 Nov 2019 16:14:13 +0000 Message-ID: <20191125161356.108054-1-felipe@nutanix.com> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-clientproxiedby: AM3PR03CA0068.eurprd03.prod.outlook.com (2603:10a6:207:5::26) To MWHPR02MB2656.namprd02.prod.outlook.com (2603:10b6:300:45::14) x-ms-exchange-messagesentrepresentingtype: 1 x-mailer: git-send-email 2.20.1 x-originating-ip: [62.254.189.133] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 52dd4b86-8b27-4c2b-9af3-08d771c28312 x-ms-traffictypediagnostic: MWHPR02MB2239: x-ms-exchange-purlcount: 1 x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-proofpoint-crosstenant: true x-ms-oob-tlc-oobclassifiers: OLM:626; x-forefront-prvs: 0232B30BBC x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(346002)(376002)(396003)(366004)(136003)(199004)(189003)(6116002)(2616005)(71190400001)(36756003)(6506007)(478600001)(256004)(6486002)(6306002)(14454004)(102836004)(6512007)(14444005)(30864003)(71200400001)(386003)(2906002)(66066001)(99286004)(107886003)(1076003)(110136005)(54906003)(7736002)(186003)(4326008)(81166006)(81156014)(26005)(305945005)(50226002)(5660300002)(3846002)(8936002)(66556008)(66476007)(316002)(52116002)(66946007)(25786009)(86362001)(8676002)(6436002)(64756008)(66446008)(64030200001)(2004002); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR02MB2239; H:MWHPR02MB2656.namprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; received-spf: None (protection.outlook.com: nutanix.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: WFytVzBsM7qIa1bz60a7RDjWW+Qx1L4IE1BkxNK2WuBdxUVwu38ZBM78HVPNjrOW9i41AWDseixXHfYp//qDGsMjPC6yp1+BKytrH/3K7u6/7Ty+as24QHokp2jMp08erqGsBF1uzxGcEF6+dodw4N04Bli67sgaFeMKcpcIAb9sk/rz8Ymr33fjnq+rcV6YEJzWPfxvF31DjSNyE0P3UP6IrdfrXIdhm4G9v2oPu4fthNNf+rIJGJRiLpiWrMCvVcTy+a2vMcpYhqVAcrO2AOU2X72XUNTfZWFh5Qron7bJtNd23czYV5egLNgckmltryTCMWxeAfWFpYGgbeq3l305KMyZekPRpmbbkQirQ/UzaZO2MAkpU/T5OOM6dHWipR93e7PIuCQDmfVWuAxzSpCttqkbbUeKFS0vUAvuWAS9cVSuKQ6fqImQ1I/iMi7WKJzsIWxhYsRF9yO0hBzLT+llgaVGDxt0PDZW08dlNh8= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nutanix.com X-MS-Exchange-CrossTenant-Network-Message-Id: 52dd4b86-8b27-4c2b-9af3-08d771c28312 X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Nov 2019 16:14:13.5941 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: bb047546-786f-4de1-bd75-24e5b6f79043 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: RFqSiJyhqmSYA/tWvwkOarXIT5aiQnTy6QyBiVJFRvvtPtbD3ekiZxVYWmNhdSW/FzRts/LNUPwMoWVFT+ZfYlx76e+9POR9Y6vLtDLoON8= X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR02MB2239 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572 definitions=2019-11-25_04:2019-11-21,2019-11-25 signatures=0 X-Proofpoint-Spam-Reason: safe X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 148.163.151.68 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: "qemu-devel@nongnu.org" , Felipe Franciosi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: pass (identity @nutanix.com) This introduces a self-fence mechanism to Qemu, causing it to die if a heartbeat condition is not met. Currently, a file-based heartbeat is available and can be configured as follows: -object file-fence,id=3Dff0,file=3D/foo,qtimeout=3D20,ktimeout=3D25,signal= =3Dkill Qemu will watch 'file' for attribute changes. Touching the file works as a heartbeat. This parameter is mandatory. Fencing happens after 'qtimeout' or 'ktimeout' seconds elapse without a heartbeat. At least one of these must be specified. Both may be used. When using 'qtimeout', an internal Qemu timer is used. Fencing with this method gives Qemu a chance to write a log message indicating which file caused the event. If Qemu's main loop is hung for whatever reason, this method won't successfully kill Qemu. When using 'ktimeout', a kernel timer is used. In this case, 'signal' can be 'kill' (for SIGKILL, default) or 'quit' (for SIGQUIT). Using SIGQUIT may be preferred for obtaining core dumps. If Qemu is hung (eg. uninterruptable sleep), this method won't successfully kill Qemu. It is worth noting that even successfully killing Qemu may not be sufficient to completely fence a VM as certain operations like network packets or block commands may be pending in the kernel. If that is a concern, systems should consider using further fencing mechanisms like hardware watchdogs either in addition or in conjunction with this for additional protection. Signed-off-by: Felipe Franciosi --- Based-on: <20191125153619.39893-2-felipe@nutanix.com> Makefile.objs | 1 + fence/Makefile.objs | 1 + fence/file_fence.c | 381 ++++++++++++++++++++++++++++++++++++++++++++ qemu-options.hx | 27 +++- 4 files changed, 409 insertions(+), 1 deletion(-) create mode 100644 fence/Makefile.objs create mode 100644 fence/file_fence.c diff --git a/Makefile.objs b/Makefile.objs index 11ba1a36bd..998eed4796 100644 --- a/Makefile.objs +++ b/Makefile.objs @@ -75,6 +75,7 @@ common-obj-$(CONFIG_TPM) +=3D tpm.o =20 common-obj-y +=3D backends/ common-obj-y +=3D chardev/ +common-obj-y +=3D fence/ =20 common-obj-$(CONFIG_SECCOMP) +=3D qemu-seccomp.o qemu-seccomp.o-cflags :=3D $(SECCOMP_CFLAGS) diff --git a/fence/Makefile.objs b/fence/Makefile.objs new file mode 100644 index 0000000000..2ed2092568 --- /dev/null +++ b/fence/Makefile.objs @@ -0,0 +1 @@ +common-obj-y +=3D file_fence.o diff --git a/fence/file_fence.c b/fence/file_fence.c new file mode 100644 index 0000000000..5b743e69d2 --- /dev/null +++ b/fence/file_fence.c @@ -0,0 +1,381 @@ +/* + * QEMU file-based self-fence mechanism + * + * Copyright (c) 2019 Nutanix Inc. All rights reserved. + * + * Authors: + * Felipe Franciosi + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see . + * + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "qom/object_interfaces.h" +#include "qemu/filemonitor.h" +#include "qemu/timer.h" + +#include + +#define TYPE_FILE_FENCE "file-fence" + +typedef struct FileFence { + Object parent_obj; + + gchar *dir; + gchar *file; + uint32_t qtimeout; + uint32_t ktimeout; + int signal; + + timer_t ktimer; + QEMUTimer *qtimer; + + QFileMonitor *fm; + uint64_t id; +} FileFence; + +#define FILE_FENCE(obj) \ + OBJECT_CHECK(FileFence, (obj), TYPE_FILE_FENCE) + +static void +timer_update(FileFence *ff) +{ + struct itimerspec its =3D { + .it_value.tv_sec =3D ff->ktimeout, + }; + int err; + + if (ff->qtimeout) { + timer_mod(ff->qtimer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + + ff->qtimeout * 1000); + } + + if (ff->ktimeout) { + err =3D timer_settime(ff->ktimer, 0, &its, NULL); + g_assert(err =3D=3D 0); + } +} + +static void +file_fence_abort_cb(void *opaque) +{ + FileFence *ff =3D opaque; + printf("Fencing after %u seconds on '%s'\n", + ff->qtimeout, g_strconcat(ff->dir, "/", ff->file, NULL)); + abort(); +} + +static void +file_fence_watch_cb(int64_t id, QFileMonitorEvent ev, const char *file, + void *opaque) +{ + FileFence *ff =3D opaque; + + if (ev !=3D QFILE_MONITOR_EVENT_ATTRIBUTES) { + return; + } + + if (g_strcmp0(file, ff->file) !=3D 0) { + return; + } + + timer_update(ff); +} + +static void +ktimer_tear(FileFence *ff) +{ + int err; + + if (ff->ktimer) { + err =3D timer_delete(ff->ktimer); + g_assert(err =3D=3D 0); + ff->ktimer =3D NULL; + } +} + +static void +ktimer_setup(FileFence *ff, Error **errp) +{ + int err; + + struct sigevent sev =3D { + .sigev_notify =3D SIGEV_SIGNAL, + .sigev_signo =3D ff->signal ? ff->signal : SIGKILL, + }; + + if (ff->ktimeout =3D=3D 0) { + return; + } + + err =3D timer_create(CLOCK_MONOTONIC, &sev, &ff->ktimer); + if (err =3D=3D -1) { + error_setg(errp, "Error creating kernel timer: %m"); + return; + } +} + +static void +qtimer_tear(FileFence *ff) +{ + if (ff->qtimer) { + timer_del(ff->qtimer); + timer_free(ff->qtimer); + } + ff->qtimer =3D NULL; +} + +static void +qtimer_setup(FileFence *ff, Error **errp) +{ + QEMUTimer *qtimer; + + if (ff->qtimeout =3D=3D 0) { + return; + } + + qtimer =3D timer_new_ms(QEMU_CLOCK_REALTIME, file_fence_abort_cb, ff); + if (qtimer =3D=3D NULL) { + error_setg(errp, "Error creating Qemu timer"); + return; + } + + ff->qtimer =3D qtimer; +} + +static void +watch_tear(FileFence *ff) +{ + if (ff->fm) { + qemu_file_monitor_remove_watch(ff->fm, ff->dir, ff->id); + qemu_file_monitor_free(ff->fm); + ff->fm =3D NULL; + ff->id =3D 0; + } +} + +static void +watch_setup(FileFence *ff, Error **errp) +{ + QFileMonitor *fm; + int64_t id; + + fm =3D qemu_file_monitor_new(errp); + if (!fm) { + return; + } + + id =3D qemu_file_monitor_add_watch(fm, ff->dir, ff->file, + file_fence_watch_cb, ff, errp); + if (id < 0) { + qemu_file_monitor_free(fm); + return; + } + + ff->fm =3D fm; + ff->id =3D id; +} + +static void +file_fence_complete(UserCreatable *obj, Error **errp) +{ + FileFence *ff =3D FILE_FENCE(obj); + + if (ff->dir =3D=3D NULL) { + error_setg(errp, "A 'file' must be set"); + return; + } + + if (ff->signal !=3D 0 && ff->ktimeout =3D=3D 0) { + error_setg(errp, "Using 'signal' requires 'ktimeout' to be set"); + return; + } + + if (ff->ktimeout =3D=3D 0 && ff->qtimeout =3D=3D 0) { + error_setg(errp, "One or both of 'ktimeout' or 'qtimeout' must be = set"); + return; + } + + if (ff->qtimeout >=3D ff->ktimeout) { + error_setg(errp, "Using 'qtimeout' >=3D 'ktimeout' doesn't make se= nse"); + return; + } + + watch_setup(ff, errp); + if (*errp !=3D NULL) { + return; + } + + qtimer_setup(ff, errp); + if (*errp !=3D NULL) { + goto err_watch; + } + + ktimer_setup(ff, errp); + if (*errp !=3D NULL) { + goto err_qtimer; + } + + timer_update(ff); + + return; + +err_qtimer: + qtimer_tear(ff); +err_watch: + watch_tear(ff); +} + +static void +file_fence_set_signal(Object *obj, const char *value, Error **errp) +{ + FileFence *ff =3D FILE_FENCE(obj); + gchar *gsig; + + if (ff->signal) { + error_setg(errp, "Signal property already set"); + return; + } + + gsig =3D g_ascii_strup(value, -1); + + if (g_strcmp0(gsig, "QUIT") =3D=3D 0) { + ff->signal =3D SIGQUIT; + } else + if (g_strcmp0(gsig, "KILL") =3D=3D 0) { + ff->signal =3D SIGKILL; + } else { + error_setg(errp, "Invalid signal. Must be 'quit' or 'kill'"); + } + + g_free(gsig); +} + +static char * +file_fence_get_signal(Object *obj, Error **errp) +{ + FileFence *ff =3D FILE_FENCE(obj); + + switch (ff->signal) { + case SIGKILL: + return g_strdup("kill"); + case SIGQUIT: + return g_strdup("quit"); + } + + /* Unreachable */ + abort(); +} + +static void +file_fence_set_file(Object *obj, const char *value, Error **errp) +{ + FileFence *ff =3D FILE_FENCE(obj); + gchar *dir, *file; + + if (ff->dir) { + error_setg(errp, "File property already set"); + return; + } + + dir =3D g_path_get_dirname(value); + if (g_str_equal(dir, ".")) { + error_setg(errp, "Path for file-fence must be absolute"); + return; + } + + file =3D g_path_get_basename(value); + if (g_str_equal(file, ".")) { + error_setg(errp, "Path for file-fence must be a file"); + g_free(dir); + return; + } + + ff->dir =3D dir; + ff->file =3D file; +} + +static char * +file_fence_get_file(Object *obj, Error **errp) +{ + FileFence *ff =3D FILE_FENCE(obj); + + if (ff->file) { + return g_strconcat(ff->dir, "/", ff->file, NULL); + } + + return NULL; +} + +static void +file_fence_instance_finalize(Object *obj) +{ + FileFence *ff =3D FILE_FENCE(obj); + + ktimer_tear(ff); + qtimer_tear(ff); + watch_tear(ff); + + g_free(ff->file); + g_free(ff->dir); +} + +static void +file_fence_instance_init(Object *obj) +{ + FileFence *ff =3D FILE_FENCE(obj); + + object_property_add_str(obj, "file", + file_fence_get_file, + file_fence_set_file, + &error_abort); + object_property_add_str(obj, "signal", + file_fence_get_signal, + file_fence_set_signal, + &error_abort); + object_property_add_uint32_ptr(obj, "qtimeout", &ff->qtimeout, + false, &error_abort); + object_property_add_uint32_ptr(obj, "ktimeout", &ff->ktimeout, + false, &error_abort); +} + +static void +file_fence_class_init(ObjectClass *klass, void *class_data) +{ + UserCreatableClass *ucc =3D USER_CREATABLE_CLASS(klass); + ucc->complete =3D file_fence_complete; +} + +static const TypeInfo file_fence_info =3D { + .name =3D TYPE_FILE_FENCE, + .parent =3D TYPE_OBJECT, + .class_init =3D file_fence_class_init, + .instance_size =3D sizeof(FileFence), + .instance_init =3D file_fence_instance_init, + .instance_finalize =3D file_fence_instance_finalize, + .interfaces =3D (InterfaceInfo[]) { + { TYPE_USER_CREATABLE }, + { } + } +}; + +static void +register_types(void) +{ + type_register_static(&file_fence_info); +} + +type_init(register_types); diff --git a/qemu-options.hx b/qemu-options.hx index 65c9473b73..995d3d6abf 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4929,8 +4929,33 @@ CN=3Dlaptop.example.com,O=3DExample Home,L=3DLondon,= ST=3DLondon,C=3DGB =20 @end table =20 -ETEXI +@item -object file-fence,id=3D@var{id},file=3D@var{file},qtimeout=3D@var{q= timeout},ktimeout=3D@var{ktimeout},signal=3D@{signal} + +Self-fence Qemu if @var{file} is not modified within a given timeout. + +Qemu will watch @var{file} for attribute changes. Touching the file works = as a +heartbeat. This parameter is mandatory. + +Fencing happens after @var{qtimeout} or @var{ktimeout} seconds elapse +without a heartbeat. At least one of these must be specified. Both may be = used. =20 +When using @var{qtimeout}, an internal Qemu timer is used. Fencing with +this method gives Qemu a chance to write a log message indicating which fi= le +caused the event. If Qemu's main loop is hung for whatever reason, this me= thod +won't successfully kill Qemu. + +When using @var{ktimeout}, a kernel timer is used. In this case, @var{sign= al} +can be 'kill' (for SIGKILL, default) or 'quit' (for SIGQUIT). Using SIGQUI= T may +be preferred for obtaining core dumps. If Qemu is hung (eg. uninterruptable +sleep), this method won't successfully kill Qemu. + +It is worth noting that even successfully killing Qemu may not be sufficie= nt to +completely fence a VM as certain operations like network packets or block +commands may be pending in the kernel. If that is a concern, systems should +consider using further fencing mechanisms like hardware watchdogs either in +addition or in conjunction with this feature for additional protection. + +ETEXI =20 HXCOMM This is the last statement. Insert new options before this line! STEXI --=20 2.20.1