[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit
|
From: |
Daniel P . Berrangé |
|
Subject: |
Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded |
|
Date: |
Tue, 25 Jun 2024 20:12:46 +0100 |
|
User-agent: |
Mutt/2.2.12 (2023-09-09) |
On Fri, Jun 21, 2024 at 07:32:21AM -0700, Elena Ufimtseva wrote:
> During live migration, receive current downtime from source
> and start a downtime timer. When the destination dowtime
> and added source downtime exceeds downtime limit for more
> than switchover limit, abort live migration on destination.
>
> Signed-off-by: Elena Ufimtseva <elena.ufimtseva@oracle.com>
> ---
> migration/migration.c | 2 ++
> migration/migration.h | 15 ++++++++++
> migration/savevm.c | 68 ++++++++++++++++++++++++++++++++++++++++++
> migration/savevm.h | 2 ++
> migration/trace-events | 3 ++
> 5 files changed, 90 insertions(+)
>
> diff --git a/migration/migration.c b/migration/migration.c
> index 5cc304d2db..64d7290997 100644
> --- a/migration/migration.c
> +++ b/migration/migration.c
> @@ -240,6 +240,8 @@ void migration_object_init(void)
> current_incoming->page_requested = g_tree_new(page_request_addr_cmp);
>
> current_incoming->exit_on_error = INMIGRATE_DEFAULT_EXIT_ON_ERROR;
> + /* Downtime will start when source sends its current downtime. */
> + current_incoming->downtime_start = 0;
>
> migration_object_check(current_migration, &error_fatal);
>
> diff --git a/migration/migration.h b/migration/migration.h
> index aa56b70795..06f4ebe214 100644
> --- a/migration/migration.h
> +++ b/migration/migration.h
> @@ -230,6 +230,21 @@ struct MigrationIncomingState {
>
> /* Do exit on incoming migration failure */
> bool exit_on_error;
> +
> + /* Initial downtime on destination set by MIG_CMD_SEND_SRC_DOWNTIME */
> + uint64_t downtime_start;
> + /*
> + * Current donwtime on destination that initially set equal to source by
> + * MIG_CMD_SEND_SRC_DOWNTIME, then updated by destination itself.
> + */
> + uint64_t downtime_now;
> + /*
> + * Abort live migration on destination when current destination downtime
> + * exceeds the abort_limit. abort_limit is being set by
> + * MIG_CMD_SEND_SRC_DOWNTIME sent from source.
> + */
> + uint64_t abort_limit;
> + uint64_t src_downtime;
> };
>
> MigrationIncomingState *migration_incoming_get_current(void);
> diff --git a/migration/savevm.c b/migration/savevm.c
> index 031ab03915..f3b5ea98bf 100644
> --- a/migration/savevm.c
> +++ b/migration/savevm.c
> @@ -90,6 +90,7 @@ enum qemu_vm_cmd {
> MIG_CMD_ENABLE_COLO, /* Enable COLO */
> MIG_CMD_POSTCOPY_RESUME, /* resume postcopy on dest */
> MIG_CMD_RECV_BITMAP, /* Request for recved bitmap on dst */
> + MIG_CMD_SEND_SRC_DOWNTIME, /* Send current downtime to dst */
> MIG_CMD_MAX
> };
>
> @@ -109,6 +110,7 @@ static struct mig_cmd_args {
> [MIG_CMD_POSTCOPY_RESUME] = { .len = 0, .name = "POSTCOPY_RESUME" },
> [MIG_CMD_PACKAGED] = { .len = 4, .name = "PACKAGED" },
> [MIG_CMD_RECV_BITMAP] = { .len = -1, .name = "RECV_BITMAP" },
> + [MIG_CMD_SEND_SRC_DOWNTIME] = { .len = -1, .name = "SEND_SRC_DOWNTIME" },
> [MIG_CMD_MAX] = { .len = -1, .name = "MAX" },
> };
>
> @@ -1218,6 +1220,18 @@ void qemu_savevm_send_recv_bitmap(QEMUFile *f, char
> *block_name)
> qemu_savevm_command_send(f, MIG_CMD_RECV_BITMAP, len + 1, (uint8_t
> *)buf);
> }
>
> +void qemu_savevm_send_downtime(QEMUFile *f, int64_t abort_limit_ms,
> + int64_t source_downtime)
> +{
> + uint64_t tmp[2];
> + tmp[0] = cpu_to_be64(abort_limit_ms);
> + tmp[1] = cpu_to_be64(source_downtime);
> +
> + trace_qemu_savevm_send_downtime(abort_limit_ms, source_downtime);
> + qemu_savevm_command_send(f, MIG_CMD_SEND_SRC_DOWNTIME,
> + 16, (uint8_t *)tmp);
> +}
Is having both the src and dst responsible to tracking downtime limit
introducing extra failure points ?
We know the src QEMU is reliably operating, but we don't know that the
dst QEMU will do so. If we give the dst responsibility for checking its
own downtime then that perhaps isn't robust aganist the dst deadlocking
or live-locking itself.
Is it better have the src exclusively responsible for tracking the
downtime limit, and have it send an "abort" message to the dst when
the limit is exceeded ? This process would require an explicit ack
from the src before the dst is permited to start its CPUs too.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded, (continued)
- Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded, Peter Xu, 2024/06/25
- Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded, Joao Martins, 2024/06/25
- Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded, Peter Xu, 2024/06/25
- Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded, Joao Martins, 2024/06/26
- Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded, Peter Xu, 2024/06/26
- Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded, Daniel P . Berrangé, 2024/06/25
- Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded, Joao Martins, 2024/06/26
- Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded, Daniel P . Berrangé, 2024/06/26
- Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded, Joao Martins, 2024/06/26
- Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded, Daniel P . Berrangé, 2024/06/26
Re: [PATCH RFC 2/2] migration: abort on destination if switchover limit exceeded,
Daniel P . Berrangé <=