Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-04-16 Thread Wen Congyang 
At 03/20/2012 11:45 PM, Gleb Natapov Wrote:
 On Tue, Mar 20, 2012 at 05:59:16PM +0800, Wen Congyang wrote:
 At 03/19/2012 03:33 PM, Wen Congyang Wrote:
 At 03/08/2012 03:57 PM, Wen Congyang Wrote:
 We can know the guest is paniced when the guest runs on xen.
 But we do not have such feature on kvm.

 Another purpose of this feature is: management app(for example:
 libvirt) can do auto dump when the guest is crashed. If management
 app does not do auto dump, the guest's user can do dump by hand if
 he sees the guest is paniced.

 I touch the hypervisor instead of using virtio-serial, because
 1. it is simple
 2. the virtio-serial is an optional device, and the guest may
not have such device.

 Changes from v2 to v3:
 1. correct spelling

 Changes from v1 to v2:
 1. split up host and guest-side changes
 2. introduce new request flag to avoid changing return values.
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/



 Hi all:

 we neet this feature, but we don't decide how to implement it.
 We have two solution:
 1. use vmcall
 2. use virtio-serial.

 I will not change this patch set before we decide how to do it.
 Can we make a decision recent days?

 Anybody can decide which solution to use?

 To make an informed decision we need to have at least raw idea how
 virtio-serial variant will look.

We have three solutions now:
1. use vmcall
2. use I/O port
3. use virtio-serial

I write a sample patch of solution 2 and 3:
patch 1: solution 2
patch 2: solution 3

Note, ther are only sample patches, and it can work. I send them, so we
can decide which solution will be used.

Thanks
Wen Congyang



 
 --
   Gleb.
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/
 

From 2c819655982a0b3043892e994fb87fd44fdca686 Mon Sep 17 00:00:00 2001
From: Wen Congyang we...@cn.fujitsu.com
Date: Tue, 17 Apr 2012 10:44:40 +0800
Subject: [PATCH] kvm: notify host when guest panicked

Signed-off-by: Wen Congyang we...@cn.fujitsu.com
---
 arch/ia64/include/asm/kvm_para.h|5 +
 arch/powerpc/include/asm/kvm_para.h |5 +
 arch/s390/include/asm/kvm_para.h|5 +
 arch/x86/include/asm/kvm_para.h |7 +++
 arch/x86/kernel/kvm.c   |   14 ++
 include/linux/kvm_para.h|   13 +
 6 files changed, 49 insertions(+), 0 deletions(-)

diff --git a/arch/ia64/include/asm/kvm_para.h b/arch/ia64/include/asm/kvm_para.h
index 1588aee..a890096 100644
--- a/arch/ia64/include/asm/kvm_para.h
+++ b/arch/ia64/include/asm/kvm_para.h
@@ -26,6 +26,11 @@ static inline unsigned int kvm_arch_para_features(void)
 	return 0;
 }
 
+static inline unsigned int kvm_arch_pv_features(void)
+{
+	return 0;
+}
+
 #endif
 
 #endif
diff --git a/arch/powerpc/include/asm/kvm_para.h b/arch/powerpc/include/asm/kvm_para.h
index 7b754e7..b5f7c35 100644
--- a/arch/powerpc/include/asm/kvm_para.h
+++ b/arch/powerpc/include/asm/kvm_para.h
@@ -206,6 +206,11 @@ static inline unsigned int kvm_arch_para_features(void)
 	return r;
 }
 
+static inline unsigned int kvm_arch_pv_features(void)
+{
+	return 0;
+}
+
 #endif /* __KERNEL__ */
 
 #endif /* __POWERPC_KVM_PARA_H__ */
diff --git a/arch/s390/include/asm/kvm_para.h b/arch/s390/include/asm/kvm_para.h
index 6964db2..21a8d18 100644
--- a/arch/s390/include/asm/kvm_para.h
+++ b/arch/s390/include/asm/kvm_para.h
@@ -149,6 +149,11 @@ static inline unsigned int kvm_arch_para_features(void)
 	return 0;
 }
 
+static inline unsigned int kvm_arch_pv_features(void)
+{
+	return 0;
+}
+
 #endif
 
 #endif /* __S390_KVM_PARA_H */
diff --git a/arch/x86/include/asm/kvm_para.h b/arch/x86/include/asm/kvm_para.h
index 734c376..02e214a 100644
--- a/arch/x86/include/asm/kvm_para.h
+++ b/arch/x86/include/asm/kvm_para.h
@@ -208,6 +208,13 @@ static inline void kvm_disable_steal_time(void)
 }
 #endif
 
+#define KVM_PV_PORT	(0x505UL)
+
+static inline unsigned int kvm_arch_pv_features(void)
+{
+	return inl(KVM_PV_PORT);
+}
+
 #endif /* __KERNEL__ */
 
 #endif /* _ASM_X86_KVM_PARA_H */
diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
index b8ba6e4..adfde45 100644
--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -335,6 +335,17 @@ static struct notifier_block kvm_pv_reboot_nb = {
 	.notifier_call = kvm_pv_reboot_notify,
 };
 
+static int
+kvm_pv_panic_notify(struct notifier_block *nb, unsigned long code, void *unused)
+{
+	outl(KVM_PV_PANICKED, KVM_PV_PORT);
+	return NOTIFY_DONE;
+}
+
+static struct notifier_block kvm_pv_panic_nb = {
+	.notifier_call = kvm_pv_panic_notify,
+};
+
 static u64 kvm_steal_clock(int cpu)
 {
 	u64 steal;
@@ -421,6 +432,9 @@ void

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-04-02 Thread Wen Congyang 
At 03/19/2012 03:33 PM, Wen Congyang Wrote:
 At 03/08/2012 03:57 PM, Wen Congyang Wrote:
 We can know the guest is paniced when the guest runs on xen.
 But we do not have such feature on kvm.

 Another purpose of this feature is: management app(for example:
 libvirt) can do auto dump when the guest is crashed. If management
 app does not do auto dump, the guest's user can do dump by hand if
 he sees the guest is paniced.

 I touch the hypervisor instead of using virtio-serial, because
 1. it is simple
 2. the virtio-serial is an optional device, and the guest may
not have such device.

 Changes from v2 to v3:
 1. correct spelling

 Changes from v1 to v2:
 1. split up host and guest-side changes
 2. introduce new request flag to avoid changing return values.
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/

 
 
 Hi all:
 
 we neet this feature, but we don't decide how to implement it.
 We have two solution:
 1. use vmcall
 2. use virtio-serial.

Hi, all

There are three solutions now:
1. use vmcall
2. use I/O port
3. use virtio-serial.

I think 1 and 2 are more simple than 3.

I am reading virtio-serial's driver recent days. It seems that
if the virtio serial port is not opened at the host side, the
data writen into this port will be discarded, and we will have
no chance to know the guest is panicked.

To Amit:

Can we write message to a virtio serial port like this directly in
the kernel space?
send_buf(panicked_port, message, message's length, true);

if port-outvq_full is true, is it OK to do this?

Thanks
Wen Congyang
 
 I will not change this patch set before we decide how to do it.
 Can we make a decision recent days?
 
 Thanks
 Wen Congyang
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/
 

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-04-02 Thread Amit Shah 
On (Mon) 02 Apr 2012 [18:05:45], Wen Congyang wrote:
 At 03/19/2012 03:33 PM, Wen Congyang Wrote:
  At 03/08/2012 03:57 PM, Wen Congyang Wrote:
  We can know the guest is paniced when the guest runs on xen.
  But we do not have such feature on kvm.
 
  Another purpose of this feature is: management app(for example:
  libvirt) can do auto dump when the guest is crashed. If management
  app does not do auto dump, the guest's user can do dump by hand if
  he sees the guest is paniced.
 
  I touch the hypervisor instead of using virtio-serial, because
  1. it is simple
  2. the virtio-serial is an optional device, and the guest may
 not have such device.
 
  Changes from v2 to v3:
  1. correct spelling
 
  Changes from v1 to v2:
  1. split up host and guest-side changes
  2. introduce new request flag to avoid changing return values.
  
  Hi all:
  
  we neet this feature, but we don't decide how to implement it.
  We have two solution:
  1. use vmcall
  2. use virtio-serial.
 
 Hi, all
 
 There are three solutions now:
 1. use vmcall
 2. use I/O port
 3. use virtio-serial.
 
 I think 1 and 2 are more simple than 3.
 
 I am reading virtio-serial's driver recent days. It seems that
 if the virtio serial port is not opened at the host side, the
 data writen into this port will be discarded, and we will have
 no chance to know the guest is panicked.

The qemu-side implementation should exist within qemu itself; i.e. the
consumer of the data from the kernel-side will always have a
listener.  In this case, you don't have to worry about port not being
opened on the host side.

 To Amit:
 
 Can we write message to a virtio serial port like this directly in
 the kernel space?

As I had mentioned earlier, an in-kernel API is currently missing, but
it will be very simple to add one.

 send_buf(panicked_port, message, message's length, true);
 
 if port-outvq_full is true, is it OK to do this?

port-outvq_full means guest has sent out data to the host, but the
host has not consumed the data yet, and has not released the buffers
back to the guest.

If you indeed reach such a situation (essentially you should never,
there are enough buffers already to account for scheduling delays),
then newer data will be discarded, or you will have to wait to write
the newer data till the host-side frees up buffers in the virtqueues.

This isn't really different from other approaches -- if you use a
shared buffer between guest and host, and if the guest has new data
before the host has had a chance to read off the older buffer
contents, you either overwrite or wait for the host to read the older
stuff.


Amit
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-21 Thread Gleb Natapov 
On Wed, Mar 21, 2012 at 08:56:03AM +0800, Wen Congyang wrote:
 At 03/20/2012 11:45 PM, Gleb Natapov Wrote:
  On Tue, Mar 20, 2012 at 05:59:16PM +0800, Wen Congyang wrote:
  At 03/19/2012 03:33 PM, Wen Congyang Wrote:
  At 03/08/2012 03:57 PM, Wen Congyang Wrote:
  We can know the guest is paniced when the guest runs on xen.
  But we do not have such feature on kvm.
 
  Another purpose of this feature is: management app(for example:
  libvirt) can do auto dump when the guest is crashed. If management
  app does not do auto dump, the guest's user can do dump by hand if
  he sees the guest is paniced.
 
  I touch the hypervisor instead of using virtio-serial, because
  1. it is simple
  2. the virtio-serial is an optional device, and the guest may
 not have such device.
 
  Changes from v2 to v3:
  1. correct spelling
 
  Changes from v1 to v2:
  1. split up host and guest-side changes
  2. introduce new request flag to avoid changing return values.
  --
  To unsubscribe from this list: send the line unsubscribe linux-kernel 
  in
  the body of a message to majord...@vger.kernel.org
  More majordomo info at  http://vger.kernel.org/majordomo-info.html
  Please read the FAQ at  http://www.tux.org/lkml/
 
 
 
  Hi all:
 
  we neet this feature, but we don't decide how to implement it.
  We have two solution:
  1. use vmcall
  2. use virtio-serial.
 
  I will not change this patch set before we decide how to do it.
  Can we make a decision recent days?
 
  Anybody can decide which solution to use?
 
  To make an informed decision we need to have at least raw idea how
  virtio-serial variant will look.
 
 Hmm, I think we can do this:
 1. reset the virtio-serial device or reset the port we use to notice
the host that guest is panicked.
 2. write some specific messages to the port
 
 So the port should have fixed name. If this port is opened by the userspace
 before the guest is paniced, I am not sure whether we can use it(because a
 port only can be opened once at the same time).
Yes, IMO we should dedicate one virtio-serial port for panic
notifications. Just like we dedicate one for a console.

 We cannot call any function in the module, so we may need to write a simple
 driver for virtio-serial(like diskdump's disk driver).
 
netconsole uses standard NIC drivers in polling mode to send OOPSes
over the network and it mostly works. So I think using virtio-serial
driver is not out of question, but with IRQ disabled of course.

 I donot know how to implement it now. But I guess that it may be complicated.
 
Look at drivers/char/ipmi/ipmi_msghandler.c. It has code to send panic
event over IMPI. The code is pretty complex. Of course if we a going to
implement something more complex than simple hypercall for panic
notification we better do something more interesting with it than just
saying panic happened, like sending stack traces on all cpus for
instance.

--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-21 Thread Wen Congyang 
At 03/21/2012 05:11 PM, Gleb Natapov Wrote:
 On Wed, Mar 21, 2012 at 08:56:03AM +0800, Wen Congyang wrote:
 At 03/20/2012 11:45 PM, Gleb Natapov Wrote:
 On Tue, Mar 20, 2012 at 05:59:16PM +0800, Wen Congyang wrote:
 At 03/19/2012 03:33 PM, Wen Congyang Wrote:
 At 03/08/2012 03:57 PM, Wen Congyang Wrote:
 We can know the guest is paniced when the guest runs on xen.
 But we do not have such feature on kvm.

 Another purpose of this feature is: management app(for example:
 libvirt) can do auto dump when the guest is crashed. If management
 app does not do auto dump, the guest's user can do dump by hand if
 he sees the guest is paniced.

 I touch the hypervisor instead of using virtio-serial, because
 1. it is simple
 2. the virtio-serial is an optional device, and the guest may
not have such device.

 Changes from v2 to v3:
 1. correct spelling

 Changes from v1 to v2:
 1. split up host and guest-side changes
 2. introduce new request flag to avoid changing return values.
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel 
 in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/



 Hi all:

 we neet this feature, but we don't decide how to implement it.
 We have two solution:
 1. use vmcall
 2. use virtio-serial.

 I will not change this patch set before we decide how to do it.
 Can we make a decision recent days?

 Anybody can decide which solution to use?

 To make an informed decision we need to have at least raw idea how
 virtio-serial variant will look.

 Hmm, I think we can do this:
 1. reset the virtio-serial device or reset the port we use to notice
the host that guest is panicked.
 2. write some specific messages to the port

 So the port should have fixed name. If this port is opened by the userspace
 before the guest is paniced, I am not sure whether we can use it(because a
 port only can be opened once at the same time).
 Yes, IMO we should dedicate one virtio-serial port for panic
 notifications. Just like we dedicate one for a console.
 
 We cannot call any function in the module, so we may need to write a simple
 driver for virtio-serial(like diskdump's disk driver).

 netconsole uses standard NIC drivers in polling mode to send OOPSes
 over the network and it mostly works. So I think using virtio-serial
 driver is not out of question, but with IRQ disabled of course.

The code for netconsole is in which file?
Another question: we cannot call the function in the module directly in the
kernel.

 
 I donot know how to implement it now. But I guess that it may be complicated.

 Look at drivers/char/ipmi/ipmi_msghandler.c. It has code to send panic
 event over IMPI. The code is pretty complex. Of course if we a going to
 implement something more complex than simple hypercall for panic
 notification we better do something more interesting with it than just
 saying panic happened, like sending stack traces on all cpus for
 instance.

If we implement it by virtio-serial, I agree with passing more useful message
to host.

Thanks
Wen Congyang

 
 --
   Gleb.
 

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-21 Thread Gleb Natapov 
On Wed, Mar 21, 2012 at 05:35:49PM +0800, Wen Congyang wrote:
 At 03/21/2012 05:11 PM, Gleb Natapov Wrote:
  On Wed, Mar 21, 2012 at 08:56:03AM +0800, Wen Congyang wrote:
  At 03/20/2012 11:45 PM, Gleb Natapov Wrote:
  On Tue, Mar 20, 2012 at 05:59:16PM +0800, Wen Congyang wrote:
  At 03/19/2012 03:33 PM, Wen Congyang Wrote:
  At 03/08/2012 03:57 PM, Wen Congyang Wrote:
  We can know the guest is paniced when the guest runs on xen.
  But we do not have such feature on kvm.
 
  Another purpose of this feature is: management app(for example:
  libvirt) can do auto dump when the guest is crashed. If management
  app does not do auto dump, the guest's user can do dump by hand if
  he sees the guest is paniced.
 
  I touch the hypervisor instead of using virtio-serial, because
  1. it is simple
  2. the virtio-serial is an optional device, and the guest may
 not have such device.
 
  Changes from v2 to v3:
  1. correct spelling
 
  Changes from v1 to v2:
  1. split up host and guest-side changes
  2. introduce new request flag to avoid changing return values.
  --
  To unsubscribe from this list: send the line unsubscribe 
  linux-kernel in
  the body of a message to majord...@vger.kernel.org
  More majordomo info at  http://vger.kernel.org/majordomo-info.html
  Please read the FAQ at  http://www.tux.org/lkml/
 
 
 
  Hi all:
 
  we neet this feature, but we don't decide how to implement it.
  We have two solution:
  1. use vmcall
  2. use virtio-serial.
 
  I will not change this patch set before we decide how to do it.
  Can we make a decision recent days?
 
  Anybody can decide which solution to use?
 
  To make an informed decision we need to have at least raw idea how
  virtio-serial variant will look.
 
  Hmm, I think we can do this:
  1. reset the virtio-serial device or reset the port we use to notice
 the host that guest is panicked.
  2. write some specific messages to the port
 
  So the port should have fixed name. If this port is opened by the userspace
  before the guest is paniced, I am not sure whether we can use it(because a
  port only can be opened once at the same time).
  Yes, IMO we should dedicate one virtio-serial port for panic
  notifications. Just like we dedicate one for a console.
  
  We cannot call any function in the module, so we may need to write a simple
  driver for virtio-serial(like diskdump's disk driver).
 
  netconsole uses standard NIC drivers in polling mode to send OOPSes
  over the network and it mostly works. So I think using virtio-serial
  driver is not out of question, but with IRQ disabled of course.
 
 The code for netconsole is in which file?
drivers/net/netconsole.c naturally.

 Another question: we cannot call the function in the module directly in the
 kernel.
True I think. netconsole and actual NIC driver have a layer of abstraction
between them. Modules can call functions from other modules. Your
module can register to panic_notifier_list (like IPMI does) and call
functions from virtio-serial. Or panic handling can be added directly
to virtio-serial since it will have to be modified anyway. Something
like netpoll API will have to be added to it.

  
  I donot know how to implement it now. But I guess that it may be 
  complicated.
 
  Look at drivers/char/ipmi/ipmi_msghandler.c. It has code to send panic
  event over IMPI. The code is pretty complex. Of course if we a going to
  implement something more complex than simple hypercall for panic
  notification we better do something more interesting with it than just
  saying panic happened, like sending stack traces on all cpus for
  instance.
 
 If we implement it by virtio-serial, I agree with passing more useful message
 to host.
 

--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-21 Thread Corey Minyard 



Look at drivers/char/ipmi/ipmi_msghandler.c. It has code to send panic
event over IMPI. The code is pretty complex. Of course if we a going to
implement something more complex than simple hypercall for panic
notification we better do something more interesting with it than just
saying panic happened, like sending stack traces on all cpus for
instance.


I doubt that's the best example, unfortunately.  The IPMI event log has 
limited space and it has to be send a little piece at a time since each 
log entry is 14 bytes.  It just prints the panic string, nothing else.  
Not that it isn't useful, it has saved my butt before.


You have lots of interesting options with paravirtualization.  You 
could, for instance, create a console driver that delivered all console 
output efficiently through a hypercall.  That would be really easy.  Or, 
as you mention, a custom way to deliver panic information.  Collecting 
information like stack traces would be harder to accomplish, as I don't 
think there is currently a way to get it except by sending it to printk.


-corey
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-21 Thread Gleb Natapov 
On Wed, Mar 21, 2012 at 11:18:16AM -0500, Corey Minyard wrote:
 
 Look at drivers/char/ipmi/ipmi_msghandler.c. It has code to send panic
 event over IMPI. The code is pretty complex. Of course if we a going to
 implement something more complex than simple hypercall for panic
 notification we better do something more interesting with it than just
 saying panic happened, like sending stack traces on all cpus for
 instance.
 
 I doubt that's the best example, unfortunately.  The IPMI event log
 has limited space and it has to be send a little piece at a time
 since each log entry is 14 bytes.  It just prints the panic string,
 nothing else.  Not that it isn't useful, it has saved my butt
 before.
 
I gave ipmi example just to show that others do complex things on panic,
not as an example of what we should do on a guest panic.

 You have lots of interesting options with paravirtualization.  You
 could, for instance, create a console driver that delivered all
 console output efficiently through a hypercall.  That would be
 really easy.  Or, as you mention, a custom way to deliver panic
 information.  Collecting information like stack traces would be
 harder to accomplish, as I don't think there is currently a way to
 get it except by sending it to printk.
 
Why using hypercall for that though? You can do that with
virtio-console. Make it zero config: virtio-console detected - send
console output there.

--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-21 Thread Avi Kivity 
On 03/21/2012 06:18 PM, Corey Minyard wrote:

 Look at drivers/char/ipmi/ipmi_msghandler.c. It has code to send panic
 event over IMPI. The code is pretty complex. Of course if we a going to
 implement something more complex than simple hypercall for panic
 notification we better do something more interesting with it than just
 saying panic happened, like sending stack traces on all cpus for
 instance.

 I doubt that's the best example, unfortunately.  The IPMI event log
 has limited space and it has to be send a little piece at a time since
 each log entry is 14 bytes.  It just prints the panic string, nothing
 else.  Not that it isn't useful, it has saved my butt before.

 You have lots of interesting options with paravirtualization.  You
 could, for instance, create a console driver that delivered all
 console output efficiently through a hypercall.  That would be really
 easy.  Or, as you mention, a custom way to deliver panic information. 
 Collecting information like stack traces would be harder to
 accomplish, as I don't think there is currently a way to get it except
 by sending it to printk.

That already exists; virtio-console (or serial console emulation) can do
the job.

In fact the feature can be implemented 100% host side by searching for a
panic string signature in the console logs.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-21 Thread Daniel P. Berrange 
On Wed, Mar 21, 2012 at 06:25:16PM +0200, Avi Kivity wrote:
 On 03/21/2012 06:18 PM, Corey Minyard wrote:
 
  Look at drivers/char/ipmi/ipmi_msghandler.c. It has code to send panic
  event over IMPI. The code is pretty complex. Of course if we a going to
  implement something more complex than simple hypercall for panic
  notification we better do something more interesting with it than just
  saying panic happened, like sending stack traces on all cpus for
  instance.
 
  I doubt that's the best example, unfortunately.  The IPMI event log
  has limited space and it has to be send a little piece at a time since
  each log entry is 14 bytes.  It just prints the panic string, nothing
  else.  Not that it isn't useful, it has saved my butt before.
 
  You have lots of interesting options with paravirtualization.  You
  could, for instance, create a console driver that delivered all
  console output efficiently through a hypercall.  That would be really
  easy.  Or, as you mention, a custom way to deliver panic information. 
  Collecting information like stack traces would be harder to
  accomplish, as I don't think there is currently a way to get it except
  by sending it to printk.
 
 That already exists; virtio-console (or serial console emulation) can do
 the job.
 
 In fact the feature can be implemented 100% host side by searching for a
 panic string signature in the console logs.

You can even go one better and search for the panic string in the
guest memory directly, which is what virt-dmesg does :-)

  http://people.redhat.com/~rjones/virt-dmesg/

Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-21 Thread Avi Kivity 
On 03/21/2012 07:04 PM, Daniel P. Berrange wrote:
  
  In fact the feature can be implemented 100% host side by searching for a
  panic string signature in the console logs.

 You can even go one better and search for the panic string in the
 guest memory directly, which is what virt-dmesg does :-)

   http://people.redhat.com/~rjones/virt-dmesg/


-ETOOHACKY

Any guest change will break this, no?

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-21 Thread Jan Kiszka 
On 2012-03-21 18:34, Avi Kivity wrote:
 On 03/21/2012 07:04 PM, Daniel P. Berrange wrote:

 In fact the feature can be implemented 100% host side by searching for a
 panic string signature in the console logs.

 You can even go one better and search for the panic string in the
 guest memory directly, which is what virt-dmesg does :-)

   http://people.redhat.com/~rjones/virt-dmesg/

 
 -ETOOHACKY
 
 Any guest change will break this, no?

/me has a simple python script (a few ten lines) to do this during
runtime (kgdb, qemu gdbstub) or post-portem (gdb -c vmcore). Ideally,
that will once come with the Linux sources where it can be kept in sync
with the kernel data structures.

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-20 Thread Wen Congyang 
At 03/19/2012 03:33 PM, Wen Congyang Wrote:
 At 03/08/2012 03:57 PM, Wen Congyang Wrote:
 We can know the guest is paniced when the guest runs on xen.
 But we do not have such feature on kvm.

 Another purpose of this feature is: management app(for example:
 libvirt) can do auto dump when the guest is crashed. If management
 app does not do auto dump, the guest's user can do dump by hand if
 he sees the guest is paniced.

 I touch the hypervisor instead of using virtio-serial, because
 1. it is simple
 2. the virtio-serial is an optional device, and the guest may
not have such device.

 Changes from v2 to v3:
 1. correct spelling

 Changes from v1 to v2:
 1. split up host and guest-side changes
 2. introduce new request flag to avoid changing return values.
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/

 
 
 Hi all:
 
 we neet this feature, but we don't decide how to implement it.
 We have two solution:
 1. use vmcall
 2. use virtio-serial.
 
 I will not change this patch set before we decide how to do it.
 Can we make a decision recent days?

Anybody can decide which solution to use?

Thanks
Wen Congyang

 
 Thanks
 Wen Congyang
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/
 

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-20 Thread Gleb Natapov 
On Tue, Mar 20, 2012 at 05:59:16PM +0800, Wen Congyang wrote:
 At 03/19/2012 03:33 PM, Wen Congyang Wrote:
  At 03/08/2012 03:57 PM, Wen Congyang Wrote:
  We can know the guest is paniced when the guest runs on xen.
  But we do not have such feature on kvm.
 
  Another purpose of this feature is: management app(for example:
  libvirt) can do auto dump when the guest is crashed. If management
  app does not do auto dump, the guest's user can do dump by hand if
  he sees the guest is paniced.
 
  I touch the hypervisor instead of using virtio-serial, because
  1. it is simple
  2. the virtio-serial is an optional device, and the guest may
 not have such device.
 
  Changes from v2 to v3:
  1. correct spelling
 
  Changes from v1 to v2:
  1. split up host and guest-side changes
  2. introduce new request flag to avoid changing return values.
  --
  To unsubscribe from this list: send the line unsubscribe linux-kernel in
  the body of a message to majord...@vger.kernel.org
  More majordomo info at  http://vger.kernel.org/majordomo-info.html
  Please read the FAQ at  http://www.tux.org/lkml/
 
  
  
  Hi all:
  
  we neet this feature, but we don't decide how to implement it.
  We have two solution:
  1. use vmcall
  2. use virtio-serial.
  
  I will not change this patch set before we decide how to do it.
  Can we make a decision recent days?
 
 Anybody can decide which solution to use?
 
To make an informed decision we need to have at least raw idea how
virtio-serial variant will look.

--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-20 Thread Wen Congyang 
At 03/20/2012 11:45 PM, Gleb Natapov Wrote:
 On Tue, Mar 20, 2012 at 05:59:16PM +0800, Wen Congyang wrote:
 At 03/19/2012 03:33 PM, Wen Congyang Wrote:
 At 03/08/2012 03:57 PM, Wen Congyang Wrote:
 We can know the guest is paniced when the guest runs on xen.
 But we do not have such feature on kvm.

 Another purpose of this feature is: management app(for example:
 libvirt) can do auto dump when the guest is crashed. If management
 app does not do auto dump, the guest's user can do dump by hand if
 he sees the guest is paniced.

 I touch the hypervisor instead of using virtio-serial, because
 1. it is simple
 2. the virtio-serial is an optional device, and the guest may
not have such device.

 Changes from v2 to v3:
 1. correct spelling

 Changes from v1 to v2:
 1. split up host and guest-side changes
 2. introduce new request flag to avoid changing return values.
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/



 Hi all:

 we neet this feature, but we don't decide how to implement it.
 We have two solution:
 1. use vmcall
 2. use virtio-serial.

 I will not change this patch set before we decide how to do it.
 Can we make a decision recent days?

 Anybody can decide which solution to use?

 To make an informed decision we need to have at least raw idea how
 virtio-serial variant will look.

Hmm, I think we can do this:
1. reset the virtio-serial device or reset the port we use to notice
   the host that guest is panicked.
2. write some specific messages to the port

So the port should have fixed name. If this port is opened by the userspace
before the guest is paniced, I am not sure whether we can use it(because a
port only can be opened once at the same time).
We cannot call any function in the module, so we may need to write a simple
driver for virtio-serial(like diskdump's disk driver).

I donot know how to implement it now. But I guess that it may be complicated.

Thanks
Wen Congyang

 
 --
   Gleb.
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/
 

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-19 Thread Wen Congyang 
At 03/08/2012 03:57 PM, Wen Congyang Wrote:
 We can know the guest is paniced when the guest runs on xen.
 But we do not have such feature on kvm.
 
 Another purpose of this feature is: management app(for example:
 libvirt) can do auto dump when the guest is crashed. If management
 app does not do auto dump, the guest's user can do dump by hand if
 he sees the guest is paniced.
 
 I touch the hypervisor instead of using virtio-serial, because
 1. it is simple
 2. the virtio-serial is an optional device, and the guest may
not have such device.
 
 Changes from v2 to v3:
 1. correct spelling
 
 Changes from v1 to v2:
 1. split up host and guest-side changes
 2. introduce new request flag to avoid changing return values.
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/
 


Hi all:

we neet this feature, but we don't decide how to implement it.
We have two solution:
1. use vmcall
2. use virtio-serial.

I will not change this patch set before we decide how to do it.
Can we make a decision recent days?

Thanks
Wen Congyang
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-15 Thread Wen Congyang 
At 03/15/2012 02:46 AM, Eric Northup Wrote:
 On Wed, Mar 14, 2012 at 6:25 AM, Gleb Natapov g...@redhat.com wrote:
 
 On Wed, Mar 14, 2012 at 03:16:05PM +0200, Avi Kivity wrote:
 On 03/14/2012 03:14 PM, Gleb Natapov wrote:
 On Wed, Mar 14, 2012 at 03:07:46PM +0200, Avi Kivity wrote:
 On 03/14/2012 01:11 PM, Wen Congyang wrote:

 I don't think we want to use the driver.  Instead, have a small
 piece of
 code that resets the device and pushes out a string (the panic
 message?)
 without any interrupts etc.

 It's still going to be less reliable than a hypercall, I agree.

 Do you still want to use complicated and less reliable way?

 Are you willing to try it out and see how complicated it really is?

 While it's more complicated, it's also more flexible.  You can
 communicate the panic message, whether the guest is attempting a
 kdump
 and its own recovery or whether it wants the host to do it, etc., you
 can communicate less severe failures like oopses.

 hypercall can take arguments to achieve the same.

 It has to be designed in advance; and every time we notice something's
 missing we have to update the host kernel.


 We and in the designed stage now. Not to late to design something flexible
 :) Panic hypercall can take GPA of a buffer where host puts panic info
 as a parameter.  This buffer can be read by QEMU and passed to management.

 
 If a host kernel change is in the works, I think it might be cleanest to
 have the host kernel export a new kind of VCPU exit for unhandled-by-KVM
 hypercalls.  Then usermode can respond to the hypercall as appropriate.
  This would permit adding or changing future hypercalls without host kernel
 changes.
 
 Guest panic is almost the definition of not-a-fast-path, and so what's
 the reason to handle it in the host kernel.
 
 Punting to user-space wouldn't be a magic bullet for getting good
 interfaces designed, but in my opinion it is a better place to be doing
 them.
 

Do you mean that: the guest execute vmcall instruction, and the host kernel
exits to userspace. The userspace will deal with the vmexit?

Thanks
Wen Congyang
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-15 Thread Gleb Natapov 
On Wed, Mar 14, 2012 at 11:46:08AM -0700, Eric Northup wrote:
 On Wed, Mar 14, 2012 at 6:25 AM, Gleb Natapov g...@redhat.com wrote:
 
  On Wed, Mar 14, 2012 at 03:16:05PM +0200, Avi Kivity wrote:
   On 03/14/2012 03:14 PM, Gleb Natapov wrote:
On Wed, Mar 14, 2012 at 03:07:46PM +0200, Avi Kivity wrote:
 On 03/14/2012 01:11 PM, Wen Congyang wrote:
  
   I don't think we want to use the driver.  Instead, have a small
  piece of
   code that resets the device and pushes out a string (the panic
  message?)
   without any interrupts etc.
  
   It's still going to be less reliable than a hypercall, I agree.
 
  Do you still want to use complicated and less reliable way?

 Are you willing to try it out and see how complicated it really is?

 While it's more complicated, it's also more flexible.  You can
 communicate the panic message, whether the guest is attempting a
  kdump
 and its own recovery or whether it wants the host to do it, etc., you
 can communicate less severe failures like oopses.

hypercall can take arguments to achieve the same.
  
   It has to be designed in advance; and every time we notice something's
   missing we have to update the host kernel.
  
 
  We and in the designed stage now. Not to late to design something flexible
  :) Panic hypercall can take GPA of a buffer where host puts panic info
  as a parameter.  This buffer can be read by QEMU and passed to management.
 
 
 If a host kernel change is in the works, I think it might be cleanest to
 have the host kernel export a new kind of VCPU exit for unhandled-by-KVM
 hypercalls.  Then usermode can respond to the hypercall as appropriate.
  This would permit adding or changing future hypercalls without host kernel
 changes.
 
There was such vm exit (KVM_EXIT_HYPERCALL), but it was deemed to be a
bad idea.

 Guest panic is almost the definition of not-a-fast-path, and so what's
 the reason to handle it in the host kernel.
The only handling that kernel does is maps hypercall to panic exit.

 
 Punting to user-space wouldn't be a magic bullet for getting good
 interfaces designed, but in my opinion it is a better place to be doing
 them.

--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-15 Thread Jan Kiszka 
On 2012-03-15 11:39, Gleb Natapov wrote:
 On Wed, Mar 14, 2012 at 11:46:08AM -0700, Eric Northup wrote:
 On Wed, Mar 14, 2012 at 6:25 AM, Gleb Natapov g...@redhat.com wrote:

 On Wed, Mar 14, 2012 at 03:16:05PM +0200, Avi Kivity wrote:
 On 03/14/2012 03:14 PM, Gleb Natapov wrote:
 On Wed, Mar 14, 2012 at 03:07:46PM +0200, Avi Kivity wrote:
 On 03/14/2012 01:11 PM, Wen Congyang wrote:

 I don't think we want to use the driver.  Instead, have a small
 piece of
 code that resets the device and pushes out a string (the panic
 message?)
 without any interrupts etc.

 It's still going to be less reliable than a hypercall, I agree.

 Do you still want to use complicated and less reliable way?

 Are you willing to try it out and see how complicated it really is?

 While it's more complicated, it's also more flexible.  You can
 communicate the panic message, whether the guest is attempting a
 kdump
 and its own recovery or whether it wants the host to do it, etc., you
 can communicate less severe failures like oopses.

 hypercall can take arguments to achieve the same.

 It has to be designed in advance; and every time we notice something's
 missing we have to update the host kernel.


 We and in the designed stage now. Not to late to design something flexible
 :) Panic hypercall can take GPA of a buffer where host puts panic info
 as a parameter.  This buffer can be read by QEMU and passed to management.


 If a host kernel change is in the works, I think it might be cleanest to
 have the host kernel export a new kind of VCPU exit for unhandled-by-KVM
 hypercalls.  Then usermode can respond to the hypercall as appropriate.
  This would permit adding or changing future hypercalls without host kernel
 changes.

 There was such vm exit (KVM_EXIT_HYPERCALL), but it was deemed to be a
 bad idea.

BTW, this would help a lot in emulating hypercalls of other hypervisors
(or of KVM's VAPIC in the absence of in-kernel irqchip - I had to jump
through hoops therefore) in user space. Not all those hypercall handlers
actually have to reside in the KVM module.

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-15 Thread Avi Kivity 
On 03/15/2012 01:25 PM, Jan Kiszka wrote:
 
  There was such vm exit (KVM_EXIT_HYPERCALL), but it was deemed to be a
  bad idea.

 BTW, this would help a lot in emulating hypercalls of other hypervisors
 (or of KVM's VAPIC in the absence of in-kernel irqchip - I had to jump
 through hoops therefore) in user space. Not all those hypercall handlers
 actually have to reside in the KVM module.


That is true.  On the other hand the hypercall ABI might go to pieces if
there was no central implementation.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Wen Congyang 
At 03/13/2012 06:47 PM, Avi Kivity Wrote:
 On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
 On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
 On 03/12/2012 11:04 AM, Wen Congyang wrote:
 Do you have any other comments about this patch?


 Not really, but I'm not 100% convinced the patch is worthwhile.  It's
 likely to only be used by Linux, which has kexec facilities, and you can
 put talk to management via virtio-serial and describe the crash in more
 details than a simple hypercall.

 As mentioned before, I don't think virtio-serial is a good fit for this.
 We want something that is simple  guaranteed always available. Using
 virtio-serial requires significant setup work on both the host and guest.
 
 So what?  It needs to be done anyway for the guest agent.
 
 Many management application won't know to make a vioserial device available
 to all guests they create. 
 
 Then they won't know to deal with the panic event either.
 
 Most administrators won't even configure kexec,
 let alone virtio serial on top of it. 
 
 It should be done by the OS vendor, not the individual admin.
 
 The hypercall requires zero host
 side config, and zero guest side config, which IMHO is what we need for
 this feature.
 
 If it was this one feature, yes.  But we keep getting more and more
 features like that and we bloat the hypervisor.  There's a reason we
 have a host-to-guest channel, we should use it.
 

I donot know how to use virtio-serial.

I start vm like this:
qemu ...\
   -device virtio-serial \
  -chardev socket,path=/tmp/foo,server,nowait,id=foo \
  -device virtserialport,chardev=foo,name=port1 ...

You said that there are too many channels. Does it mean /tmp/foo is a channel?

Thanks
Wen Congyang
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Avi Kivity 
On 03/14/2012 10:29 AM, Wen Congyang wrote:
 At 03/13/2012 06:47 PM, Avi Kivity Wrote:
  On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
  On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
  On 03/12/2012 11:04 AM, Wen Congyang wrote:
  Do you have any other comments about this patch?
 
 
  Not really, but I'm not 100% convinced the patch is worthwhile.  It's
  likely to only be used by Linux, which has kexec facilities, and you can
  put talk to management via virtio-serial and describe the crash in more
  details than a simple hypercall.
 
  As mentioned before, I don't think virtio-serial is a good fit for this.
  We want something that is simple  guaranteed always available. Using
  virtio-serial requires significant setup work on both the host and guest.
  
  So what?  It needs to be done anyway for the guest agent.
  
  Many management application won't know to make a vioserial device available
  to all guests they create. 
  
  Then they won't know to deal with the panic event either.
  
  Most administrators won't even configure kexec,
  let alone virtio serial on top of it. 
  
  It should be done by the OS vendor, not the individual admin.
  
  The hypercall requires zero host
  side config, and zero guest side config, which IMHO is what we need for
  this feature.
  
  If it was this one feature, yes.  But we keep getting more and more
  features like that and we bloat the hypervisor.  There's a reason we
  have a host-to-guest channel, we should use it.
  

 I donot know how to use virtio-serial.

I don't either, copying Amit.

 I start vm like this:
 qemu ...\
-device virtio-serial \
   -chardev socket,path=/tmp/foo,server,nowait,id=foo \
   -device virtserialport,chardev=foo,name=port1 ...

 You said that there are too many channels. Does it mean /tmp/foo is a channel?

Probably.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Amit Shah 
On (Wed) 14 Mar 2012 [16:29:50], Wen Congyang wrote:
 At 03/13/2012 06:47 PM, Avi Kivity Wrote:
  On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
  On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
  On 03/12/2012 11:04 AM, Wen Congyang wrote:
  Do you have any other comments about this patch?
 
 
  Not really, but I'm not 100% convinced the patch is worthwhile.  It's
  likely to only be used by Linux, which has kexec facilities, and you can
  put talk to management via virtio-serial and describe the crash in more
  details than a simple hypercall.
 
  As mentioned before, I don't think virtio-serial is a good fit for this.
  We want something that is simple  guaranteed always available. Using
  virtio-serial requires significant setup work on both the host and guest.
  
  So what?  It needs to be done anyway for the guest agent.
  
  Many management application won't know to make a vioserial device available
  to all guests they create. 
  
  Then they won't know to deal with the panic event either.
  
  Most administrators won't even configure kexec,
  let alone virtio serial on top of it. 
  
  It should be done by the OS vendor, not the individual admin.
  
  The hypercall requires zero host
  side config, and zero guest side config, which IMHO is what we need for
  this feature.
  
  If it was this one feature, yes.  But we keep getting more and more
  features like that and we bloat the hypervisor.  There's a reason we
  have a host-to-guest channel, we should use it.
  
 
 I donot know how to use virtio-serial.
 
 I start vm like this:
 qemu ...\
-device virtio-serial \
   -chardev socket,path=/tmp/foo,server,nowait,id=foo \
   -device virtserialport,chardev=foo,name=port1 ...

This is sufficient.  On the host, you can open /tmp/foo using a custom
program or nc (nc -U /tmp/foo).  On the guest, you can just open
/dev/virtio-ports/port1 and read/write into it.

See the following links for more details.

https://fedoraproject.org/wiki/Features/VirtioSerial#How_To_Test
http://www.linux-kvm.org/page/Virtio-serial_API

 You said that there are too many channels. Does it mean /tmp/foo is a channel?

You can have several such -device virtserialport.  The -device part
describes what the guest will see.  The -chardev part ties that to the
host-side part of the channel.

/tmp/foo is the host end-point for the channel, in the example above,
and /dev/virtio-ports/port1 is the guest-side end-point.

Amit
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Wen Congyang 
At 03/14/2012 05:24 PM, Avi Kivity Wrote:
 On 03/14/2012 10:29 AM, Wen Congyang wrote:
 At 03/13/2012 06:47 PM, Avi Kivity Wrote:
 On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
 On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
 On 03/12/2012 11:04 AM, Wen Congyang wrote:
 Do you have any other comments about this patch?


 Not really, but I'm not 100% convinced the patch is worthwhile.  It's
 likely to only be used by Linux, which has kexec facilities, and you can
 put talk to management via virtio-serial and describe the crash in more
 details than a simple hypercall.

 As mentioned before, I don't think virtio-serial is a good fit for this.
 We want something that is simple  guaranteed always available. Using
 virtio-serial requires significant setup work on both the host and guest.

 So what?  It needs to be done anyway for the guest agent.

 Many management application won't know to make a vioserial device available
 to all guests they create. 

 Then they won't know to deal with the panic event either.

 Most administrators won't even configure kexec,
 let alone virtio serial on top of it. 

 It should be done by the OS vendor, not the individual admin.

 The hypercall requires zero host
 side config, and zero guest side config, which IMHO is what we need for
 this feature.

 If it was this one feature, yes.  But we keep getting more and more
 features like that and we bloat the hypervisor.  There's a reason we
 have a host-to-guest channel, we should use it.


 I donot know how to use virtio-serial.
 
 I don't either, copying Amit.
 
 I start vm like this:
 qemu ...\
-device virtio-serial \
   -chardev socket,path=/tmp/foo,server,nowait,id=foo \
   -device virtserialport,chardev=foo,name=port1 ...

 You said that there are too many channels. Does it mean /tmp/foo is a 
 channel?
 
 Probably.

Hmm, if we use virtio-serial, the guest kernel writes something into the 
channel when
the os is panicked. Is it right?

If so, is this channel visible to guest userspace? If the channle is visible to 
guest
userspace, the program running in userspace may write the same message to the 
channel.

Thanks
Wen Congyang

 

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Wen Congyang 
At 03/14/2012 05:51 PM, Amit Shah Wrote:
 On (Wed) 14 Mar 2012 [16:29:50], Wen Congyang wrote:
 At 03/13/2012 06:47 PM, Avi Kivity Wrote:
 On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
 On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
 On 03/12/2012 11:04 AM, Wen Congyang wrote:
 Do you have any other comments about this patch?


 Not really, but I'm not 100% convinced the patch is worthwhile.  It's
 likely to only be used by Linux, which has kexec facilities, and you can
 put talk to management via virtio-serial and describe the crash in more
 details than a simple hypercall.

 As mentioned before, I don't think virtio-serial is a good fit for this.
 We want something that is simple  guaranteed always available. Using
 virtio-serial requires significant setup work on both the host and guest.

 So what?  It needs to be done anyway for the guest agent.

 Many management application won't know to make a vioserial device available
 to all guests they create. 

 Then they won't know to deal with the panic event either.

 Most administrators won't even configure kexec,
 let alone virtio serial on top of it. 

 It should be done by the OS vendor, not the individual admin.

 The hypercall requires zero host
 side config, and zero guest side config, which IMHO is what we need for
 this feature.

 If it was this one feature, yes.  But we keep getting more and more
 features like that and we bloat the hypervisor.  There's a reason we
 have a host-to-guest channel, we should use it.


 I donot know how to use virtio-serial.

 I start vm like this:
 qemu ...\
-device virtio-serial \
   -chardev socket,path=/tmp/foo,server,nowait,id=foo \
   -device virtserialport,chardev=foo,name=port1 ...
 
 This is sufficient.  On the host, you can open /tmp/foo using a custom
 program or nc (nc -U /tmp/foo).  On the guest, you can just open
 /dev/virtio-ports/port1 and read/write into it.

I have two questions:
1. does it OK to open this device when the guest is panicked?
2. how to prevent the userspace's program using this device?

Thanks
Wen Congyang

 
 See the following links for more details.
 
 https://fedoraproject.org/wiki/Features/VirtioSerial#How_To_Test
 http://www.linux-kvm.org/page/Virtio-serial_API
 
 You said that there are too many channels. Does it mean /tmp/foo is a 
 channel?
 
 You can have several such -device virtserialport.  The -device part
 describes what the guest will see.  The -chardev part ties that to the
 host-side part of the channel.
 
 /tmp/foo is the host end-point for the channel, in the example above,
 and /dev/virtio-ports/port1 is the guest-side end-point.
 
   Amit
 

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Avi Kivity 
On 03/14/2012 11:53 AM, Wen Congyang wrote:
 At 03/14/2012 05:24 PM, Avi Kivity Wrote:
  On 03/14/2012 10:29 AM, Wen Congyang wrote:
  At 03/13/2012 06:47 PM, Avi Kivity Wrote:
  On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
  On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
  On 03/12/2012 11:04 AM, Wen Congyang wrote:
  Do you have any other comments about this patch?
 
 
  Not really, but I'm not 100% convinced the patch is worthwhile.  It's
  likely to only be used by Linux, which has kexec facilities, and you can
  put talk to management via virtio-serial and describe the crash in more
  details than a simple hypercall.
 
  As mentioned before, I don't think virtio-serial is a good fit for this.
  We want something that is simple  guaranteed always available. Using
  virtio-serial requires significant setup work on both the host and guest.
 
  So what?  It needs to be done anyway for the guest agent.
 
  Many management application won't know to make a vioserial device 
  available
  to all guests they create. 
 
  Then they won't know to deal with the panic event either.
 
  Most administrators won't even configure kexec,
  let alone virtio serial on top of it. 
 
  It should be done by the OS vendor, not the individual admin.
 
  The hypercall requires zero host
  side config, and zero guest side config, which IMHO is what we need for
  this feature.
 
  If it was this one feature, yes.  But we keep getting more and more
  features like that and we bloat the hypervisor.  There's a reason we
  have a host-to-guest channel, we should use it.
 
 
  I donot know how to use virtio-serial.
  
  I don't either, copying Amit.
  
  I start vm like this:
  qemu ...\
 -device virtio-serial \
-chardev socket,path=/tmp/foo,server,nowait,id=foo \
-device virtserialport,chardev=foo,name=port1 ...
 
  You said that there are too many channels. Does it mean /tmp/foo is a 
  channel?
  
  Probably.

 Hmm, if we use virtio-serial, the guest kernel writes something into the 
 channel when
 the os is panicked. Is it right?

Right.

 If so, is this channel visible to guest userspace? If the channle is visible 
 to guest
 userspace, the program running in userspace may write the same message to the 
 channel.


Surely there's some kind of access control on channels.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Avi Kivity 
On 03/14/2012 12:04 PM, Wen Congyang wrote:
  
  This is sufficient.  On the host, you can open /tmp/foo using a custom
  program or nc (nc -U /tmp/foo).  On the guest, you can just open
  /dev/virtio-ports/port1 and read/write into it.

 I have two questions:
 1. does it OK to open this device when the guest is panicked?


On panic, I think it's best to reset the device and drive it directly
from the panic handler.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Wen Congyang 
At 03/14/2012 06:07 PM, Avi Kivity Wrote:
 On 03/14/2012 11:53 AM, Wen Congyang wrote:
 At 03/14/2012 05:24 PM, Avi Kivity Wrote:
 On 03/14/2012 10:29 AM, Wen Congyang wrote:
 At 03/13/2012 06:47 PM, Avi Kivity Wrote:
 On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
 On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
 On 03/12/2012 11:04 AM, Wen Congyang wrote:
 Do you have any other comments about this patch?


 Not really, but I'm not 100% convinced the patch is worthwhile.  It's
 likely to only be used by Linux, which has kexec facilities, and you can
 put talk to management via virtio-serial and describe the crash in more
 details than a simple hypercall.

 As mentioned before, I don't think virtio-serial is a good fit for this.
 We want something that is simple  guaranteed always available. Using
 virtio-serial requires significant setup work on both the host and guest.

 So what?  It needs to be done anyway for the guest agent.

 Many management application won't know to make a vioserial device 
 available
 to all guests they create. 

 Then they won't know to deal with the panic event either.

 Most administrators won't even configure kexec,
 let alone virtio serial on top of it. 

 It should be done by the OS vendor, not the individual admin.

 The hypercall requires zero host
 side config, and zero guest side config, which IMHO is what we need for
 this feature.

 If it was this one feature, yes.  But we keep getting more and more
 features like that and we bloat the hypervisor.  There's a reason we
 have a host-to-guest channel, we should use it.


 I donot know how to use virtio-serial.

 I don't either, copying Amit.

 I start vm like this:
 qemu ...\
-device virtio-serial \
   -chardev socket,path=/tmp/foo,server,nowait,id=foo \
   -device virtserialport,chardev=foo,name=port1 ...

 You said that there are too many channels. Does it mean /tmp/foo is a 
 channel?

 Probably.

 Hmm, if we use virtio-serial, the guest kernel writes something into the 
 channel when
 the os is panicked. Is it right?
 
 Right.
 
 If so, is this channel visible to guest userspace? If the channle is visible 
 to guest
 userspace, the program running in userspace may write the same message to 
 the channel.

 
 Surely there's some kind of access control on channels.

The virtio-serial depends on more things than touching the hypervisor. So I 
think touching
the hypervisor is more reliable than using virtio-serial device, and it is very 
simple and
easy to use.

If we pass something from guest userspace to host, we can use virtio-serial. 
But If we pass
something from guest kernelspace to host, I still prefer to touch the 
hypervisor.

Thanks
Wen Congyang
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Avi Kivity 
On 03/14/2012 12:26 PM, Wen Congyang wrote:
  If so, is this channel visible to guest userspace? If the channle is 
  visible to guest
  userspace, the program running in userspace may write the same message to 
  the channel.
 
  
  Surely there's some kind of access control on channels.

 The virtio-serial depends on more things than touching the hypervisor. So I 
 think touching
 the hypervisor is more reliable than using virtio-serial device, and it is 
 very simple and
 easy to use.

 If we pass something from guest userspace to host, we can use virtio-serial. 
 But If we pass
 something from guest kernelspace to host, I still prefer to touch the 
 hypervisor.

There's no argument that it's easier.  My concern is different, we're
adding more and more stuff to the hypervisor because it's easier, which
bloats it.  Every time we do it we add to compatibility and security
problems.

The panic notification is *really* simple, so I don't expect it to cause
a lot of problems.  But still, if it's possible not to change the
hypervisor, we must make an effort in that direction.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Amit Shah 
On (Wed) 14 Mar 2012 [17:53:00], Wen Congyang wrote:
 At 03/14/2012 05:24 PM, Avi Kivity Wrote:
  On 03/14/2012 10:29 AM, Wen Congyang wrote:
  At 03/13/2012 06:47 PM, Avi Kivity Wrote:
  On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
  On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
  On 03/12/2012 11:04 AM, Wen Congyang wrote:
  Do you have any other comments about this patch?
 
 
  Not really, but I'm not 100% convinced the patch is worthwhile.  It's
  likely to only be used by Linux, which has kexec facilities, and you can
  put talk to management via virtio-serial and describe the crash in more
  details than a simple hypercall.
 
  As mentioned before, I don't think virtio-serial is a good fit for this.
  We want something that is simple  guaranteed always available. Using
  virtio-serial requires significant setup work on both the host and guest.
 
  So what?  It needs to be done anyway for the guest agent.
 
  Many management application won't know to make a vioserial device 
  available
  to all guests they create. 
 
  Then they won't know to deal with the panic event either.
 
  Most administrators won't even configure kexec,
  let alone virtio serial on top of it. 
 
  It should be done by the OS vendor, not the individual admin.
 
  The hypercall requires zero host
  side config, and zero guest side config, which IMHO is what we need for
  this feature.
 
  If it was this one feature, yes.  But we keep getting more and more
  features like that and we bloat the hypervisor.  There's a reason we
  have a host-to-guest channel, we should use it.
 
 
  I donot know how to use virtio-serial.
  
  I don't either, copying Amit.
  
  I start vm like this:
  qemu ...\
 -device virtio-serial \
-chardev socket,path=/tmp/foo,server,nowait,id=foo \
-device virtserialport,chardev=foo,name=port1 ...
 
  You said that there are too many channels. Does it mean /tmp/foo is a 
  channel?
  
  Probably.
 
 Hmm, if we use virtio-serial, the guest kernel writes something into the 
 channel when
 the os is panicked. Is it right?

Depends on how you want to use it.  It could be the kernel, or it
could be a userspace program which monitors syslogs for panic
information and passes on that info to the virtio-serial channel.

 If so, is this channel visible to guest userspace? If the channle is visible 
 to guest
 userspace, the program running in userspace may write the same message to the 
 channel.

Access control is via permissions.  You can have udev scripts assign
whatever uid and gid to the port of your interest.  By default, all
ports are only accessible to the root user.

Amit
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Amit Shah 
On (Wed) 14 Mar 2012 [18:04:40], Wen Congyang wrote:
 At 03/14/2012 05:51 PM, Amit Shah Wrote:
  On (Wed) 14 Mar 2012 [16:29:50], Wen Congyang wrote:
  At 03/13/2012 06:47 PM, Avi Kivity Wrote:
  On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
  On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
  On 03/12/2012 11:04 AM, Wen Congyang wrote:
  Do you have any other comments about this patch?
 
 
  Not really, but I'm not 100% convinced the patch is worthwhile.  It's
  likely to only be used by Linux, which has kexec facilities, and you can
  put talk to management via virtio-serial and describe the crash in more
  details than a simple hypercall.
 
  As mentioned before, I don't think virtio-serial is a good fit for this.
  We want something that is simple  guaranteed always available. Using
  virtio-serial requires significant setup work on both the host and guest.
 
  So what?  It needs to be done anyway for the guest agent.
 
  Many management application won't know to make a vioserial device 
  available
  to all guests they create. 
 
  Then they won't know to deal with the panic event either.
 
  Most administrators won't even configure kexec,
  let alone virtio serial on top of it. 
 
  It should be done by the OS vendor, not the individual admin.
 
  The hypercall requires zero host
  side config, and zero guest side config, which IMHO is what we need for
  this feature.
 
  If it was this one feature, yes.  But we keep getting more and more
  features like that and we bloat the hypervisor.  There's a reason we
  have a host-to-guest channel, we should use it.
 
 
  I donot know how to use virtio-serial.
 
  I start vm like this:
  qemu ...\
 -device virtio-serial \
-chardev socket,path=/tmp/foo,server,nowait,id=foo \
-device virtserialport,chardev=foo,name=port1 ...
  
  This is sufficient.  On the host, you can open /tmp/foo using a custom
  program or nc (nc -U /tmp/foo).  On the guest, you can just open
  /dev/virtio-ports/port1 and read/write into it.
 
 I have two questions:
 1. does it OK to open this device when the guest is panicked?

Depends on what kind of panic it is.  If the guest can continue
operations inspite of the panic, it will be possible to write out the
data.

 2. how to prevent the userspace's program using this device?

Mentioned in previous reply.

BTW: an in-kernel API for reading/writing to ports isn't implemented
yet, because there's no user for it as of now.  If you want to write
from the kernel to the host, there are trivial additions to the code
necessary.

(However, I think it's better to do the writing from userspace instead
from the kernel itself).

Amit
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Gleb Natapov 
On Wed, Mar 14, 2012 at 04:10:04PM +0530, Amit Shah wrote:
 On (Wed) 14 Mar 2012 [18:04:40], Wen Congyang wrote:
  At 03/14/2012 05:51 PM, Amit Shah Wrote:
   On (Wed) 14 Mar 2012 [16:29:50], Wen Congyang wrote:
   At 03/13/2012 06:47 PM, Avi Kivity Wrote:
   On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
   On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
   On 03/12/2012 11:04 AM, Wen Congyang wrote:
   Do you have any other comments about this patch?
  
  
   Not really, but I'm not 100% convinced the patch is worthwhile.  It's
   likely to only be used by Linux, which has kexec facilities, and you 
   can
   put talk to management via virtio-serial and describe the crash in 
   more
   details than a simple hypercall.
  
   As mentioned before, I don't think virtio-serial is a good fit for 
   this.
   We want something that is simple  guaranteed always available. Using
   virtio-serial requires significant setup work on both the host and 
   guest.
  
   So what?  It needs to be done anyway for the guest agent.
  
   Many management application won't know to make a vioserial device 
   available
   to all guests they create. 
  
   Then they won't know to deal with the panic event either.
  
   Most administrators won't even configure kexec,
   let alone virtio serial on top of it. 
  
   It should be done by the OS vendor, not the individual admin.
  
   The hypercall requires zero host
   side config, and zero guest side config, which IMHO is what we need for
   this feature.
  
   If it was this one feature, yes.  But we keep getting more and more
   features like that and we bloat the hypervisor.  There's a reason we
   have a host-to-guest channel, we should use it.
  
  
   I donot know how to use virtio-serial.
  
   I start vm like this:
   qemu ...\
  -device virtio-serial \
 -chardev socket,path=/tmp/foo,server,nowait,id=foo \
 -device virtserialport,chardev=foo,name=port1 ...
   
   This is sufficient.  On the host, you can open /tmp/foo using a custom
   program or nc (nc -U /tmp/foo).  On the guest, you can just open
   /dev/virtio-ports/port1 and read/write into it.
  
  I have two questions:
  1. does it OK to open this device when the guest is panicked?
 
 Depends on what kind of panic it is.  If the guest can continue
 operations inspite of the panic, it will be possible to write out the
 data.
 
  2. how to prevent the userspace's program using this device?
 
 Mentioned in previous reply.
 
 BTW: an in-kernel API for reading/writing to ports isn't implemented
 yet, because there's no user for it as of now.  If you want to write
 from the kernel to the host, there are trivial additions to the code
 necessary.
 
 (However, I think it's better to do the writing from userspace instead
 from the kernel itself).
 
In case of panic notifier this is out of question.

--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Gleb Natapov 
On Wed, Mar 14, 2012 at 12:29:57PM +0200, Avi Kivity wrote:
 On 03/14/2012 12:26 PM, Wen Congyang wrote:
   If so, is this channel visible to guest userspace? If the channle is 
   visible to guest
   userspace, the program running in userspace may write the same message 
   to the channel.
  
   
   Surely there's some kind of access control on channels.
 
  The virtio-serial depends on more things than touching the hypervisor. So I 
  think touching
  the hypervisor is more reliable than using virtio-serial device, and it is 
  very simple and
  easy to use.
 
  If we pass something from guest userspace to host, we can use 
  virtio-serial. But If we pass
  something from guest kernelspace to host, I still prefer to touch the 
  hypervisor.
 
 There's no argument that it's easier.  My concern is different, we're
 adding more and more stuff to the hypervisor because it's easier, which
 bloats it.  Every time we do it we add to compatibility and security
 problems.
 
 The panic notification is *really* simple, so I don't expect it to cause
 a lot of problems.  But still, if it's possible not to change the
 hypervisor, we must make an effort in that direction.
 
One more point against using virtio-serial is that it will be likely
compiled as a module which means panic during early boot will not be
reported.

--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Avi Kivity 
On 03/14/2012 12:46 PM, Gleb Natapov wrote:
 On Wed, Mar 14, 2012 at 12:29:57PM +0200, Avi Kivity wrote:
  On 03/14/2012 12:26 PM, Wen Congyang wrote:
If so, is this channel visible to guest userspace? If the channle is 
visible to guest
userspace, the program running in userspace may write the same message 
to the channel.
   

Surely there's some kind of access control on channels.
  
   The virtio-serial depends on more things than touching the hypervisor. So 
   I think touching
   the hypervisor is more reliable than using virtio-serial device, and it 
   is very simple and
   easy to use.
  
   If we pass something from guest userspace to host, we can use 
   virtio-serial. But If we pass
   something from guest kernelspace to host, I still prefer to touch the 
   hypervisor.
  
  There's no argument that it's easier.  My concern is different, we're
  adding more and more stuff to the hypervisor because it's easier, which
  bloats it.  Every time we do it we add to compatibility and security
  problems.
  
  The panic notification is *really* simple, so I don't expect it to cause
  a lot of problems.  But still, if it's possible not to change the
  hypervisor, we must make an effort in that direction.
  
 One more point against using virtio-serial is that it will be likely
 compiled as a module which means panic during early boot will not be
 reported.

I don't think we want to use the driver.  Instead, have a small piece of
code that resets the device and pushes out a string (the panic message?)
without any interrupts etc.

It's still going to be less reliable than a hypercall, I agree.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Wen Congyang 
At 03/14/2012 06:37 PM, Amit Shah Wrote:
 On (Wed) 14 Mar 2012 [17:53:00], Wen Congyang wrote:
 At 03/14/2012 05:24 PM, Avi Kivity Wrote:
 On 03/14/2012 10:29 AM, Wen Congyang wrote:
 At 03/13/2012 06:47 PM, Avi Kivity Wrote:
 On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
 On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
 On 03/12/2012 11:04 AM, Wen Congyang wrote:
 Do you have any other comments about this patch?


 Not really, but I'm not 100% convinced the patch is worthwhile.  It's
 likely to only be used by Linux, which has kexec facilities, and you can
 put talk to management via virtio-serial and describe the crash in more
 details than a simple hypercall.

 As mentioned before, I don't think virtio-serial is a good fit for this.
 We want something that is simple  guaranteed always available. Using
 virtio-serial requires significant setup work on both the host and guest.

 So what?  It needs to be done anyway for the guest agent.

 Many management application won't know to make a vioserial device 
 available
 to all guests they create. 

 Then they won't know to deal with the panic event either.

 Most administrators won't even configure kexec,
 let alone virtio serial on top of it. 

 It should be done by the OS vendor, not the individual admin.

 The hypercall requires zero host
 side config, and zero guest side config, which IMHO is what we need for
 this feature.

 If it was this one feature, yes.  But we keep getting more and more
 features like that and we bloat the hypervisor.  There's a reason we
 have a host-to-guest channel, we should use it.


 I donot know how to use virtio-serial.

 I don't either, copying Amit.

 I start vm like this:
 qemu ...\
-device virtio-serial \
   -chardev socket,path=/tmp/foo,server,nowait,id=foo \
   -device virtserialport,chardev=foo,name=port1 ...

 You said that there are too many channels. Does it mean /tmp/foo is a 
 channel?

 Probably.

 Hmm, if we use virtio-serial, the guest kernel writes something into the 
 channel when
 the os is panicked. Is it right?
 
 Depends on how you want to use it.  It could be the kernel, or it
 could be a userspace program which monitors syslogs for panic
 information and passes on that info to the virtio-serial channel.

When the kernel is panicked, we cannot use userspace program.

 
 If so, is this channel visible to guest userspace? If the channle is visible 
 to guest
 userspace, the program running in userspace may write the same message to 
 the channel.
 
 Access control is via permissions.  You can have udev scripts assign
 whatever uid and gid to the port of your interest.  By default, all
 ports are only accessible to the root user.

We should also prevent root user writing message to this channel if it is
used for panicked notification.

Thanks
Wen Congyang

 
   Amit
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/
 

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Gleb Natapov 
On Wed, Mar 14, 2012 at 06:52:07PM +0800, Wen Congyang wrote:
 At 03/14/2012 06:37 PM, Amit Shah Wrote:
  On (Wed) 14 Mar 2012 [17:53:00], Wen Congyang wrote:
  At 03/14/2012 05:24 PM, Avi Kivity Wrote:
  On 03/14/2012 10:29 AM, Wen Congyang wrote:
  At 03/13/2012 06:47 PM, Avi Kivity Wrote:
  On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
  On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
  On 03/12/2012 11:04 AM, Wen Congyang wrote:
  Do you have any other comments about this patch?
 
 
  Not really, but I'm not 100% convinced the patch is worthwhile.  It's
  likely to only be used by Linux, which has kexec facilities, and you 
  can
  put talk to management via virtio-serial and describe the crash in 
  more
  details than a simple hypercall.
 
  As mentioned before, I don't think virtio-serial is a good fit for 
  this.
  We want something that is simple  guaranteed always available. Using
  virtio-serial requires significant setup work on both the host and 
  guest.
 
  So what?  It needs to be done anyway for the guest agent.
 
  Many management application won't know to make a vioserial device 
  available
  to all guests they create. 
 
  Then they won't know to deal with the panic event either.
 
  Most administrators won't even configure kexec,
  let alone virtio serial on top of it. 
 
  It should be done by the OS vendor, not the individual admin.
 
  The hypercall requires zero host
  side config, and zero guest side config, which IMHO is what we need for
  this feature.
 
  If it was this one feature, yes.  But we keep getting more and more
  features like that and we bloat the hypervisor.  There's a reason we
  have a host-to-guest channel, we should use it.
 
 
  I donot know how to use virtio-serial.
 
  I don't either, copying Amit.
 
  I start vm like this:
  qemu ...\
 -device virtio-serial \
-chardev socket,path=/tmp/foo,server,nowait,id=foo \
-device virtserialport,chardev=foo,name=port1 ...
 
  You said that there are too many channels. Does it mean /tmp/foo is a 
  channel?
 
  Probably.
 
  Hmm, if we use virtio-serial, the guest kernel writes something into the 
  channel when
  the os is panicked. Is it right?
  
  Depends on how you want to use it.  It could be the kernel, or it
  could be a userspace program which monitors syslogs for panic
  information and passes on that info to the virtio-serial channel.
 
 When the kernel is panicked, we cannot use userspace program.
 
  
  If so, is this channel visible to guest userspace? If the channle is 
  visible to guest
  userspace, the program running in userspace may write the same message to 
  the channel.
  
  Access control is via permissions.  You can have udev scripts assign
  whatever uid and gid to the port of your interest.  By default, all
  ports are only accessible to the root user.
 
 We should also prevent root user writing message to this channel if it is
 used for panicked notification.
 
Why? Root user can also call panic hypercall if he wishes so.

--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Avi Kivity 
On 03/14/2012 12:52 PM, Wen Congyang wrote:
  
  If so, is this channel visible to guest userspace? If the channle is 
  visible to guest
  userspace, the program running in userspace may write the same message to 
  the channel.
  
  Access control is via permissions.  You can have udev scripts assign
  whatever uid and gid to the port of your interest.  By default, all
  ports are only accessible to the root user.

 We should also prevent root user writing message to this channel if it is
 used for panicked notification.


Why?  root can easily cause a panic.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Wen Congyang 
At 03/14/2012 06:52 PM, Gleb Natapov Wrote:
 On Wed, Mar 14, 2012 at 06:52:07PM +0800, Wen Congyang wrote:
 At 03/14/2012 06:37 PM, Amit Shah Wrote:
 On (Wed) 14 Mar 2012 [17:53:00], Wen Congyang wrote:
 At 03/14/2012 05:24 PM, Avi Kivity Wrote:
 On 03/14/2012 10:29 AM, Wen Congyang wrote:
 At 03/13/2012 06:47 PM, Avi Kivity Wrote:
 On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
 On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
 On 03/12/2012 11:04 AM, Wen Congyang wrote:
 Do you have any other comments about this patch?


 Not really, but I'm not 100% convinced the patch is worthwhile.  It's
 likely to only be used by Linux, which has kexec facilities, and you 
 can
 put talk to management via virtio-serial and describe the crash in 
 more
 details than a simple hypercall.

 As mentioned before, I don't think virtio-serial is a good fit for 
 this.
 We want something that is simple  guaranteed always available. Using
 virtio-serial requires significant setup work on both the host and 
 guest.

 So what?  It needs to be done anyway for the guest agent.

 Many management application won't know to make a vioserial device 
 available
 to all guests they create. 

 Then they won't know to deal with the panic event either.

 Most administrators won't even configure kexec,
 let alone virtio serial on top of it. 

 It should be done by the OS vendor, not the individual admin.

 The hypercall requires zero host
 side config, and zero guest side config, which IMHO is what we need for
 this feature.

 If it was this one feature, yes.  But we keep getting more and more
 features like that and we bloat the hypervisor.  There's a reason we
 have a host-to-guest channel, we should use it.


 I donot know how to use virtio-serial.

 I don't either, copying Amit.

 I start vm like this:
 qemu ...\
-device virtio-serial \
   -chardev socket,path=/tmp/foo,server,nowait,id=foo \
   -device virtserialport,chardev=foo,name=port1 ...

 You said that there are too many channels. Does it mean /tmp/foo is a 
 channel?

 Probably.

 Hmm, if we use virtio-serial, the guest kernel writes something into the 
 channel when
 the os is panicked. Is it right?

 Depends on how you want to use it.  It could be the kernel, or it
 could be a userspace program which monitors syslogs for panic
 information and passes on that info to the virtio-serial channel.

 When the kernel is panicked, we cannot use userspace program.


 If so, is this channel visible to guest userspace? If the channle is 
 visible to guest
 userspace, the program running in userspace may write the same message to 
 the channel.

 Access control is via permissions.  You can have udev scripts assign
 whatever uid and gid to the port of your interest.  By default, all
 ports are only accessible to the root user.

 We should also prevent root user writing message to this channel if it is
 used for panicked notification.

 Why? Root user can also call panic hypercall if he wishes so.

IIRC, the instruction vmcall needs to run on ring0. The root user is in ring3.

Thanks
Wen Congyang

 
 --
   Gleb.
 

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Wen Congyang 
At 03/14/2012 06:52 PM, Avi Kivity Wrote:
 On 03/14/2012 12:52 PM, Wen Congyang wrote:

 If so, is this channel visible to guest userspace? If the channle is 
 visible to guest
 userspace, the program running in userspace may write the same message to 
 the channel.

 Access control is via permissions.  You can have udev scripts assign
 whatever uid and gid to the port of your interest.  By default, all
 ports are only accessible to the root user.

 We should also prevent root user writing message to this channel if it is
 used for panicked notification.

 
 Why?  root can easily cause a panic.
 

root user can write the same message to virtio-serial while the guest is 
running...

Thanks
Wen Congyang
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Daniel P. Berrange 
On Wed, Mar 14, 2012 at 03:21:14PM +0530, Amit Shah wrote:
 On (Wed) 14 Mar 2012 [16:29:50], Wen Congyang wrote:
  At 03/13/2012 06:47 PM, Avi Kivity Wrote:
   On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
   On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
   On 03/12/2012 11:04 AM, Wen Congyang wrote:
   Do you have any other comments about this patch?
  
  
   Not really, but I'm not 100% convinced the patch is worthwhile.  It's
   likely to only be used by Linux, which has kexec facilities, and you can
   put talk to management via virtio-serial and describe the crash in more
   details than a simple hypercall.
  
   As mentioned before, I don't think virtio-serial is a good fit for this.
   We want something that is simple  guaranteed always available. Using
   virtio-serial requires significant setup work on both the host and guest.
   
   So what?  It needs to be done anyway for the guest agent.
   
   Many management application won't know to make a vioserial device 
   available
   to all guests they create. 
   
   Then they won't know to deal with the panic event either.
   
   Most administrators won't even configure kexec,
   let alone virtio serial on top of it. 
   
   It should be done by the OS vendor, not the individual admin.
   
   The hypercall requires zero host
   side config, and zero guest side config, which IMHO is what we need for
   this feature.
   
   If it was this one feature, yes.  But we keep getting more and more
   features like that and we bloat the hypervisor.  There's a reason we
   have a host-to-guest channel, we should use it.
   
  
  I donot know how to use virtio-serial.
  
  I start vm like this:
  qemu ...\
 -device virtio-serial \
-chardev socket,path=/tmp/foo,server,nowait,id=foo \
-device virtserialport,chardev=foo,name=port1 ...
 
 This is sufficient.  On the host, you can open /tmp/foo using a custom
 program or nc (nc -U /tmp/foo).  On the guest, you can just open
 /dev/virtio-ports/port1 and read/write into it.
 
 See the following links for more details.
 
 https://fedoraproject.org/wiki/Features/VirtioSerial#How_To_Test
 http://www.linux-kvm.org/page/Virtio-serial_API
 
  You said that there are too many channels. Does it mean /tmp/foo is a 
  channel?
 
 You can have several such -device virtserialport.  The -device part
 describes what the guest will see.  The -chardev part ties that to the
 host-side part of the channel.
 
 /tmp/foo is the host end-point for the channel, in the example above,
 and /dev/virtio-ports/port1 is the guest-side end-point.

If we do choose to use virtio-serial for panics (which I don't think
we should), then we should not expose it in the host filesystem. The
host side should be a virtual chardev backend internal to QEMU, in
the same way that 'spicevmc' is handled.

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Amit Shah 
On (Wed) 14 Mar 2012 [18:52:07], Wen Congyang wrote:
 At 03/14/2012 06:37 PM, Amit Shah Wrote:
  On (Wed) 14 Mar 2012 [17:53:00], Wen Congyang wrote:
  At 03/14/2012 05:24 PM, Avi Kivity Wrote:
  On 03/14/2012 10:29 AM, Wen Congyang wrote:
  At 03/13/2012 06:47 PM, Avi Kivity Wrote:
  On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
  On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
  On 03/12/2012 11:04 AM, Wen Congyang wrote:
  Do you have any other comments about this patch?
 
 
  Not really, but I'm not 100% convinced the patch is worthwhile.  It's
  likely to only be used by Linux, which has kexec facilities, and you 
  can
  put talk to management via virtio-serial and describe the crash in 
  more
  details than a simple hypercall.
 
  As mentioned before, I don't think virtio-serial is a good fit for 
  this.
  We want something that is simple  guaranteed always available. Using
  virtio-serial requires significant setup work on both the host and 
  guest.
 
  So what?  It needs to be done anyway for the guest agent.
 
  Many management application won't know to make a vioserial device 
  available
  to all guests they create. 
 
  Then they won't know to deal with the panic event either.
 
  Most administrators won't even configure kexec,
  let alone virtio serial on top of it. 
 
  It should be done by the OS vendor, not the individual admin.
 
  The hypercall requires zero host
  side config, and zero guest side config, which IMHO is what we need for
  this feature.
 
  If it was this one feature, yes.  But we keep getting more and more
  features like that and we bloat the hypervisor.  There's a reason we
  have a host-to-guest channel, we should use it.
 
 
  I donot know how to use virtio-serial.
 
  I don't either, copying Amit.
 
  I start vm like this:
  qemu ...\
 -device virtio-serial \
-chardev socket,path=/tmp/foo,server,nowait,id=foo \
-device virtserialport,chardev=foo,name=port1 ...
 
  You said that there are too many channels. Does it mean /tmp/foo is a 
  channel?
 
  Probably.
 
  Hmm, if we use virtio-serial, the guest kernel writes something into the 
  channel when
  the os is panicked. Is it right?
  
  Depends on how you want to use it.  It could be the kernel, or it
  could be a userspace program which monitors syslogs for panic
  information and passes on that info to the virtio-serial channel.
 
 When the kernel is panicked, we cannot use userspace program.
 
  
  If so, is this channel visible to guest userspace? If the channle is 
  visible to guest
  userspace, the program running in userspace may write the same message to 
  the channel.
  
  Access control is via permissions.  You can have udev scripts assign
  whatever uid and gid to the port of your interest.  By default, all
  ports are only accessible to the root user.
 
 We should also prevent root user writing message to this channel if it is
 used for panicked notification.

Well, if you want a particular channel to be write-only by the kernel,
that can be arranged as well: just don't expose it in /dev/ at all.

Amit
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Gleb Natapov 
On Wed, Mar 14, 2012 at 06:57:59PM +0800, Wen Congyang wrote:
 At 03/14/2012 06:52 PM, Gleb Natapov Wrote:
  On Wed, Mar 14, 2012 at 06:52:07PM +0800, Wen Congyang wrote:
  At 03/14/2012 06:37 PM, Amit Shah Wrote:
  On (Wed) 14 Mar 2012 [17:53:00], Wen Congyang wrote:
  At 03/14/2012 05:24 PM, Avi Kivity Wrote:
  On 03/14/2012 10:29 AM, Wen Congyang wrote:
  At 03/13/2012 06:47 PM, Avi Kivity Wrote:
  On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
  On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
  On 03/12/2012 11:04 AM, Wen Congyang wrote:
  Do you have any other comments about this patch?
 
 
  Not really, but I'm not 100% convinced the patch is worthwhile.  
  It's
  likely to only be used by Linux, which has kexec facilities, and 
  you can
  put talk to management via virtio-serial and describe the crash in 
  more
  details than a simple hypercall.
 
  As mentioned before, I don't think virtio-serial is a good fit for 
  this.
  We want something that is simple  guaranteed always available. Using
  virtio-serial requires significant setup work on both the host and 
  guest.
 
  So what?  It needs to be done anyway for the guest agent.
 
  Many management application won't know to make a vioserial device 
  available
  to all guests they create. 
 
  Then they won't know to deal with the panic event either.
 
  Most administrators won't even configure kexec,
  let alone virtio serial on top of it. 
 
  It should be done by the OS vendor, not the individual admin.
 
  The hypercall requires zero host
  side config, and zero guest side config, which IMHO is what we need 
  for
  this feature.
 
  If it was this one feature, yes.  But we keep getting more and more
  features like that and we bloat the hypervisor.  There's a reason we
  have a host-to-guest channel, we should use it.
 
 
  I donot know how to use virtio-serial.
 
  I don't either, copying Amit.
 
  I start vm like this:
  qemu ...\
 -device virtio-serial \
-chardev socket,path=/tmp/foo,server,nowait,id=foo \
-device virtserialport,chardev=foo,name=port1 ...
 
  You said that there are too many channels. Does it mean /tmp/foo is a 
  channel?
 
  Probably.
 
  Hmm, if we use virtio-serial, the guest kernel writes something into the 
  channel when
  the os is panicked. Is it right?
 
  Depends on how you want to use it.  It could be the kernel, or it
  could be a userspace program which monitors syslogs for panic
  information and passes on that info to the virtio-serial channel.
 
  When the kernel is panicked, we cannot use userspace program.
 
 
  If so, is this channel visible to guest userspace? If the channle is 
  visible to guest
  userspace, the program running in userspace may write the same message 
  to the channel.
 
  Access control is via permissions.  You can have udev scripts assign
  whatever uid and gid to the port of your interest.  By default, all
  ports are only accessible to the root user.
 
  We should also prevent root user writing message to this channel if it is
  used for panicked notification.
 
  Why? Root user can also call panic hypercall if he wishes so.
 
 IIRC, the instruction vmcall needs to run on ring0. The root user is in ring3.
 
And who will stop the root from loading kernel module?
 
--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Daniel P. Berrange 
On Wed, Mar 14, 2012 at 06:58:47PM +0800, Wen Congyang wrote:
 At 03/14/2012 06:52 PM, Avi Kivity Wrote:
  On 03/14/2012 12:52 PM, Wen Congyang wrote:
 
  If so, is this channel visible to guest userspace? If the channle is 
  visible to guest
  userspace, the program running in userspace may write the same message 
  to the channel.
 
  Access control is via permissions.  You can have udev scripts assign
  whatever uid and gid to the port of your interest.  By default, all
  ports are only accessible to the root user.
 
  We should also prevent root user writing message to this channel if it is
  used for panicked notification.
 
  
  Why?  root can easily cause a panic.
  
 
 root user can write the same message to virtio-serial while the guest is 
 running...

Unless you are running a MAC policy which strictly confines the root
account, root can cause a kernel panic regardless of virtio-serial
permissions in the guest:

  echo c  /proc/sysrq-trigger

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Gleb Natapov 
On Wed, Mar 14, 2012 at 06:58:47PM +0800, Wen Congyang wrote:
 At 03/14/2012 06:52 PM, Avi Kivity Wrote:
  On 03/14/2012 12:52 PM, Wen Congyang wrote:
 
  If so, is this channel visible to guest userspace? If the channle is 
  visible to guest
  userspace, the program running in userspace may write the same message 
  to the channel.
 
  Access control is via permissions.  You can have udev scripts assign
  whatever uid and gid to the port of your interest.  By default, all
  ports are only accessible to the root user.
 
  We should also prevent root user writing message to this channel if it is
  used for panicked notification.
 
  
  Why?  root can easily cause a panic.
  
 
 root user can write the same message to virtio-serial while the guest is 
 running...
 
So what?

--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Wen Congyang 
At 03/14/2012 06:57 PM, Daniel P. Berrange Wrote:
 On Wed, Mar 14, 2012 at 03:21:14PM +0530, Amit Shah wrote:
 On (Wed) 14 Mar 2012 [16:29:50], Wen Congyang wrote:
 At 03/13/2012 06:47 PM, Avi Kivity Wrote:
 On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
 On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
 On 03/12/2012 11:04 AM, Wen Congyang wrote:
 Do you have any other comments about this patch?


 Not really, but I'm not 100% convinced the patch is worthwhile.  It's
 likely to only be used by Linux, which has kexec facilities, and you can
 put talk to management via virtio-serial and describe the crash in more
 details than a simple hypercall.

 As mentioned before, I don't think virtio-serial is a good fit for this.
 We want something that is simple  guaranteed always available. Using
 virtio-serial requires significant setup work on both the host and guest.

 So what?  It needs to be done anyway for the guest agent.

 Many management application won't know to make a vioserial device 
 available
 to all guests they create. 

 Then they won't know to deal with the panic event either.

 Most administrators won't even configure kexec,
 let alone virtio serial on top of it. 

 It should be done by the OS vendor, not the individual admin.

 The hypercall requires zero host
 side config, and zero guest side config, which IMHO is what we need for
 this feature.

 If it was this one feature, yes.  But we keep getting more and more
 features like that and we bloat the hypervisor.  There's a reason we
 have a host-to-guest channel, we should use it.


 I donot know how to use virtio-serial.

 I start vm like this:
 qemu ...\
-device virtio-serial \
   -chardev socket,path=/tmp/foo,server,nowait,id=foo \
   -device virtserialport,chardev=foo,name=port1 ...

 This is sufficient.  On the host, you can open /tmp/foo using a custom
 program or nc (nc -U /tmp/foo).  On the guest, you can just open
 /dev/virtio-ports/port1 and read/write into it.

 See the following links for more details.

 https://fedoraproject.org/wiki/Features/VirtioSerial#How_To_Test
 http://www.linux-kvm.org/page/Virtio-serial_API

 You said that there are too many channels. Does it mean /tmp/foo is a 
 channel?

 You can have several such -device virtserialport.  The -device part
 describes what the guest will see.  The -chardev part ties that to the
 host-side part of the channel.

 /tmp/foo is the host end-point for the channel, in the example above,
 and /dev/virtio-ports/port1 is the guest-side end-point.
 
 If we do choose to use virtio-serial for panics (which I don't think
 we should), then we should not expose it in the host filesystem. The
 host side should be a virtual chardev backend internal to QEMU, in
 the same way that 'spicevmc' is handled.

Yes. But we don't decide to choose which now. I prefer to use vmcall.
It is simple and more reliable.

Thanks
Wen Congyang

 
 Regards,
 Daniel

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Wen Congyang 
At 03/14/2012 06:59 PM, Daniel P. Berrange Wrote:
 On Wed, Mar 14, 2012 at 06:58:47PM +0800, Wen Congyang wrote:
 At 03/14/2012 06:52 PM, Avi Kivity Wrote:
 On 03/14/2012 12:52 PM, Wen Congyang wrote:

 If so, is this channel visible to guest userspace? If the channle is 
 visible to guest
 userspace, the program running in userspace may write the same message 
 to the channel.

 Access control is via permissions.  You can have udev scripts assign
 whatever uid and gid to the port of your interest.  By default, all
 ports are only accessible to the root user.

 We should also prevent root user writing message to this channel if it is
 used for panicked notification.


 Why?  root can easily cause a panic.


 root user can write the same message to virtio-serial while the guest is 
 running...
 
 Unless you are running a MAC policy which strictly confines the root
 account, root can cause a kernel panic regardless of virtio-serial
 permissions in the guest:
 
   echo c  /proc/sysrq-trigger

Yes, root user can cause a kernel panic. But if he writes the same message to 
virtio-serial,
the host will see the guest is panicked while the guest is not panicked. The 
host is cheated.

If we use vmcall, and the user causes a kernel panic, we can also know the 
guest is panicked.
It is the thing what we need. We need to know the guest is panicked, and we 
donot aware
why it is panicked. If the guest is not panicked, and the host think the guest 
is panicked, it
is not the thing we need.

Thanks

 
 Regards,
 Daniel

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Wen Congyang 
At 03/14/2012 06:48 PM, Avi Kivity Wrote:
 On 03/14/2012 12:46 PM, Gleb Natapov wrote:
 On Wed, Mar 14, 2012 at 12:29:57PM +0200, Avi Kivity wrote:
 On 03/14/2012 12:26 PM, Wen Congyang wrote:
 If so, is this channel visible to guest userspace? If the channle is 
 visible to guest
 userspace, the program running in userspace may write the same message 
 to the channel.


 Surely there's some kind of access control on channels.

 The virtio-serial depends on more things than touching the hypervisor. So 
 I think touching
 the hypervisor is more reliable than using virtio-serial device, and it is 
 very simple and
 easy to use.

 If we pass something from guest userspace to host, we can use 
 virtio-serial. But If we pass
 something from guest kernelspace to host, I still prefer to touch the 
 hypervisor.

 There's no argument that it's easier.  My concern is different, we're
 adding more and more stuff to the hypervisor because it's easier, which
 bloats it.  Every time we do it we add to compatibility and security
 problems.

 The panic notification is *really* simple, so I don't expect it to cause
 a lot of problems.  But still, if it's possible not to change the
 hypervisor, we must make an effort in that direction.

 One more point against using virtio-serial is that it will be likely
 compiled as a module which means panic during early boot will not be
 reported.
 
 I don't think we want to use the driver.  Instead, have a small piece of
 code that resets the device and pushes out a string (the panic message?)
 without any interrupts etc.
 
 It's still going to be less reliable than a hypercall, I agree.

Do you still want to use complicated and less reliable way?

I think the other ones prefer to touch the hypervisor.

Thanks
Wen Congyang

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Gleb Natapov 
On Wed, Mar 14, 2012 at 07:06:50PM +0800, Wen Congyang wrote:
 At 03/14/2012 06:59 PM, Daniel P. Berrange Wrote:
  On Wed, Mar 14, 2012 at 06:58:47PM +0800, Wen Congyang wrote:
  At 03/14/2012 06:52 PM, Avi Kivity Wrote:
  On 03/14/2012 12:52 PM, Wen Congyang wrote:
 
  If so, is this channel visible to guest userspace? If the channle is 
  visible to guest
  userspace, the program running in userspace may write the same message 
  to the channel.
 
  Access control is via permissions.  You can have udev scripts assign
  whatever uid and gid to the port of your interest.  By default, all
  ports are only accessible to the root user.
 
  We should also prevent root user writing message to this channel if it is
  used for panicked notification.
 
 
  Why?  root can easily cause a panic.
 
 
  root user can write the same message to virtio-serial while the guest is 
  running...
  
  Unless you are running a MAC policy which strictly confines the root
  account, root can cause a kernel panic regardless of virtio-serial
  permissions in the guest:
  
echo c  /proc/sysrq-trigger
 
 Yes, root user can cause a kernel panic. But if he writes the same message to 
 virtio-serial,
 the host will see the guest is panicked while the guest is not panicked. The 
 host is cheated.
 
And why is this a problem? If root in a guest wants to cheat host like
that there is no way to stop him. He can load kernel module and do
whatever he wants. Management should treat that condition as if guest
panicked.

 If we use vmcall, and the user causes a kernel panic, we can also know the 
 guest is panicked.
 It is the thing what we need. We need to know the guest is panicked, and we 
 donot aware
 why it is panicked. If the guest is not panicked, and the host think the 
 guest is panicked, it
 is not the thing we need.
 
Then you cannot get the thing you need and you can as well stop trying.

--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Wen Congyang 
At 03/14/2012 06:58 PM, Gleb Natapov Wrote:
 On Wed, Mar 14, 2012 at 06:57:59PM +0800, Wen Congyang wrote:
 At 03/14/2012 06:52 PM, Gleb Natapov Wrote:
 On Wed, Mar 14, 2012 at 06:52:07PM +0800, Wen Congyang wrote:
 At 03/14/2012 06:37 PM, Amit Shah Wrote:
 On (Wed) 14 Mar 2012 [17:53:00], Wen Congyang wrote:
 At 03/14/2012 05:24 PM, Avi Kivity Wrote:
 On 03/14/2012 10:29 AM, Wen Congyang wrote:
 At 03/13/2012 06:47 PM, Avi Kivity Wrote:
 On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
 On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
 On 03/12/2012 11:04 AM, Wen Congyang wrote:
 Do you have any other comments about this patch?


 Not really, but I'm not 100% convinced the patch is worthwhile.  
 It's
 likely to only be used by Linux, which has kexec facilities, and 
 you can
 put talk to management via virtio-serial and describe the crash in 
 more
 details than a simple hypercall.

 As mentioned before, I don't think virtio-serial is a good fit for 
 this.
 We want something that is simple  guaranteed always available. Using
 virtio-serial requires significant setup work on both the host and 
 guest.

 So what?  It needs to be done anyway for the guest agent.

 Many management application won't know to make a vioserial device 
 available
 to all guests they create. 

 Then they won't know to deal with the panic event either.

 Most administrators won't even configure kexec,
 let alone virtio serial on top of it. 

 It should be done by the OS vendor, not the individual admin.

 The hypercall requires zero host
 side config, and zero guest side config, which IMHO is what we need 
 for
 this feature.

 If it was this one feature, yes.  But we keep getting more and more
 features like that and we bloat the hypervisor.  There's a reason we
 have a host-to-guest channel, we should use it.


 I donot know how to use virtio-serial.

 I don't either, copying Amit.

 I start vm like this:
 qemu ...\
-device virtio-serial \
   -chardev socket,path=/tmp/foo,server,nowait,id=foo \
   -device virtserialport,chardev=foo,name=port1 ...

 You said that there are too many channels. Does it mean /tmp/foo is a 
 channel?

 Probably.

 Hmm, if we use virtio-serial, the guest kernel writes something into the 
 channel when
 the os is panicked. Is it right?

 Depends on how you want to use it.  It could be the kernel, or it
 could be a userspace program which monitors syslogs for panic
 information and passes on that info to the virtio-serial channel.

 When the kernel is panicked, we cannot use userspace program.


 If so, is this channel visible to guest userspace? If the channle is 
 visible to guest
 userspace, the program running in userspace may write the same message 
 to the channel.

 Access control is via permissions.  You can have udev scripts assign
 whatever uid and gid to the port of your interest.  By default, all
 ports are only accessible to the root user.

 We should also prevent root user writing message to this channel if it is
 used for panicked notification.

 Why? Root user can also call panic hypercall if he wishes so.

 IIRC, the instruction vmcall needs to run on ring0. The root user is in 
 ring3.

 And who will stop the root from loading kernel module?

Yes, I forgot this.

Thanks
Wen Congyang

  
 --
   Gleb.
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/
 

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Daniel P. Berrange 
On Wed, Mar 14, 2012 at 07:06:50PM +0800, Wen Congyang wrote:
 At 03/14/2012 06:59 PM, Daniel P. Berrange Wrote:
  On Wed, Mar 14, 2012 at 06:58:47PM +0800, Wen Congyang wrote:
  At 03/14/2012 06:52 PM, Avi Kivity Wrote:
  On 03/14/2012 12:52 PM, Wen Congyang wrote:
 
  If so, is this channel visible to guest userspace? If the channle is 
  visible to guest
  userspace, the program running in userspace may write the same message 
  to the channel.
 
  Access control is via permissions.  You can have udev scripts assign
  whatever uid and gid to the port of your interest.  By default, all
  ports are only accessible to the root user.
 
  We should also prevent root user writing message to this channel if it is
  used for panicked notification.
 
 
  Why?  root can easily cause a panic.
 
 
  root user can write the same message to virtio-serial while the guest is 
  running...
  
  Unless you are running a MAC policy which strictly confines the root
  account, root can cause a kernel panic regardless of virtio-serial
  permissions in the guest:
  
echo c  /proc/sysrq-trigger
 
 Yes, root user can cause a kernel panic. But if he writes the same message to 
 virtio-serial,
 the host will see the guest is panicked while the guest is not panicked. The 
 host is cheated.

The host mgmt layer must *ALWAYS* expect that any information originating
from the guest is bogus. It must never trust the guest info. So regardless
of the implementation, you have to expect that the guest might have lied
to you about it being crashed. The same is true even of Xen's panic notifier.

So if an application is automatically triggering core dumps based on this
panic notification, it needs to be aware that the guest can lie and take
steps to avoid the guest causing a DOS attack on the host. Most likely
by rate limiting the frequency of core dumps per guest, and/or setting a
max core dump storage quota per guest.

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Avi Kivity 
On 03/14/2012 01:11 PM, Wen Congyang wrote:
  
  I don't think we want to use the driver.  Instead, have a small piece of
  code that resets the device and pushes out a string (the panic message?)
  without any interrupts etc.
  
  It's still going to be less reliable than a hypercall, I agree.

 Do you still want to use complicated and less reliable way?

Are you willing to try it out and see how complicated it really is?

While it's more complicated, it's also more flexible.  You can
communicate the panic message, whether the guest is attempting a kdump
and its own recovery or whether it wants the host to do it, etc., you
can communicate less severe failures like oopses.

 I think the other ones prefer to touch the hypervisor.

I understand the sentiment.  Your patches are simple and easy.  But my
feeling is that the kernel has become too complicated already and I'm
looking for ways to limit changes.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Avi Kivity 
On 03/14/2012 03:07 PM, Avi Kivity wrote:
 On 03/14/2012 01:11 PM, Wen Congyang wrote:
   
   I don't think we want to use the driver.  Instead, have a small piece of
   code that resets the device and pushes out a string (the panic message?)
   without any interrupts etc.
   
   It's still going to be less reliable than a hypercall, I agree.
 
  Do you still want to use complicated and less reliable way?

 Are you willing to try it out and see how complicated it really is?

 While it's more complicated, it's also more flexible.  You can
 communicate the panic message, whether the guest is attempting a kdump
 and its own recovery or whether it wants the host to do it, etc., you
 can communicate less severe failures like oopses.

Note, this is similar to how network drivers have a special path (no
interrupts) for netconsole output, this is used during panic as well.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Gleb Natapov 
On Wed, Mar 14, 2012 at 03:07:46PM +0200, Avi Kivity wrote:
 On 03/14/2012 01:11 PM, Wen Congyang wrote:
   
   I don't think we want to use the driver.  Instead, have a small piece of
   code that resets the device and pushes out a string (the panic message?)
   without any interrupts etc.
   
   It's still going to be less reliable than a hypercall, I agree.
 
  Do you still want to use complicated and less reliable way?
 
 Are you willing to try it out and see how complicated it really is?
 
 While it's more complicated, it's also more flexible.  You can
 communicate the panic message, whether the guest is attempting a kdump
 and its own recovery or whether it wants the host to do it, etc., you
 can communicate less severe failures like oopses.
 
hypercall can take arguments to achieve the same.

  I think the other ones prefer to touch the hypervisor.
 
 I understand the sentiment.  Your patches are simple and easy.  But my
 feeling is that the kernel has become too complicated already and I'm
 looking for ways to limit changes.
 
Using virtio-serial will not reduce kernel complexity. Quite contrary
since code that will use virtio-serial will be more complicated.

--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Avi Kivity 
On 03/14/2012 03:14 PM, Gleb Natapov wrote:
 On Wed, Mar 14, 2012 at 03:07:46PM +0200, Avi Kivity wrote:
  On 03/14/2012 01:11 PM, Wen Congyang wrote:

I don't think we want to use the driver.  Instead, have a small piece of
code that resets the device and pushes out a string (the panic message?)
without any interrupts etc.

It's still going to be less reliable than a hypercall, I agree.
  
   Do you still want to use complicated and less reliable way?
  
  Are you willing to try it out and see how complicated it really is?
  
  While it's more complicated, it's also more flexible.  You can
  communicate the panic message, whether the guest is attempting a kdump
  and its own recovery or whether it wants the host to do it, etc., you
  can communicate less severe failures like oopses.
  
 hypercall can take arguments to achieve the same.

It has to be designed in advance; and every time we notice something's
missing we have to update the host kernel.

   I think the other ones prefer to touch the hypervisor.
  
  I understand the sentiment.  Your patches are simple and easy.  But my
  feeling is that the kernel has become too complicated already and I'm
  looking for ways to limit changes.
  
 Using virtio-serial will not reduce kernel complexity. Quite contrary
 since code that will use virtio-serial will be more complicated.

The host kernel is unmodified though.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Gleb Natapov 
On Wed, Mar 14, 2012 at 03:16:05PM +0200, Avi Kivity wrote:
 On 03/14/2012 03:14 PM, Gleb Natapov wrote:
  On Wed, Mar 14, 2012 at 03:07:46PM +0200, Avi Kivity wrote:
   On 03/14/2012 01:11 PM, Wen Congyang wrote:
 
 I don't think we want to use the driver.  Instead, have a small piece 
 of
 code that resets the device and pushes out a string (the panic 
 message?)
 without any interrupts etc.
 
 It's still going to be less reliable than a hypercall, I agree.
   
Do you still want to use complicated and less reliable way?
   
   Are you willing to try it out and see how complicated it really is?
   
   While it's more complicated, it's also more flexible.  You can
   communicate the panic message, whether the guest is attempting a kdump
   and its own recovery or whether it wants the host to do it, etc., you
   can communicate less severe failures like oopses.
   
  hypercall can take arguments to achieve the same.
 
 It has to be designed in advance; and every time we notice something's
 missing we have to update the host kernel.
 

We and in the designed stage now. Not to late to design something flexible
:) Panic hypercall can take GPA of a buffer where host puts panic info
as a parameter.  This buffer can be read by QEMU and passed to management.

I think the other ones prefer to touch the hypervisor.
   
   I understand the sentiment.  Your patches are simple and easy.  But my
   feeling is that the kernel has become too complicated already and I'm
   looking for ways to limit changes.
   
  Using virtio-serial will not reduce kernel complexity. Quite contrary
  since code that will use virtio-serial will be more complicated.
 
 The host kernel is unmodified though.
 
Yes, this is trade-off between complexity in hypervisor and a guest
kernel. But in the end we use the same kernel for both.

--
Gleb.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-14 Thread Eric Northup 
On Wed, Mar 14, 2012 at 6:25 AM, Gleb Natapov g...@redhat.com wrote:
 On Wed, Mar 14, 2012 at 03:16:05PM +0200, Avi Kivity wrote:
 On 03/14/2012 03:14 PM, Gleb Natapov wrote:
  On Wed, Mar 14, 2012 at 03:07:46PM +0200, Avi Kivity wrote:
   On 03/14/2012 01:11 PM, Wen Congyang wrote:

 I don't think we want to use the driver.  Instead, have a small 
 piece of
 code that resets the device and pushes out a string (the panic 
 message?)
 without any interrupts etc.

 It's still going to be less reliable than a hypercall, I agree.
   
Do you still want to use complicated and less reliable way?
  
   Are you willing to try it out and see how complicated it really is?
  
   While it's more complicated, it's also more flexible.  You can
   communicate the panic message, whether the guest is attempting a kdump
   and its own recovery or whether it wants the host to do it, etc., you
   can communicate less severe failures like oopses.
  
  hypercall can take arguments to achieve the same.

 It has to be designed in advance; and every time we notice something's
 missing we have to update the host kernel.


 We and in the designed stage now. Not to late to design something flexible
 :) Panic hypercall can take GPA of a buffer where host puts panic info
 as a parameter.  This buffer can be read by QEMU and passed to management.

If a host kernel change is in the works, I think it might be cleanest
to have the host kernel export a new kind of VCPU exit for
unhandled-by-KVM hypercalls.  Then usermode can respond to the
hypercall as appropriate.  This would permit adding or changing future
hypercalls without host kernel changes.

Guest panic is almost the definition of not-a-fast-path, and so
what's the reason to handle it in the host kernel.

Punting the functionality to user-space isn't a magic bullet for
getting a good interface designed, but in my opinion it is a better
place to be doing this.
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-13 Thread Wen Congyang 
At 03/12/2012 06:33 PM, Avi Kivity Wrote:
 On 03/12/2012 11:04 AM, Wen Congyang wrote:
 Do you have any other comments about this patch?

 
 Not really, but I'm not 100% convinced the patch is worthwhile.  It's
 likely to only be used by Linux, which has kexec facilities, and you can
 put talk to management via virtio-serial and describe the crash in more
 details than a simple hypercall.

Hmm, can we use virtio-serial to talk with not-linux OS? I guess the answer
is no. If so, virtio-serial is also used by linux.

Another problem is: virtio-serial is available on many deployed versions
but the guest must have virtio-serial device. So we cannot know the guest
is panicked if it does not have virtio-serial device while the hypercall does
not depend on any device.

Thanks
Wen Congyang
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-13 Thread Avi Kivity 
On 03/13/2012 08:44 AM, Wen Congyang wrote:
 At 03/12/2012 06:33 PM, Avi Kivity Wrote:
  On 03/12/2012 11:04 AM, Wen Congyang wrote:
  Do you have any other comments about this patch?
 
  
  Not really, but I'm not 100% convinced the patch is worthwhile.  It's
  likely to only be used by Linux, which has kexec facilities, and you can
  put talk to management via virtio-serial and describe the crash in more
  details than a simple hypercall.

 Hmm, can we use virtio-serial to talk with not-linux OS? I guess the answer
 is no. If so, virtio-serial is also used by linux.

You can use virtio-serial with any guest that has a driver.  There are
drivers available for Windows.

 Another problem is: virtio-serial is available on many deployed versions
 but the guest must have virtio-serial device. So we cannot know the guest
 is panicked if it does not have virtio-serial device while the hypercall does
 not depend on any device.


The hypercall implementation must exist in the hypervisor.

virtio-serial is used by the guest agent, so it's likely to be
availalble in all cloud or data center deployments.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-13 Thread Daniel P. Berrange 
On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
 On 03/12/2012 11:04 AM, Wen Congyang wrote:
  Do you have any other comments about this patch?
 
 
 Not really, but I'm not 100% convinced the patch is worthwhile.  It's
 likely to only be used by Linux, which has kexec facilities, and you can
 put talk to management via virtio-serial and describe the crash in more
 details than a simple hypercall.

As mentioned before, I don't think virtio-serial is a good fit for this.
We want something that is simple  guaranteed always available. Using
virtio-serial requires significant setup work on both the host and guest.
Many management application won't know to make a vioserial device available
to all guests they create. Most administrators won't even configure kexec,
let alone virtio serial on top of it. The hypercall requires zero host
side config, and zero guest side config, which IMHO is what we need for
this feature.


Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-13 Thread Avi Kivity 
On 03/13/2012 11:18 AM, Daniel P. Berrange wrote:
 On Mon, Mar 12, 2012 at 12:33:33PM +0200, Avi Kivity wrote:
  On 03/12/2012 11:04 AM, Wen Congyang wrote:
   Do you have any other comments about this patch?
  
  
  Not really, but I'm not 100% convinced the patch is worthwhile.  It's
  likely to only be used by Linux, which has kexec facilities, and you can
  put talk to management via virtio-serial and describe the crash in more
  details than a simple hypercall.

 As mentioned before, I don't think virtio-serial is a good fit for this.
 We want something that is simple  guaranteed always available. Using
 virtio-serial requires significant setup work on both the host and guest.

So what?  It needs to be done anyway for the guest agent.

 Many management application won't know to make a vioserial device available
 to all guests they create. 

Then they won't know to deal with the panic event either.

 Most administrators won't even configure kexec,
 let alone virtio serial on top of it. 

It should be done by the OS vendor, not the individual admin.

 The hypercall requires zero host
 side config, and zero guest side config, which IMHO is what we need for
 this feature.

If it was this one feature, yes.  But we keep getting more and more
features like that and we bloat the hypervisor.  There's a reason we
have a host-to-guest channel, we should use it.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-12 Thread Wen Congyang 
At 03/09/2012 09:21 AM, Wen Congyang Wrote:
 At 03/08/2012 07:13 PM, Avi Kivity Wrote:
 On 03/08/2012 09:57 AM, Wen Congyang wrote:
 We can know the guest is paniced when the guest runs on xen.
 But we do not have such feature on kvm.

 Another purpose of this feature is: management app(for example:
 libvirt) can do auto dump when the guest is crashed. If management
 app does not do auto dump, the guest's user can do dump by hand if
 he sees the guest is paniced.

 I touch the hypervisor instead of using virtio-serial, because
 1. it is simple
 2. the virtio-serial is an optional device, and the guest may
not have such device.

 Changes from v2 to v3:
 1. correct spelling

 Changes from v1 to v2:
 1. split up host and guest-side changes
 2. introduce new request flag to avoid changing return values.

 I see no Documentation/ changes.

Do you have any other comments about this patch?

 
 What shoude be writen into Documentation/? I read the documents under
 Documentation/virtual/kvm, not all KVM_EXIT_* are writen in api.txt.
 In this patch set, I introduce a new exit_reason: KVM_EXIT_GUEST_PANICKED,
 but I donot know where I should write.

What about this?

Thanks
Wen Congyang

 
 Thanks
 Wen Congyang
 --
 To unsubscribe from this list: send the line unsubscribe linux-kernel in
 the body of a message to majord...@vger.kernel.org
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/
 

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-12 Thread Avi Kivity 
On 03/09/2012 03:21 AM, Wen Congyang wrote:
 
  Changes from v2 to v3:
  1. correct spelling
 
  Changes from v1 to v2:
  1. split up host and guest-side changes
  2. introduce new request flag to avoid changing return values.
  
  I see no Documentation/ changes.

 What shoude be writen into Documentation/? I read the documents under
 Documentation/virtual/kvm, not all KVM_EXIT_* are writen in api.txt.
 In this patch set, I introduce a new exit_reason: KVM_EXIT_GUEST_PANICKED,
 but I donot know where I should write.

Describe the exit (why it happens).  Also document the new hypercall. 
If there is no good place for it, start a new file.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-12 Thread Avi Kivity 
On 03/12/2012 11:04 AM, Wen Congyang wrote:
 Do you have any other comments about this patch?


Not really, but I'm not 100% convinced the patch is worthwhile.  It's
likely to only be used by Linux, which has kexec facilities, and you can
put talk to management via virtio-serial and describe the crash in more
details than a simple hypercall.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-08 Thread Avi Kivity 
On 03/08/2012 09:57 AM, Wen Congyang wrote:
 We can know the guest is paniced when the guest runs on xen.
 But we do not have such feature on kvm.

 Another purpose of this feature is: management app(for example:
 libvirt) can do auto dump when the guest is crashed. If management
 app does not do auto dump, the guest's user can do dump by hand if
 he sees the guest is paniced.

 I touch the hypervisor instead of using virtio-serial, because
 1. it is simple
 2. the virtio-serial is an optional device, and the guest may
not have such device.

 Changes from v2 to v3:
 1. correct spelling

 Changes from v1 to v2:
 1. split up host and guest-side changes
 2. introduce new request flag to avoid changing return values.

I see no Documentation/ changes.

-- 
error compiling committee.c: too many arguments to function

--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2 v3] kvm: notify host when guest panicked

2012-03-08 Thread Wen Congyang 
At 03/08/2012 07:13 PM, Avi Kivity Wrote:
 On 03/08/2012 09:57 AM, Wen Congyang wrote:
 We can know the guest is paniced when the guest runs on xen.
 But we do not have such feature on kvm.

 Another purpose of this feature is: management app(for example:
 libvirt) can do auto dump when the guest is crashed. If management
 app does not do auto dump, the guest's user can do dump by hand if
 he sees the guest is paniced.

 I touch the hypervisor instead of using virtio-serial, because
 1. it is simple
 2. the virtio-serial is an optional device, and the guest may
not have such device.

 Changes from v2 to v3:
 1. correct spelling

 Changes from v1 to v2:
 1. split up host and guest-side changes
 2. introduce new request flag to avoid changing return values.
 
 I see no Documentation/ changes.

What shoude be writen into Documentation/? I read the documents under
Documentation/virtual/kvm, not all KVM_EXIT_* are writen in api.txt.
In this patch set, I introduce a new exit_reason: KVM_EXIT_GUEST_PANICKED,
but I donot know where I should write.

Thanks
Wen Congyang
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html