[libvirt] [PATCH v2 3/4] Add a mutex to serialize updates to firewall
Daniel P. Berrange
berrange at redhat.com
Tue Jan 28 11:15:18 UTC 2014
On Mon, Jan 27, 2014 at 04:50:56PM -0500, Stefan Berger wrote:
> On 01/27/2014 12:18 PM, Daniel P. Berrange wrote:
> >The nwfilter conf update mutex previously serialized
> >updates to the internal data structures for firewall
> >rules, and updates to the firewall itself. Since the
>
> Hm, wasn't aware (anymore) of this double-purpose.
It wasn't entirely clear to me either, but I am right in
believing that it isn't safe to have multiple threads all
creating iptables rules for different VMs at the same
time, aren't I ?
> I also hadn't looked at this patch in the first round...
>
> >former is going to be turned into a read/write lock
> >instead of a mutex, a new lock is required to serialize
> >access to the firewall itself.
> >
> >With this new lock, the lock ordering rules will be
> >for virNWFilter{Define,Undefine}
> >
> > 1. nwfilter driver lock
> > 2. nwfilter update lock
>
>
> Insert: 3. nwfilter callback drivers lock
>
> This is then used in this order also by nwfilterStateReload
>
>
> > 3. virt driver lock
> > 4. domain object lock
> > 5. gentech driver lock
> >
> >and VM start
> >
> > 1. nwfilter update lock
> > 2. virt driver lock
> > 3. domain object lock
> > 4. gentech driver lock
> >
> >Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> >---
> > src/nwfilter/nwfilter_driver.c | 4 +++-
> > src/nwfilter/nwfilter_gentech_driver.c | 19 +++++++++++++++++--
> > src/nwfilter/nwfilter_gentech_driver.h | 2 +-
> > 3 files changed, 21 insertions(+), 4 deletions(-)
> >
> >diff --git a/src/nwfilter/nwfilter_gentech_driver.c b/src/nwfilter/nwfilter_gentech_driver.c
> >index 89913cf8..d500963 100644
> >--- a/src/nwfilter/nwfilter_gentech_driver.c
> >+++ b/src/nwfilter/nwfilter_gentech_driver.c
> >@@ -936,6 +943,7 @@ _virNWFilterInstantiateFilter(virNWFilterDriverStatePtr driver,
> > int rc;
> >
> > virNWFilterLockFilterUpdates();
> >+ virMutexLock(&updateMutex);
>
>
> Since the filter updates lock had the two purposes before, you are
> now introducing a separate lock to assign a purpose to each lock.
> Further below you are preventing concurrent teardowns to this here.
>
> I am wondering how much further down this lock here could actually
> be pushed. This and the other function
> (virNWFilterInstantiateFilterLate) where you place this lock are
> calling __virNWFilterInstantiateFilter and nothing else calls that
> function [and the filter read protection above the lock call will
> remain]. So I think this lock could be placed inside
> __virNWFilterInstantiateFilter(). Also looking at that function I am
> not sure whether there is anything worth protecting using this newly
> introduced lock then. It ends up calling virNWFilterInstantiate().
> Here I would be a bit careful with the threads being started to
> learn the IP addresses. So maybe this function could be the place
> where to serialize access. What's your take?
The callgraph showed the three entry points into this area of
code look like:
virNWFilterInstantiateFilterLate virNWFilterInstantiateFilter virNWFilterTeardownFilter
| | |
+-------------------------|-----+ |
| +------------+ | |
| | | |
V V V V
_virNWFilterInstantiateFilter _virNWFilterTeardownFilter
Looking at the code I don't see how it is safe to allow teardown to
happen in parallel with instantiate. The teardown code could confuse
and conflict with the instantiate code causing it to fail I believe.
In particular a VM could exit causing QEMU to request teardown, while
the DHCP snoop thread is in the middle of re-creating the iptables
ruleset for a VM, so we surely require serialization of modifications
to iptables.
I could, push the locking down one level, but it wouldn't change the
level of serialization, and the lock calls are clearer at the level
of the code I have them I believe.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list