docs/kbase/internals/qemu-threads.rst


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338

QEMU Driver Threading: The Rules
================================

.. contents::

This document describes how thread safety is ensured throughout
the QEMU driver. The criteria for this model are:

 - Objects must never be exclusively locked for any prolonged time
 - Code which sleeps must be able to time out after suitable period
 - Must be safe against dispatch of asynchronous events from monitor

Basic locking primitives
------------------------

There are a number of locks on various objects

  ``virQEMUDriver``

    The ``qemu_conf.h`` file has inline comments describing the locking
    needs for each field. Any field marked immutable, self-locking
    can be accessed without the driver lock. For other fields there
    are typically helper APIs in ``qemu_conf.c`` that provide serialized
    access to the data. No code outside ``qemu_conf.c`` should ever
    acquire this lock

  ``virDomainObj``

    Will be locked and the reference counter will be increased after calling
    any of the ``virDomainObjListFindBy{ID,Name,UUID}`` methods. The preferred way
    of decrementing the reference counter and unlocking the domain is using the
    ``virDomainObjEndAPI()`` function.

    Lock must be held when changing/reading any variable in the ``virDomainObj``

    This lock must not be held for anything which sleeps/waits (i.e. monitor
    commands).


  ``qemuMonitorPrivatePtr`` job conditions

    Since ``virDomainObj`` lock must not be held during sleeps, the job
    conditions provide additional protection for code making updates.

    QEMU driver uses three kinds of job conditions: asynchronous, agent
    and normal.

    Asynchronous job condition is used for long running jobs (such as
    migration) that consist of several monitor commands and it is
    desirable to allow calling a limited set of other monitor commands
    while such job is running.  This allows clients to, e.g., query
    statistical data, cancel the job, or change parameters of the job.

    Normal job condition is used by all other jobs to get exclusive
    access to the monitor and also by every monitor command issued by an
    asynchronous job.  When acquiring normal job condition, the job must
    specify what kind of action it is about to take and this is checked
    against the allowed set of jobs in case an asynchronous job is
    running.  If the job is incompatible with current asynchronous job,
    it needs to wait until the asynchronous job ends and try to acquire
    the job again.

    Agent job condition is then used when thread wishes to talk to qemu
    agent monitor. It is possible to acquire just agent job
    (``virDomainObjBeginAgentJob``), or only normal job (``virDomainObjBeginJob``)
    but not both at the same time. Holding an agent job and a normal job would
    allow an unresponsive or malicious agent to block normal libvirt API and
    potentially result in a denial of service. Which type of job to grab
    depends whether caller wishes to communicate only with agent socket, or
    only with qemu monitor socket.

    Immediately after acquiring the ``virDomainObj`` lock, any method
    which intends to update state must acquire asynchronous, normal or
    agent job . The ``virDomainObj`` lock is released while blocking on
    these condition variables.  Once the job condition is acquired, a
    method can safely release the ``virDomainObj`` lock whenever it hits
    a piece of code which may sleep/wait, and re-acquire it after the
    sleep/wait.  Whenever an asynchronous job wants to talk to the
    monitor, it needs to acquire nested job (a special kind of normal
    job) to obtain exclusive access to the monitor.

    Since the ``virDomainObj`` lock was dropped while waiting for the
    job condition, it is possible that the domain is no longer active
    when the condition is finally obtained.  The monitor lock is only
    safe to grab after verifying that the domain is still active.


  ``qemuMonitor`` mutex

    Lock to be used when invoking any monitor command to ensure safety
    wrt any asynchronous events that may be dispatched from the monitor.
    It should be acquired before running a command.

    The job condition *MUST* be held before acquiring the monitor lock

    The ``virDomainObj`` lock *MUST* be held before acquiring the monitor
    lock.

    The ``virDomainObj`` lock *MUST* then be released when invoking the
    monitor command.


Helper methods
--------------

To lock the ``virDomainObj``

  ``virObjectLock()``
    - Acquires the ``virDomainObj`` lock

  ``virObjectUnlock()``
    - Releases the ``virDomainObj`` lock


To acquire the normal job condition

  ``virDomainObjBeginJob()``
    - Waits until the job is compatible with current async job or no
      async job is running
    - Waits for ``job.cond`` condition ``job.active != 0`` using ``virDomainObj``
      mutex
    - Rechecks if the job is still compatible and repeats waiting if it
      isn't
    - Sets ``job.active`` to the job type

  ``virDomainObjEndJob()``
    - Sets job.active to 0
    - Signals on job.cond condition


To acquire the agent job condition

  ``virDomainObjBeginAgentJob()``
    - Waits until there is no other agent job set
    - Sets ``job.agentActive`` to the job type

  ``virDomainObjEndAgentJob()``
    - Sets ``job.agentActive`` to 0
    - Signals on ``job.cond`` condition


To acquire the asynchronous job condition

  ``virDomainObjBeginAsyncJob()``
    - Waits until no async job is running
    - Waits for ``job.cond`` condition ``job.active != 0`` using ``virDomainObj``
      mutex
    - Rechecks if any async job was started while waiting on ``job.cond``
      and repeats waiting in that case
    - Sets ``job.asyncJob`` to the asynchronous job type

  ``virDomainObjEndAsyncJob()``
    - Sets ``job.asyncJob`` to 0
    - Broadcasts on ``job.asyncCond`` condition


To acquire the QEMU monitor lock

  ``qemuDomainObjEnterMonitor()``
    - Acquires the ``qemuMonitorObj`` lock
    - Releases the ``virDomainObj`` lock

  ``qemuDomainObjExitMonitor()``
    - Releases the ``qemuMonitorObj`` lock
    - Acquires the ``virDomainObj`` lock

  These functions must not be used by an asynchronous job.


To acquire the QEMU monitor lock as part of an asynchronous job

  ``qemuDomainObjEnterMonitorAsync()``
    - Validates that the right async job is still running
    - Acquires the ``qemuMonitorObj`` lock
    - Releases the ``virDomainObj`` lock
    - Validates that the VM is still active

  qemuDomainObjExitMonitor()
    - Releases the ``qemuMonitorObj`` lock
    - Acquires the ``virDomainObj`` lock

  These functions are for use inside an asynchronous job; the caller
  must check for a return of -1 (VM not running, so nothing to exit).
  Helper functions may also call this with ``VIR_ASYNC_JOB_NONE`` when
  used from a sync job (such as when first starting a domain).


To keep a domain alive while waiting on a remote command

  ``qemuDomainObjEnterRemote()``
    - Releases the ``virDomainObj`` lock

  ``qemuDomainObjExitRemote()``
    - Acquires the ``virDomainObj`` lock


Design patterns
---------------

 * Accessing something directly to do with a ``virDomainObj``::

     virDomainObj *obj;

     obj = qemuDomObjFromDomain(dom);

     ...do work...

     virDomainObjEndAPI(&obj);


 * Updating something directly to do with a ``virDomainObj``::

     virDomainObj *obj;

     obj = qemuDomObjFromDomain(dom);

     virDomainObjBeginJob(obj, VIR_JOB_TYPE);

     ...do work...

     virDomainObjEndJob(obj);

     virDomainObjEndAPI(&obj);


 * Invoking a monitor command on a ``virDomainObj``::

     virDomainObj *obj;
     qemuDomainObjPrivate *priv;

     obj = qemuDomObjFromDomain(dom);

     virDomainObjBeginJob(obj, VIR_JOB_TYPE);

     ...do prep work...

     if (virDomainObjIsActive(vm)) {
         qemuDomainObjEnterMonitor(obj);
         qemuMonitorXXXX(priv->mon);
         qemuDomainObjExitMonitor(obj);
     }

     ...do final work...

     virDomainObjEndJob(obj);
     virDomainObjEndAPI(&obj);


 * Invoking an agent command on a ``virDomainObj``::

     virDomainObj *obj;
     qemuAgent *agent;

     obj = qemuDomObjFromDomain(dom);

     virDomainObjBeginAgentJob(obj, VIR_AGENT_JOB_TYPE);

     ...do prep work...

     if (!qemuDomainAgentAvailable(obj, true))
         goto cleanup;

     agent = qemuDomainObjEnterAgent(obj);
     qemuAgentXXXX(agent, ..);
     qemuDomainObjExitAgent(obj, agent);

     ...do final work...

     virDomainObjEndAgentJob(obj);
     virDomainObjEndAPI(&obj);


 * Running asynchronous job::

     virDomainObj *obj;
     qemuDomainObjPrivate *priv;

     obj = qemuDomObjFromDomain(dom);

     virDomainObjBeginAsyncJob(obj, VIR_ASYNC_JOB_TYPE);
     qemuDomainObjSetAsyncJobMask(obj, allowedJobs);

     ...do prep work...

     if (qemuDomainObjEnterMonitorAsync(driver, obj,
                                        VIR_ASYNC_JOB_TYPE) < 0) {
         /* domain died in the meantime */
         goto error;
     }
     ...start qemu job...
     qemuDomainObjExitMonitor(obj);

     while (!finished) {
         if (qemuDomainObjEnterMonitorAsync(driver, obj,
                                            VIR_ASYNC_JOB_TYPE) < 0) {
             /* domain died in the meantime */
             goto error;
         }
         ...monitor job progress...
         qemuDomainObjExitMonitor(obj);

         virObjectUnlock(obj);
         sleep(aWhile);
         virObjectLock(obj);
     }

     ...do final work...

     virDomainObjEndAsyncJob(obj);
     virDomainObjEndAPI(&obj);


 * Coordinating with a remote server for migration::

     virDomainObj *obj;
     qemuDomainObjPrivate *priv;

     obj = qemuDomObjFromDomain(dom);

     virDomainObjBeginAsyncJob(obj, VIR_ASYNC_JOB_TYPE);

     ...do prep work...

     if (virDomainObjIsActive(vm)) {
         qemuDomainObjEnterRemote(obj);
         ...communicate with remote...
         qemuDomainObjExitRemote(obj);
         /* domain may have been stopped while we were talking to remote */
         if (!virDomainObjIsActive(vm)) {
             qemuReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                             _("guest unexpectedly quit"));
         }
     }

     ...do final work...

     virDomainObjEndAsyncJob(obj);
     virDomainObjEndAPI(&obj);