2c1629da04
Cleaning up after domain shutdown (domain-stopped and domain-shutdown
events) relies on libvirt events which may be unreliable in some cases
(events may be processed with some delay, of if libvirt was restarted in
the meantime, may not happen at all). So, instead of ensuring only
proper ordering between shutdown cleanup and next startup, also trigger
the cleanup when we know for sure domain isn't running:
- at vm.kill() - after libvirt confirms domain was destroyed
- at vm.shutdown(wait=True) - after successful shutdown
- at vm.remove_from_disk() - after ensuring it isn't running but just
before actually removing it
This fixes various race conditions:
- qvm-kill && qvm-remove: remove could happen before shutdown cleanup
was done and storage driver would be confused about that
- qvm-shutdown --wait && qvm-clone: clone could happen before new content was
commited to the original volume, making the copy of previous VM state
(and probably more)
Previously it wasn't such a big issue on default configuration, because
LVM driver was fully synchronous, effectively blocking the whole qubesd
for the time the cleanup happened.
To avoid code duplication, factor out _ensure_shutdown_handled function
calling actual cleanup (and possibly canceling one called with libvirt
event). Note that now, "Duplicated stopped event from libvirt received!"
warning may happen in normal circumstances, not only because of some
bug.
It is very important that post-shutdown cleanup happen when domain is
not running. To ensure that, take startup_lock and under it 1) ensure
its halted and only then 2) execute the cleanup. This isn't necessary
when removing it from disk, because its already removed from the
collection at that time, which also avoids other calls to it (see also
"vm/dispvm: fix DispVM cleanup" commit).
Actually, taking the startup_lock in remove_from_disk function would
cause a deadlock in DispVM auto cleanup code:
- vm.kill (or other trigger for the cleanup)
- vm.startup_lock acquire <====
- vm._ensure_shutdown_handled
- domain-shutdown event
- vm._auto_cleanup (in DispVM class)
- vm.remove_from_disk
- cannot take vm.startup_lock again
|
||
|---|---|---|
| ci | ||
| contrib | ||
| doc | ||
| etc | ||
| linux | ||
| qubes | ||
| qubes-rpc | ||
| qubes-rpc-policy | ||
| qubespolicy | ||
| qvm-tools | ||
| relaxng | ||
| rpm_spec | ||
| templates | ||
| test-packages | ||
| tests | ||
| .coveragerc | ||
| .gitignore | ||
| .pylintrc | ||
| .travis.yml | ||
| installer.wxs | ||
| LICENSE | ||
| Makefile | ||
| Makefile.builder | ||
| README.md | ||
| run-tests | ||
| setup.cfg | ||
| setup.py | ||
| version | ||
Qubes core, version 3
This is master branch of the Qubes OS core.
API documentation is available: https://dev.qubes-os.org/projects/core-admin/en/latest/.