On Mon, Jan 30, 2012 at 03:30:18PM -0500, Laine Stump wrote: > On 01/30/2012 06:02 AM, Daniel P. Berrange wrote: > >On Fri, Jan 27, 2012 at 01:35:35PM -0500, Laine Stump wrote: > >>When libvirt is shutting down the qemu process, it first sends > >>SIGTERM, then waits for 1.6 seconds and, if it sees the process still > >>there, sends a SIGKILL. > >> > >>There have been reports that this behavior can lead to data loss > >>because the guest running in qemu doesn't have time to flush it's disk > >>cache buffers before it's unceremoniously whacked. > >> > >>One suggestion on how to solve that problem was to remove SIGKILL from > >>the normal virDomainDestroyFlags, but still provide the ability to > >>kill qemu with SIGKILL by using a new flag to virDomainDestroyFlags. > >>This patch is a quick attempt at that in order to start a > >>conversation on the topic. > >> > >>So what are your opinions? Is this the right way to solve the problem? > >No, we can't change the default semantics of virDomainDestroy in > >this case. Applications expect that we do absolutely everything > >possible to kill of the guest. This is particularly important for > >cluster fencing usage. If we only use SIGTERM, then we're introducing > >unacceptable risk to apps relying on this. > > > >We could do the opposite though - have a flag to do a gracefully > >destroy, leaving the default as un-graceful. > > virDomainShutdown ends up calling qemuProcessKill() too. So, I guess > we need to add a flag there too. > > In the meantime, shouldn't we at least wait longer before resorting > to SIGKILL? (especially since it appears the current timeout is > quite often too short). (If we don't at least do that, what we're > saying is "the behavior of virDomainShutdown / virDomainDestroy is > to lose your data unless you're lucky. If you don't want this > behavior, you need to use virDomainXXXFlags, and specify the > VIR_DOMAIN_DONT_TRASH_MY_DATA flag" :-P). If you add a flag to trigger a graceful kill(SIGINT) only, then we don't need to change the timeout. The application now has the ability to wait as long as they like, before issuing another virDomainDestroy() Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list