Qemu driver: graceful shutdown feature #3411
Conversation
cheeseprocedure
force-pushed
the
f-qemu-graceful-shutdown
branch
3 times, most recently
from
216285c
to
2129de2
Compare
client/driver/qemu.go
Outdated
| @@ -239,7 +288,7 @@ func (d *QemuDriver) Start(ctx *ExecContext, task *structs.Task) (*StartResponse | |||
| ) | |||
| } | |||
|
|
|||
| d.logger.Printf("[DEBUG] Starting QemuVM command: %q", strings.Join(args, " ")) | |||
| d.logger.Printf("[DEBUG] driver.qemu - starting QemuVM command: %q", strings.Join(args, " ")) | |||
There was a problem hiding this comment.
Can you standardize on driver.qemu: as you logging prefix? That's the convention we use elsewhere.
client/driver/qemu.go
Outdated
| @@ -317,7 +367,7 @@ func (d *QemuDriver) Open(ctx *ExecContext, handleID string) (DriverHandle, erro | |||
|
|
|||
| exec, pluginClient, err := createExecutorWithConfig(pluginConfig, d.config.LogOutput) | |||
| if err != nil { | |||
| d.logger.Println("[ERR] driver.qemu: error connecting to plugin so destroying plugin pid and user pid") | |||
| d.logger.Println("[ERR] driver.qemu - error connecting to plugin so destroying plugin pid and user pid") | |||
There was a problem hiding this comment.
While you're changing this could you switch to Printf and include at least the pids. There's not really enough information in this log line to be useful.
client/driver/qemu.go
Outdated
| defer monitorSocket.Close() | ||
| h.logger.Printf("[DEBUG] driver.qemu - sending graceful shutdown command to qemu monitor socket at %s", h.monitorPath) | ||
| _, err = monitorSocket.Write([]byte(qemuGracefulShutdownMsg)) | ||
| if err == nil { |
There was a problem hiding this comment.
Is there any way to block until either the vm exits or the kill timeout is reached and make sure to always call h.executor.ShutDown() to kill Nomad's sidecar process?
I'm afraid this could leak VMs and Nomad executor processes.
client/driver/qemu.go
Outdated
| if err == nil { | ||
| return nil | ||
| } | ||
| h.logger.Printf("[WARN] driver.qemu - failed to send '%s' to monitor socket '%s': %s", qemuGracefulShutdownMsg, h.monitorPath, err) |
There was a problem hiding this comment.
Using %q instead of '%s' will properly escape and quote strings for what it's worth. Not a big deal to change as we're not consistent either, but %q is pretty handy.
client/driver/qemu.go
Outdated
| @@ -395,13 +462,13 @@ func (h *qemuHandle) Kill() error { | |||
| case <-h.doneCh: | |||
| return nil | |||
| case <-time.After(h.killTimeout): | |||
| h.logger.Printf("[DEBUG] driver.qemu - kill timeout exceeded") | |||
There was a problem hiding this comment.
Can you include monitorPath and/or userPid in log messages so users have some way of connectin gthem to a particular VM?
client/driver/qemu.go
Outdated
| @@ -414,7 +481,7 @@ func (h *qemuHandle) run() { | |||
| ps, werr := h.executor.Wait() | |||
| if ps.ExitCode == 0 && werr != nil { | |||
| if e := killProcess(h.userPid); e != nil { | |||
| h.logger.Printf("[ERR] driver.qemu: error killing user process: %v", e) | |||
| h.logger.Printf("[ERR] driver.qemu - error killing user process: %v", e) | |||
client/driver/qemu_test.go
Outdated
| @@ -14,6 +14,14 @@ import ( | |||
| ctestutils "github.com/hashicorp/nomad/client/testutil" | |||
| ) | |||
|
|
|||
| func generateString(length int) string { | |||
There was a problem hiding this comment.
Replace with strings.Repeat("x", n)
| Config: map[string]interface{}{ | ||
| "image_path": "linux-0.2.img", | ||
| "accelerator": "tcg", | ||
| "graceful_shutdown": false, |
There was a problem hiding this comment.
Adding a graceful_shutdown test would be nice. Maybe copy StartOpen_Wait, but don't worry about the Open part (that's the restore path)?
| @@ -47,6 +48,8 @@ The `qemu` driver supports the following configuration in the job spec: | |||
| If the host machine has `qemu` installed with KVM support, users can specify | |||
| `kvm` for the `accelerator`. Default is `tcg`. | |||
|
|
|||
| * `graceful_shutdown` `(bool: false)` - Using the [qemu monitor](https://en.wikibooks.org/wiki/QEMU/Monitor), send an ACPI shutdown signal to virtual machines rather than simply terminating them. This emulates a physical power button press, and gives instances a chance to shut down cleanly. If the VM is still running after ``kill_timeout``, it will be forcefully terminated. (Note that [prior to qemu 2.10.1](https://github.com/qemu/qemu/commit/ad9579aaa16d5b385922d49edac2c96c79bcfb6), the monitor socket path is limited to 108 characters. Graceful shutdown will be disabled if qemu is < 2.10.1 and the generated monitor path exceeds this length. You may encounter this issue if you set long [data_dir](https://www.nomadproject.io/docs/agent/configuration/index.html#data_dir) or [alloc_dir](https://www.nomadproject.io/docs/agent/configuration/client.html#alloc_dir) paths.) | |||
There was a problem hiding this comment.
Wrap at 80 characters and indent lines with 2 spaces (we're considering loosening this style, but now we're trying to stay consistent).
If the VM is still running after
kill_timeout, it will be forcefully terminated.
Huh, I thought if you wrote the shutdown message to the monitor's socket properly the Kill() method returned and Nomad would consider the VM dead even if it wasn't? Perhaps my comment on that code above is wrong?
cheeseprocedure
force-pushed
the
f-qemu-graceful-shutdown
branch
7 times, most recently
from
35176dc
to
95e07da
Compare
cheeseprocedure
force-pushed
the
f-qemu-graceful-shutdown
branch
from
95e07da
to
60030d8
Compare
|
Hi @schmichael - thank you for all the feedback! I've made a number of improvements in response, including more actionable logging, fixes to Please let me know if I can perform any additional changes and/or cleanup. |
There was a problem hiding this comment.
Looks great! Thanks for all of the hard work @cheeseprocedure.
I left a few more comments, but I don't think any are blockers. I'll merge soon unless someone else spots something.
client/driver/qemu.go
Outdated
| var err error | ||
| if monitorPath == "" { | ||
| logger.Printf("[DEBUG] driver.qemu: monitorPath not set; will not attempt graceful shutdown for user process pid %d", userPid) | ||
| err = errors.New("monitorPath not set") |
There was a problem hiding this comment.
You could return the error here and skip the else block and var err error declaration.
Not a blocker.
client/driver/qemu_test.go
Outdated
| monitorPathExists := false | ||
| for i := 0; i < 5; i++ { | ||
| if _, err := os.Stat(monitorPath); !os.IsNotExist(err) { | ||
| fmt.Printf("Monitor socket exists at %q\n", monitorPath) |
There was a problem hiding this comment.
d.logger.Printf (or a testLogger()) is preferred but not a blocker.
client/driver/qemu_test.go
Outdated
| monitorPathExists = true | ||
| break | ||
| } | ||
| time.Sleep(1 * time.Second) |
There was a problem hiding this comment.
We test on fast developer machines and very slow VMs, so testing more often (eg every 200ms) and more times (eg 50 times) would be preferred.
client/driver/qemu_test.go
Outdated
| } | ||
|
|
||
| // Clean up | ||
| if err := resp.Handle.Kill(); err != nil { |
client/driver/qemu_test.go
Outdated
|
|
||
| // Clean up | ||
| if err := resp.Handle.Kill(); err != nil { | ||
| fmt.Printf("\nError killing Qemu test: %s", err) |
There was a problem hiding this comment.
Same as above (use a testLogger)
|
Thanks for the additional feedback! I've made some small changes in response. |
GNUmakefile
Outdated
| @echo "==> Spell checking website..." | ||
| @misspell -error -source=text website/source/ | ||
| # @misspell -error -source=text website/source/ |
There was a problem hiding this comment.
Ha, I don't think you meant to commit this. :)
There was a problem hiding this comment.
D'oh! Fixed.
client/driver/qemu_test.go
Outdated
| } | ||
|
|
||
| // Clean up | ||
| defer func() { |
There was a problem hiding this comment.
Oh sorry, meant to do this block in a defer right after you check the error from d.Start. That way you cleanup even if a fatal error is hit.
There was a problem hiding this comment.
Double d'oh. Fixed!
cheeseprocedure
force-pushed
the
f-qemu-graceful-shutdown
branch
from
b4fc5e7
to
1856585
Compare
client/driver/qemu.go
Outdated
| // The key populated in Node Attributes to indicate presence of the Qemu driver | ||
| qemuDriverAttr = "driver.qemu" | ||
| qemuDriverVersionAttr = "driver.qemu.version" | ||
| qemuDriverLongMonitorPathAttr = "driver.qemu.longsocketpaths" |
There was a problem hiding this comment.
I am not a fan of this being an attribute. I think we can just check in the start method
There was a problem hiding this comment.
For scheduling purposes, constraining on this can be replicated by: https://www.nomadproject.io/docs/job-specification/constraint.html#quot-version-quot-
There was a problem hiding this comment.
Thanks - I've removed this attribute as part of the changes to getMonitorPath!
client/driver/qemu.go
Outdated
| // Relevant fix is here: | ||
| // https://github.com/qemu/qemu/commit/ad9579aaa16d5b385922d49edac2c96c79bcfb6 | ||
| currentQemuSemver := semver.New(currentQemuVersion) | ||
| fixedSocketPathLenVer := semver.New("2.10.1") |
There was a problem hiding this comment.
Can you make this a variable with a comment. Can be a singleton.
client/driver/qemu.go
Outdated
| @@ -64,6 +75,13 @@ type qemuHandle struct { | |||
| doneCh chan struct{} | |||
| } | |||
|
|
|||
| func getMonitorPath(dir string, longPathSupport string) (string, error) { | |||
client/driver/qemu.go
Outdated
| @@ -64,6 +75,13 @@ type qemuHandle struct { | |||
| doneCh chan struct{} | |||
| } | |||
|
|
|||
| func getMonitorPath(dir string, longPathSupport string) (string, error) { | |||
| if len(dir) > legacyMaxMonitorPathLen && longPathSupport != "1" { | |||
There was a problem hiding this comment.
Instead of taking the longPathSupport string make this a function on the QemuDriver and use the node that is in the embedded DriverCtx to check the version of the qemu driver and determine if there is support.
client/driver/qemu.go
Outdated
| d.logger.Printf("[DEBUG] driver.qemu: got monitor path OK: %s", monitorPath) | ||
| args = append(args, "-monitor", fmt.Sprintf("unix:%s,server,nowait", monitorPath)) | ||
| } else { | ||
| d.logger.Printf("[WARN] driver.qemu: %s", err) |
There was a problem hiding this comment.
I think this should fail the task.
There was a problem hiding this comment.
Done! This will now return (and log) an error.
client/driver/qemu.go
Outdated
| if h.pluginClient.Exited() { | ||
| return nil | ||
| // First, try sending a graceful shutdown command via the qemu monitor | ||
| err := sendQemuShutdown(h.logger, h.monitorPath, h.userPid) |
There was a problem hiding this comment.
Wrap this in a if check seeing if graceful shutdown is enabled and log the error
client/driver/qemu.go
Outdated
| if monitorPath == "" { | ||
| logger.Printf("[DEBUG] driver.qemu: monitorPath not set; will not attempt graceful shutdown for user process pid %d", userPid) | ||
| return errors.New("monitorPath not set") | ||
| } else { |
There was a problem hiding this comment.
You can remove the else statement since the if returns.
client/driver/qemu.go
Outdated
| return errors.New("monitorPath not set") | ||
| } else { | ||
| monitorSocket, err := net.Dial("unix", monitorPath) | ||
| if err == nil { |
There was a problem hiding this comment.
Swap the checking. if err != nil { log && return err} and de-indent the block.
client/driver/qemu.go
Outdated
| // Reference: https://en.wikibooks.org/wiki/QEMU/Monitor | ||
| qemuGracefulShutdownMsg = "system_powerdown\n" | ||
| legacyMaxMonitorPathLen = 108 | ||
| qemuMonitorSocketName = "qemu-monitor.sock" |
There was a problem hiding this comment.
Good question! Until today, I didn't realize QEMU was available on Windows hosts. I would need to spin up an EC2 instance and experiment a bit with QEMU monitor interaction on that platform.
It appears an existing QEMU driver option can cause trouble on Windows hosts (accelerator = "kvm"). As a first pass, would it be acceptable to fail a task if graceful shutdown has been enabled for the job and runtime.GOOS == "windows" (ensuring it's called out in documentation, of course)?
There was a problem hiding this comment.
Yeah I think that is acceptable. Would you mind adding error cases for both graceful and kvm on windows.
|
@dadgar thank you very much for your feedback! I believe I've addressed the comments, with the exception of one outstanding question about Windows support. |
cheeseprocedure
force-pushed
the
f-qemu-graceful-shutdown
branch
2 times, most recently
from
101dba8
to
80495d7
Compare
Remove attribute for long qemu monitor path; misc cleanup; update tests
cheeseprocedure
force-pushed
the
f-qemu-graceful-shutdown
branch
from
80495d7
to
66f9840
Compare
client/driver/qemu.go
Outdated
| d.logger.Printf("[WARN] driver.qemu: %s", err) | ||
| monitorPath, err := d.getMonitorPath(ctx.TaskDir.Dir) | ||
| if err != nil { | ||
| d.logger.Printf("[ERR] driver.qemu: could not get qemu monitor path - error: %s", err) |
There was a problem hiding this comment.
"[ERR] driver.qemu: could not get qemu monitor path: %s"
client/driver/qemu.go
Outdated
| // If we did not send a graceful shutdown via the monitor socket, we'll | ||
| // issue an interrupt to the qemu process as a last resort | ||
| if err != nil { | ||
| if err := sendQemuShutdown(h.logger, h.monitorPath, h.userPid); err != nil { |
There was a problem hiding this comment.
This will log several debug messages relating to graceful shutdown even if the user didn't set the option. We should only attempt the graceful shutdown if the user asked for it.
client/driver/qemu.go
Outdated
| // Reference: https://en.wikibooks.org/wiki/QEMU/Monitor | ||
| qemuGracefulShutdownMsg = "system_powerdown\n" | ||
| legacyMaxMonitorPathLen = 108 | ||
| qemuMonitorSocketName = "qemu-monitor.sock" |
There was a problem hiding this comment.
Yeah I think that is acceptable. Would you mind adding error cases for both graceful and kvm on windows.
|
@dadgar thank you for the review! In addition to the fixes above, I've added simple checks for the graceful-shutdown feature and use of the KVM accelerator which return errors if run on a Windows host. |
cheeseprocedure
force-pushed
the
f-qemu-graceful-shutdown
branch
from
c3121f1
to
046b774
Compare
cheeseprocedure
force-pushed
the
f-qemu-graceful-shutdown
branch
from
046b774
to
f734d84
Compare
|
@cheeseprocedure Awesome work! I am going to merge and add some documentation that the graceful shutdown is only supported on Linux for now! |
|
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions. |
This PR enables the Qemu driver to attempt a graceful shutdown of guest VMs by passing an ACPI-shutdown via the Qemu monitor.
This is a best-effort mechanism for notifying guests of their impending termination. The driver will still forcibly terminate the process if the kill timeout expires.
I think the integration tests can be improved; any suggestions in that area are especially appreciated.
Thank you!