Re: [Xen-devel] [PATCH for 4.9] vif-common.sh: Have iptables wait for the xtables lock
On Tue, Jun 06, 2017 at 05:28:58PM +0100, Julien Grall wrote:
> Hi George,
>
> On 05/06/17 12:03, George Dunlap wrote:
> > Forgot to cc' the release manager.
> >
> > On Mon, Jun 5, 2017 at 11:02 AM, George Dunlap <george.dunlap@xxxxxxxxxx>
> > wrote:
> > > iptables has a system-wide lock on the xtables. Strangely though, in
> > > the case of two concurrent invocations, the default is for the
> > > instance not grabbing the lock to exit out rather than waiting for it.
> > > This means that when starting a large number of guests in parallel,
> > > many will fail out with messages like this:
> > >
> > > 2017-05-10 11:45:40 UTC libxl: error: libxl_exec.c:118:
> > > libxl_report_child_exitstatus: /etc/xen/scripts/vif-bridge remove [18767]
> > > exited with error status 4
> > > 2017-05-10 11:50:52 UTC libxl: error: libxl_exec.c:118:
> > > libxl_report_child_exitstatus: /etc/xen/scripts/vif-bridge offline [1554]
> > > exited with error status 4
> > >
> > > In order to instruct iptables to wait for the lock, you have to
> > > specify '-w'. Unfortunately, not all versions of iptables have the
> > > '-w' option, so on first invocation check to see if it accepts the -w
> > > command.
> > >
> > > Reported-by: Antony Saba <awsaba@xxxxxxxxx>
> > > Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
> > > ---
> > > CC: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
> > > CC: Wei Liu <wei.liu2@xxxxxxxxxx>
> > > ---
> > > tools/hotplug/Linux/vif-common.sh | 38
> > > +++++++++++++++++++++++++++++++++++---
> > > 1 file changed, 35 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/tools/hotplug/Linux/vif-common.sh
> > > b/tools/hotplug/Linux/vif-common.sh
> > > index 6e8d584..29cd8dd 100644
> > > --- a/tools/hotplug/Linux/vif-common.sh
> > > +++ b/tools/hotplug/Linux/vif-common.sh
> > > @@ -120,6 +120,38 @@ fi > > > ip=${ip:-} > > > ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip") > > > > > > +IPTABLES_WAIT_RUNE="-w" > > > +IPTABLES_WAIT_RUNE_CHECKED=false > > > + > > > +# When iptables introduced locking, in the event of lock contention, > > > +# they made "fail" rather than "wait for the lock" the default > > > +# behavior. In order to select "wait for the lock" behavior, you have > > > +# to add the '-w' parameter. Unfortinately, both the locking and the
>
> NIT: s/Unfortinately/Unfortunately/
>
> Release-acked-by: Julien Grall <julien.grall@xxxxxxx>

Fixed the typo and committed to staging and staging-4.9.
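Review bot: IPTABLES_WAIT_RUNE is initialised to "-w" while IPTABLES_WAIT_RUNE_CHECKED is still false, so until the support check has run the variable holds a flag that has not been verified against the installed iptables. Initialising it empty and assigning "-w" only after the check succeeds would make the unverified state harmless: any caller that expands the variable without going through the check would then fall back to the old no-wait behaviour instead of passing an option that older iptables versions reject. The quoted hunk is cut off before the check itself, so whether every iptables call is routed through it cannot be confirmed from the lines shown here.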