protocols/grpc: fix CPU hotplug race condition

[devimc]

With this patch the runtime will communicate to the agent the
number of vCPUs that were hot added, allowing to the agent online all vCPUs.
The agent will try to online all vCPUs 5 times, waiting 500 milliseconds
in each iteration, this is needed since when the runtime calls to QMP
device_add, QEMU doesn't allocate all vCPUs inmediatelly.

fixes #181

Signed-off-by: Julio Montes julio.montes@intel.com

[sboeuf]

Looks like a multiplexer with the naming ...Mux. Please call this onlineCPUMemLock

[sboeuf]

This looks like a lot ! We cannot afford to wait for so much time between two retries. Something like 50ms seems more appropriate, and maybe increase the number of retries if you think that in some cases it might take some time.

[sboeuf]

I think this should not be spawned into a go routine. This is the caller responsibility to know if it should wait or not for the return of this function.
Also, if we look at this patch, we expect to be able to return a valid error in case we could not hotplug the amount of CPUs provided as parameter.

[sboeuf]

Was thinking that nb_cpus or something with number in it, might be more appropriate as the parameter here, since we're providing a number of CPUs.

[sboeuf]

Having functions onlineCPUResources() and onlineMemResources() seems more appropriate to make the code more readable.

func onlineCPUResources(nbCPU int) error {
        resource := onlineResource{
		sysfsOnlinePath: sysfsCPUOnlinePath,
		regexpPattern:   cpuRegexpPattern,
	}

	var count uint32
	for i := uint32(0); i < onlineCPUMaxTries; i++ {
		r, err := onlineResources(resource)
		if err != nil {
			return err
		}
		count += r
		if count == nbCPU {
			return nil
		}
		time.Sleep(onlineCPUMemWaitTime)
	}

	return fmt.Errorf("only %d of %d were connected", count, expectedResources)
}

func onlineMemResources() error {
        resource := onlineResource{
		sysfsOnlinePath: sysfsMemOnlinePath,
		regexpPattern:   memRegexpPattern,
	}

        _, err := onlineResources(resource)
        return err
}

[jodh-intel]

when the runtime calls to QMP device_add, QEMU doesn't allocate all vCPUs inmediatelly.

I think this the piece of code you're referring to:

• https://github.com/kata-containers/runtime/blob/master/virtcontainers/qemu.go#L712..L736

If so, I was about to say that QMP needs a transaction message, when -- guess what? -- I found that it already has!

• https://github.com/qemu/qemu/blob/master/qapi/transaction.json#L87..L151

Hence, we should be able to replace that loop with a call to something like:

{
  "execute": "transaction",                    
  "arguments": { "actions": [                  
    { 
      "type": "device_add",
      "data" : { 
        "id": "cpu-0", "socket-id": "...", "core-id": "...", "thread-id": "..." 
      }   
    },
    { 
      "type": "device_add",
      "data" : { 
        "id": "cpu-1", "socket-id": "...", "core-id": "...", "thread-id": "..." 
      }   
    },
    { 
      "type": "device_add",
      "data" : { 
        "id": "cpu-2", "socket-id": "...", "core-id": "...", "thread-id": "..." 
      }   
    } 
  ]                                            
}

It would be useful to have this feature in https://github.com/intel/govmm.

/cc @rarindam, @markdryan.

[markdryan]

@jodh-intel I'd never seen that transaction command before. I'd assumed it was new when you mentioned it but looking at the qmp docs it seems to have been around since 1.0.

The way we currently model QMP commands doesn't really lend itself to a generic transaction mechanism. Perhaps this is a sign that the API is wrong and should be changed. In the short term it should be possible to add a ExecuteAddDevices that adds multiple devices transactionally.

The other comment I would make is, would using transactions actually solve the race condition? Does qmp generate an event when adding a device? Perhaps ExecuteDeviceAdd just needs to wait for that. Modifying ExecuteDeviceAdd might be a little risky, but we could add a new blocking version of that function and migrate to it over time.

[devimc]

Hi @jodh-intel nice finding!
but I think transactional messages won't fix the race condition, since it only guarantee a failure if any operation fail, the problem with the race condition is that QEMU does not allocate and assign vCPUs intermediately, because it has to negotiate the resources with KVM.
For example, if 5 vCPUs are hot added to the VM, when onlineCPUMem is called, probably only 3 vCPUs have been allocated and assigned to the VM, that means the agent will online only 3 vCPUs, the other two vCPUs will be allocated and assigned later, but the agent won't be able to online them.

[devimc]

@sboeuf changes applied, thanks

[sboeuf]

IMO, no need to specify this Wait through the spec, the caller could simply decide to run the call to OnlineCPUMem() into a go routine if needed.

[devimc]

In order to have a fast boot time, the go routine should run inside the VM, otherwise the runtime fails with next error

rpc error: code = Unavailable desc = transport is closing.

[sboeuf]

Ok makes sense!

[sboeuf]

if nbResources > 0 && count == uint32(nbResources) {

[sboeuf]

@devimc this looks better, I have 2 more comments.

[markdryan]

You should probably check the error here. What you should do I'm not sure. Perhaps simply continue. Looking and the old code no action was taken after this line, so although the error wasn't discarded, ignoring it was harmless. But with these changes I guess it's not.

[devimc]

fixed, thanks

[markdryan]

I'm not sure it's fixed correctly though. If you get one write error you'll give up entirely, i.e., the for loop in onlineCPUResources will terminate. Is this intentional?

[markdryan]

Do the directory contents of resource.sysfsOnlinePath change between invocations of this function? If not do you need to read the directory up to 10 times and check the online files 10 times. I'm suppose I'm thinking of a situation in which in the first invocation you online 4 out of 5 cpus. If I read the code correctly you'd then re-read the online files associated with those CPUs up to 9 more times.

[devimc]

In systems running low on resources, yes. Read the directory in each iteration is needed

[sboeuf]

Thanks @devimc

[markdryan]

If you get one write error you'll give up entirely, i.e., the for loop in onlineCPUResources will terminate. Is this intentional?

[devimc]

you're right, would be better to log the error and continue

PR changed

[devimc]

@markdryan @sboeuf PTAL

[devimc]

🙁

[sboeuf]

@bergwolf @laijs PTAL

[bergwolf]

Just two nits.
lgtm

[bergwolf]

check req.NbCpus is larger than 0?

[bergwolf]

nits: move it to after count++. It only makes sense to check when count increases.

[devimc]

@bergwolf changes applied , thanks

[codecov]

Codecov Report

Merging #182 into master will increase coverage by 2.93%.
The diff coverage is 82.35%.

@@            Coverage Diff             @@
##           master     #182      +/-   ##
==========================================
+ Coverage   32.05%   34.98%   +2.93%     
==========================================
  Files          10       10              
  Lines        1482     1612     +130     
==========================================
+ Hits          475      564      +89     
- Misses        940      963      +23     
- Partials       67       85      +18

Impacted Files	Coverage Δ
grpc.go	14.21% <82.35%> (+10.3%)	⬆️
network.go	46.24% <0%> (-0.21%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c8199f6...49f01ed. Read the comment docs.

[devimc]

ping @kata-containers/agent

[jodh-intel]

lgtm

[jodh-intel]

Nit: shouldn't these be strictly?:

cpuRegexpPattern = "cpu[0-9][0-9]*"
memRegexpPattern = "memory[0-9][0-9]*"

[jodh-intel]

It's fine as long as files called cpu or memory are never created in that directory.

[sboeuf]

@devimc Only a few nits, but looks good !

[sboeuf]

Ok makes sense!

[sboeuf]

s/until/once/

[sboeuf]

s/else/otherwise/

[sboeuf]

s/immediately/immediately./

[sboeuf]

s/Specifies/specifies/
s/online/online./

[sboeuf]

@markdryan could you give this a last review before we merge ?

[markdryan]

Looking at the code, there's no limit if nbResources==0 either.

[markdryan]

@sboeuf Looks good to me. I think my comments have been addressed. I made one small comment on a comment.

[sboeuf]

@devimc please address both comments from @markdryan and myself, and we're good to merge this :)

[devimc]

@markdryan @sboeuf changes applied, thanks

[sboeuf]

Thanks @devimc, let's merge it !