RS: remove support for unsafe updates

This feature should no longer be necessary.

Change-Id: I9bff628be020cf1741bffaeb3bb97e3660a54aea

minix/commands/service/service.c

@@ -95,7 +95,6 @@ static int known_request_types[] = {
 #define OPT_FORCE_INIT_FAIL    "-y"	/* force init failure (for debugging) */
 #define OPT_FORCE_INIT_TIMEOUT "-z"	/* force init timeout (for debugging) */
 #define OPT_FORCE_INIT_DEFCB   "-d"	/* force init default callback */
-#define OPT_UNSAFE_LU          "-u"     /* allow unsafe update */
 #define OPT_NOMMAP_LU          "-m"     /* don't inherit mmaped regions */
 #define OPT_DETACH             "-e"     /* detach on update/restart */
 #define OPT_NORESTART          "-f"     /* don't restart */
@@ -176,11 +175,11 @@ static void print_usage(char *app_name, char *problem)
   fprintf(stderr, "Warning, %s\n", problem);
   fprintf(stderr, "Usage:\n");
   fprintf(stderr,
-      "    %s [%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s] (up|run|edit|update) <binary|%s> [%s <args>] [%s <special>] [%s <major_nr>] [%s <dev_id>] [%s <ticks>] [%s <path>] [%s <name>] [%s <path>] [%s <state value|eval_expression>] [%s <time>] [%s <bytes>] [%s <bytes>] [%s <name>] [(%s|%s <src_label1,src_type1:src_label2,:,src_type3:...>)*] [%s <restarts>]\n",
+      "    %s [%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s] (up|run|edit|update) <binary|%s> [%s <args>] [%s <special>] [%s <major_nr>] [%s <dev_id>] [%s <ticks>] [%s <path>] [%s <name>] [%s <path>] [%s <state value|eval_expression>] [%s <time>] [%s <bytes>] [%s <bytes>] [%s <name>] [(%s|%s <src_label1,src_type1:src_label2,:,src_type3:...>)*] [%s <restarts>]\n",
 	app_name, OPT_COPY, OPT_REUSE, OPT_NOBLOCK, OPT_REPLICA, OPT_NO_BIN_EXP,
 	OPT_BATCH, OPT_ASR_LU, OPT_PREPARE_ONLY_LU, OPT_FORCE_SELF_LU,
 	OPT_FORCE_INIT_CRASH, OPT_FORCE_INIT_FAIL, OPT_FORCE_INIT_TIMEOUT,
-	OPT_FORCE_INIT_DEFCB, OPT_UNSAFE_LU, OPT_NOMMAP_LU, OPT_DETACH,
+	OPT_FORCE_INIT_DEFCB, OPT_NOMMAP_LU, OPT_DETACH,
 	OPT_NORESTART, OPT_FORCE_INIT_ST, SELF_BINARY,
 	ARG_ARGS, ARG_DEV, ARG_MAJOR, ARG_DEVMANID, ARG_PERIOD,
 	ARG_SCRIPT, ARG_LABELNAME, ARG_CONFIG, ARG_LU_STATE, ARG_LU_MAXTIME,
@@ -207,7 +206,6 @@ static void print_usage(char *app_name, char *problem)
   fprintf(stderr, "      %s: force init failure (for debugging)\n", OPT_FORCE_INIT_FAIL);
   fprintf(stderr, "      %s: force init timeout (for debugging)\n", OPT_FORCE_INIT_TIMEOUT);
   fprintf(stderr, "      %s: force init default callback       \n", OPT_FORCE_INIT_DEFCB);
-  fprintf(stderr, "      %s: allow unsafe update               \n", OPT_UNSAFE_LU);
   fprintf(stderr, "      %s: don't inherit mmaped regions      \n", OPT_NOMMAP_LU);
   fprintf(stderr, "      %s: detach on update/restart          \n", OPT_DETACH);
   fprintf(stderr, "      %s: don't restart                     \n", OPT_NORESTART);
@@ -454,9 +452,6 @@ static int parse_arguments(int argc, char **argv, u32_t *rss_flags)
       if(d_flag)
           *rss_flags |= RSS_FORCE_INIT_DEFCB;
 
-      if(u_flag)
-          *rss_flags |= RSS_UNSAFE_LU;
-
       if(m_flag)
           *rss_flags |= RSS_NOMMAP_LU;
 

minix/include/minix/rs.h

@@ -43,12 +43,11 @@ Interface to the reincarnation server
 #define RSS_FORCE_INIT_DEFCB    0x2000  /* force default cb at initialization time (for debugging) */
 #define RSS_SYS_BASIC_CALLS	0x4000	/* include basic kernel calls */
 #define RSS_VM_BASIC_CALLS	0x8000	/* include basic vm calls */
-#define RSS_UNSAFE_LU          0x10000  /* allow unsafe update */
-#define RSS_NOMMAP_LU          0x20000  /* don't inherit mmapped regions */
-#define RSS_DETACH             0x40000  /* detach on update/restart */
-#define RSS_NORESTART          0x80000  /* don't restart */
-#define RSS_FORCE_INIT_ST     0x100000  /* force state transfer at initialization time */
-#define RSS_NO_BIN_EXP        0x200000  /* suppress binary exponential offset */
+#define RSS_NOMMAP_LU          0x10000  /* don't inherit mmapped regions */
+#define RSS_DETACH             0x20000  /* detach on update/restart */
+#define RSS_NORESTART          0x40000  /* don't restart */
+#define RSS_FORCE_INIT_ST      0x80000  /* force state transfer at initialization time */
+#define RSS_NO_BIN_EXP        0x100000  /* suppress binary exponential offset */
 
 /* Common definitions. */
 #define RS_NR_CONTROL		 8

minix/include/minix/sef.h

@@ -237,9 +237,8 @@ int sef_cb_lu_response_rs_reply(message *m_ptr);
 #define SEF_LU_INCLUDES_VM     	      0x0800    /* the update includes VM */
 #define SEF_LU_INCLUDES_RS     	      0x1000    /* the update includes RS */
 #define SEF_LU_PREPARE_ONLY           0x2000    /* prepare only, no actual update taking place */
-#define SEF_LU_UNSAFE                 0x4000    /* unsafe update, rollback may not be possible */
-#define SEF_LU_NOMMAP	      	      0x8000    /* update doesn't inherit mmapped regions */
-#define SEF_LU_DETACHED      	     0x10000    /* update detaches the old instance */
+#define SEF_LU_NOMMAP	      	      0x4000    /* update doesn't inherit mmapped regions */
+#define SEF_LU_DETACHED      	      0x8000    /* update detaches the old instance */
 
 #define SEF_LU_IS_IDENTITY_UPDATE(F) (((F) & (SEF_LU_SELF|SEF_LU_NOMMAP|SEF_LU_ASR|SEF_INIT_ST)) == SEF_LU_SELF)
 

minix/servers/rs/request.c

@@ -578,9 +578,6 @@ int do_update(message *m_ptr)
   if(rs_start.rss_flags & RSS_ASR_LU) {
       lu_flags |= SEF_LU_ASR;
   }
-  if(rs_start.rss_flags & RSS_UNSAFE_LU) {
-      lu_flags |= SEF_LU_UNSAFE;
-  }
   if(!prepare_only && (rs_start.rss_flags & RSS_DETACH)) {
       lu_flags |= SEF_LU_DETACHED;
   }

minix/servers/rs/update.c

@@ -65,7 +65,7 @@ void rupdate_add_upd(struct rprocupd* rpupd)
   rupdate.num_rpupds++;
 
   /* Propagate relevant flags from the new descriptor. */
-  lu_flags = rpupd->lu_flags & (SEF_LU_INCLUDES_VM|SEF_LU_INCLUDES_RS|SEF_LU_UNSAFE|SEF_LU_MULTI);
+  lu_flags = rpupd->lu_flags & (SEF_LU_INCLUDES_VM|SEF_LU_INCLUDES_RS|SEF_LU_MULTI);
   if(lu_flags) {
       RUPDATE_ITER(rupdate.first_rpupd, prev_rpupd, walk_rpupd,
           walk_rpupd->lu_flags |= lu_flags;
@@ -95,7 +95,7 @@ void rupdate_set_new_upd_flags(struct rprocupd* rpupd)
 
   /* Propagate relevant flags from last service under update (if any). */
   if(rupdate.last_rpupd) {
-      int lu_flags = rupdate.last_rpupd->lu_flags & (SEF_LU_INCLUDES_VM|SEF_LU_INCLUDES_RS|SEF_LU_UNSAFE);
+      int lu_flags = rupdate.last_rpupd->lu_flags & (SEF_LU_INCLUDES_VM|SEF_LU_INCLUDES_RS);
       rpupd->lu_flags |= lu_flags;
       rpupd->init_flags |= lu_flags;
   }
@@ -886,16 +886,6 @@ void end_update_debug(char *file, int line,
       exit(1);
   }
 
-  /* If VM is updated as part of a multi-component live update and something
-   * goes wrong after VM has completed initialization, rollback is only
-   * supported in a best-effort way in unsafe mode. The new VM instance might
-   * have important state changes that won't be reflected in the old version
-   * once we rollback.
-   */
-  if(result != OK && RUPDATE_IS_UPD_VM_MULTI() && RUPDATE_IS_VM_INIT_DONE() && (rupdate.vm_rpupd->lu_flags & SEF_LU_UNSAFE)) {
-      printf("RS: Warning rollbacking in unsafe multi-component update including VM!\n");
-  }
-
   /* Handle prepare-only services first: simply cancel the update. */
   RUPDATE_ITER(rupdate.first_rpupd, prev_rpupd, rpupd,
       if(UPD_IS_PREPARING_ONLY(rpupd)) {

minix/servers/rs/utility.c

@@ -189,11 +189,11 @@ char* srv_upd_to_string(struct rprocupd *rpupd)
 #define srv_upd_luflag_c(F) (rpupd->lu_flags & F ? '1' : '0')
 #define srv_upd_iflag_c(F) (rpupd->init_flags & F ? '1' : '0')
 
-   sprintf(srv_upd_string, "update (lu_flags(SAMPUNDRV)=%c%c%c%c%c%c%c%c%c, init_flags=(FCTD)=%c%c%c%c, state %d (%s), tm %lu, maxtime %lu, endpoint %d, state_data_gid %d, prev_ep %d, next_ep %d)",
+   sprintf(srv_upd_string, "update (lu_flags(SAMPNDRV)=%c%c%c%c%c%c%c%c, init_flags=(FCTD)=%c%c%c%c, state %d (%s), tm %lu, maxtime %lu, endpoint %d, state_data_gid %d, prev_ep %d, next_ep %d)",
        srv_upd_luflag_c(SEF_LU_SELF), srv_upd_luflag_c(SEF_LU_ASR),
        srv_upd_luflag_c(SEF_LU_MULTI), srv_upd_luflag_c(SEF_LU_PREPARE_ONLY),
-       srv_upd_luflag_c(SEF_LU_UNSAFE), srv_upd_luflag_c(SEF_LU_NOMMAP),
-       srv_upd_luflag_c(SEF_LU_DETACHED), srv_upd_luflag_c(SEF_LU_INCLUDES_RS),
+       srv_upd_luflag_c(SEF_LU_NOMMAP), srv_upd_luflag_c(SEF_LU_DETACHED),
+       srv_upd_luflag_c(SEF_LU_INCLUDES_RS),
        srv_upd_luflag_c(SEF_LU_INCLUDES_VM), srv_upd_iflag_c(SEF_INIT_FAIL),
        srv_upd_iflag_c(SEF_INIT_CRASH), srv_upd_iflag_c(SEF_INIT_TIMEOUT),
        srv_upd_iflag_c(SEF_INIT_DEFCB), rpupd->prepare_state, 

minix/servers/vm/main.c

@@ -617,10 +617,6 @@ static int sef_cb_init_vm_multi_lu(int type, sef_init_info_t *info)
 	num_elements = 0;
 	ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE;
 	ipc_filter[num_elements++].m_source = RS_PROC_NR;
-	if(info->flags & SEF_LU_UNSAFE) {
-	    ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE;
-	    ipc_filter[num_elements++].m_source = ANY_TSK;
-	}
 	if((r = sys_safecopyfrom(RS_PROC_NR, info->rproctab_gid, 0,
 	    (vir_bytes) rprocpub, NR_SYS_PROCS*sizeof(struct rprocpub))) != OK) {
 	    panic("sys_safecopyfrom failed: %d", r);
@@ -635,28 +631,18 @@ static int sef_cb_init_vm_multi_lu(int type, sef_init_info_t *info)
                      * are blocked intentionally, as handling these would
                      * prevent VM from being able to roll back.
                      */
-	            ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE;
+	            ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE | IPCF_MATCH_M_TYPE;
 	            ipc_filter[num_elements].m_source = rprocpub[i].old_endpoint;
-	            if(!(info->flags & SEF_LU_UNSAFE)) {
-	                ipc_filter[num_elements].flags |= IPCF_MATCH_M_TYPE;
-	                ipc_filter[num_elements].m_type = VM_BRK;
-	            }
-	            num_elements++;
-	            ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE;
+	            ipc_filter[num_elements++].m_type = VM_BRK;
+	            ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE | IPCF_MATCH_M_TYPE;
 	            ipc_filter[num_elements].m_source = rprocpub[i].new_endpoint;
-	            if(!(info->flags & SEF_LU_UNSAFE)) {
-	                ipc_filter[num_elements].flags |= IPCF_MATCH_M_TYPE;
-	                ipc_filter[num_elements].m_type = VM_BRK;
-	            }
-	            num_elements++;
-	            if(!(info->flags & SEF_LU_UNSAFE)) {
-	                ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE | IPCF_MATCH_M_TYPE;
-	                ipc_filter[num_elements].m_source = rprocpub[i].old_endpoint;
-	                ipc_filter[num_elements++].m_type = VM_INFO;
-	                ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE | IPCF_MATCH_M_TYPE;
-	                ipc_filter[num_elements].m_source = rprocpub[i].new_endpoint;
-	                ipc_filter[num_elements++].m_type = VM_INFO;
-	            }
+	            ipc_filter[num_elements++].m_type = VM_BRK;
+	            ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE | IPCF_MATCH_M_TYPE;
+	            ipc_filter[num_elements].m_source = rprocpub[i].old_endpoint;
+	            ipc_filter[num_elements++].m_type = VM_INFO;
+	            ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE | IPCF_MATCH_M_TYPE;
+	            ipc_filter[num_elements].m_source = rprocpub[i].new_endpoint;
+	            ipc_filter[num_elements++].m_type = VM_INFO;
 	            /* Make sure we can talk to any RS instance. */
 	            if(rprocpub[i].old_endpoint == RS_PROC_NR) {
 	                ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE;

minix/tests/testrelpol.sh

@@ -237,7 +237,6 @@ multi_lu_test_one() {
 	local ret=0
 	local index=0
 	local once_index=2
-	local force_unsafe=""
 
 	lu_opts=${lu_opts:-}
 	lu_maxtime=${lu_maxtime:-3HZ}
@@ -249,13 +248,9 @@ multi_lu_test_one() {
 	for label in ${labels}
 	do
 		index=`expr $index + 1`
-		force_unsafe=""
 
 		if [ "x$label" = "xvm" ]
 		then
-			# VM doesn't support safe LU, nor rollbacks for now
-			force_unsafe="-u"
-
 			if echo "${lu_opts_once}" | grep -q -E -- '-(x|y|z)'
 			then
 				continue
@@ -264,9 +259,9 @@ multi_lu_test_one() {
 
 		if [ $index -eq $once_index ]
 		then
-			service ${lu_opts_once} ${force_unsafe} -q update self -label ${label} -maxtime ${lu_maxtime_once} -state ${lu_state_once} || ret=1
+			service ${lu_opts_once} -q update self -label ${label} -maxtime ${lu_maxtime_once} -state ${lu_state_once} || ret=1
 		else
-			service ${lu_opts} ${force_unsafe} -q update self -label ${label} -maxtime ${lu_maxtime} -state ${lu_state} || ret=1
+			service ${lu_opts} -q update self -label ${label} -maxtime ${lu_maxtime} -state ${lu_state} || ret=1
 		fi
 	done
 	service sysctl upd_run