RS: remove support for unsafe updates

This feature should no longer be necessary.

Change-Id: I9bff628be020cf1741bffaeb3bb97e3660a54aea
This commit is contained in:
David van Moolenbroek 2015-07-15 10:46:04 +02:00
parent 4506a0eebf
commit c0df94ec22
8 changed files with 26 additions and 65 deletions


@ -95,7 +95,6 @@ static int known_request_types[] = {
#define OPT_FORCE_INIT_FAIL "-y" /* force init failure (for debugging) */
#define OPT_FORCE_INIT_TIMEOUT "-z" /* force init timeout (for debugging) */
#define OPT_FORCE_INIT_DEFCB "-d" /* force init default callback */
#define OPT_UNSAFE_LU "-u" /* allow unsafe update */
#define OPT_NOMMAP_LU "-m" /* don't inherit mmaped regions */
#define OPT_DETACH "-e" /* detach on update/restart */
#define OPT_NORESTART "-f" /* don't restart */
@ -176,11 +175,11 @@ static void print_usage(char *app_name, char *problem)
fprintf(stderr, "Warning, %s\n", problem);
fprintf(stderr, "Usage:\n");
fprintf(stderr,
" %s [%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s] (up|run|edit|update) <binary|%s> [%s <args>] [%s <special>] [%s <major_nr>] [%s <dev_id>] [%s <ticks>] [%s <path>] [%s <name>] [%s <path>] [%s <state value|eval_expression>] [%s <time>] [%s <bytes>] [%s <bytes>] [%s <name>] [(%s|%s <src_label1,src_type1:src_label2,:,src_type3:...>)*] [%s <restarts>]\n",
" %s [%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s] (up|run|edit|update) <binary|%s> [%s <args>] [%s <special>] [%s <major_nr>] [%s <dev_id>] [%s <ticks>] [%s <path>] [%s <name>] [%s <path>] [%s <state value|eval_expression>] [%s <time>] [%s <bytes>] [%s <bytes>] [%s <name>] [(%s|%s <src_label1,src_type1:src_label2,:,src_type3:...>)*] [%s <restarts>]\n",
app_name, OPT_COPY, OPT_REUSE, OPT_NOBLOCK, OPT_REPLICA, OPT_NO_BIN_EXP,
OPT_BATCH, OPT_ASR_LU, OPT_PREPARE_ONLY_LU, OPT_FORCE_SELF_LU,
OPT_FORCE_INIT_CRASH, OPT_FORCE_INIT_FAIL, OPT_FORCE_INIT_TIMEOUT,
OPT_FORCE_INIT_DEFCB, OPT_UNSAFE_LU, OPT_NOMMAP_LU, OPT_DETACH,
OPT_FORCE_INIT_DEFCB, OPT_NOMMAP_LU, OPT_DETACH,
OPT_NORESTART, OPT_FORCE_INIT_ST, SELF_BINARY,
ARG_ARGS, ARG_DEV, ARG_MAJOR, ARG_DEVMANID, ARG_PERIOD,
ARG_SCRIPT, ARG_LABELNAME, ARG_CONFIG, ARG_LU_STATE, ARG_LU_MAXTIME,
@ -207,7 +206,6 @@ static void print_usage(char *app_name, char *problem)
fprintf(stderr, " %s: force init failure (for debugging)\n", OPT_FORCE_INIT_FAIL);
fprintf(stderr, " %s: force init timeout (for debugging)\n", OPT_FORCE_INIT_TIMEOUT);
fprintf(stderr, " %s: force init default callback \n", OPT_FORCE_INIT_DEFCB);
fprintf(stderr, " %s: allow unsafe update \n", OPT_UNSAFE_LU);
fprintf(stderr, " %s: don't inherit mmaped regions \n", OPT_NOMMAP_LU);
fprintf(stderr, " %s: detach on update/restart \n", OPT_DETACH);
fprintf(stderr, " %s: don't restart \n", OPT_NORESTART);
@ -454,9 +452,6 @@ static int parse_arguments(int argc, char **argv, u32_t *rss_flags)
if(d_flag)
*rss_flags |= RSS_FORCE_INIT_DEFCB;
if(u_flag)
*rss_flags |= RSS_UNSAFE_LU;
if(m_flag)
*rss_flags |= RSS_NOMMAP_LU;
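Review bot: The parse_arguments hunk drops only the `if(u_flag)` mapping to RSS_UNSAFE_LU; the declaration of u_flag and the branch in the option loop that sets it on `-u` are outside the hunk, and if they were left in place a caller who still passes `service -u update ...` is now silently given an ordinary safe update instead of an error. Either remove the `-u` parsing entirely so it falls through to the existing usage error, or reject it explicitly, e.g. `if(u_flag) print_usage(argv[0], "unsafe updates are no longer supported");` — I cannot tell from these hunks which of the two the commit does. The print_usage format now carries seventeen `%s` inside the option bracket and seventeen OPT_* arguments, so the format and argument list still agree. parse_arguments starts before the last hunk and continues after it.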


@ -43,12 +43,11 @@ Interface to the reincarnation server
#define RSS_FORCE_INIT_DEFCB 0x2000 /* force default cb at initialization time (for debugging) */
#define RSS_SYS_BASIC_CALLS 0x4000 /* include basic kernel calls */
#define RSS_VM_BASIC_CALLS 0x8000 /* include basic vm calls */
#define RSS_UNSAFE_LU 0x10000 /* allow unsafe update */
#define RSS_NOMMAP_LU 0x20000 /* don't inherit mmapped regions */
#define RSS_DETACH 0x40000 /* detach on update/restart */
#define RSS_NORESTART 0x80000 /* don't restart */
#define RSS_FORCE_INIT_ST 0x100000 /* force state transfer at initialization time */
#define RSS_NO_BIN_EXP 0x200000 /* suppress binary exponential offset */
#define RSS_NOMMAP_LU 0x10000 /* don't inherit mmapped regions */
#define RSS_DETACH 0x20000 /* detach on update/restart */
#define RSS_NORESTART 0x40000 /* don't restart */
#define RSS_FORCE_INIT_ST 0x80000 /* force state transfer at initialization time */
#define RSS_NO_BIN_EXP 0x100000 /* suppress binary exponential offset */
/* Common definitions. */
#define RS_NR_CONTROL 8
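Review bot: Renumbering the surviving RSS_* bits (RSS_NOMMAP_LU takes over the old RSS_UNSAFE_LU value 0x10000 and every higher flag shifts down one bit) changes the encoding of rss_flags, which is a bitmask handed from the service command to RS across a process boundary. A client built against the previous header would have its RSS_NOMMAP_LU (0x20000) read by the new RS as RSS_DETACH, and a stale unsafe request (0x10000) would now be taken as NOMMAP rather than ignored. Leaving the vacated bit unused, e.g. `/* 0x10000: formerly RSS_UNSAFE_LU, reserved; do not reuse */`, and keeping the other values unchanged costs nothing and makes an unknown bit fall through as ignored instead of being reinterpreted. This only matters if RS and its clients can come from different builds, but live update of RS itself is one way that can happen.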


@ -237,9 +237,8 @@ int sef_cb_lu_response_rs_reply(message *m_ptr);
#define SEF_LU_INCLUDES_VM 0x0800 /* the update includes VM */
#define SEF_LU_INCLUDES_RS 0x1000 /* the update includes RS */
#define SEF_LU_PREPARE_ONLY 0x2000 /* prepare only, no actual update taking place */
#define SEF_LU_UNSAFE 0x4000 /* unsafe update, rollback may not be possible */
#define SEF_LU_NOMMAP 0x8000 /* update doesn't inherit mmapped regions */
#define SEF_LU_DETACHED 0x10000 /* update detaches the old instance */
#define SEF_LU_NOMMAP 0x4000 /* update doesn't inherit mmapped regions */
#define SEF_LU_DETACHED 0x8000 /* update detaches the old instance */
#define SEF_LU_IS_IDENTITY_UPDATE(F) (((F) & (SEF_LU_SELF|SEF_LU_NOMMAP|SEF_LU_ASR|SEF_INIT_ST)) == SEF_LU_SELF)
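Review bot: The SEF_LU_* renumbering crosses the RS-to-service boundary during a live update: the running instance that receives the prepare request was built against whatever sef.h existed at its build time, and one built against the previous header reads the new SEF_LU_NOMMAP (0x4000) as SEF_LU_UNSAFE and the new SEF_LU_DETACHED (0x8000) as SEF_LU_NOMMAP. Keeping 0x8000 and 0x10000 for NOMMAP and DETACHED and reserving the vacated bit (`/* 0x4000: formerly SEF_LU_UNSAFE, reserved; do not reuse */`) avoids that misread with no functional cost. SEF_LU_IS_IDENTITY_UPDATE on the last line refers to the flags by name and is unaffected either way.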


@ -578,9 +578,6 @@ int do_update(message *m_ptr)
if(rs_start.rss_flags & RSS_ASR_LU) {
lu_flags |= SEF_LU_ASR;
}
if(rs_start.rss_flags & RSS_UNSAFE_LU) {
lu_flags |= SEF_LU_UNSAFE;
}
if(!prepare_only && (rs_start.rss_flags & RSS_DETACH)) {
lu_flags |= SEF_LU_DETACHED;
}


@ -65,7 +65,7 @@ void rupdate_add_upd(struct rprocupd* rpupd)
rupdate.num_rpupds++;
/* Propagate relevant flags from the new descriptor. */
lu_flags = rpupd->lu_flags & (SEF_LU_INCLUDES_VM|SEF_LU_INCLUDES_RS|SEF_LU_UNSAFE|SEF_LU_MULTI);
lu_flags = rpupd->lu_flags & (SEF_LU_INCLUDES_VM|SEF_LU_INCLUDES_RS|SEF_LU_MULTI);
if(lu_flags) {
RUPDATE_ITER(rupdate.first_rpupd, prev_rpupd, walk_rpupd,
walk_rpupd->lu_flags |= lu_flags;
@ -95,7 +95,7 @@ void rupdate_set_new_upd_flags(struct rprocupd* rpupd)
/* Propagate relevant flags from last service under update (if any). */
if(rupdate.last_rpupd) {
int lu_flags = rupdate.last_rpupd->lu_flags & (SEF_LU_INCLUDES_VM|SEF_LU_INCLUDES_RS|SEF_LU_UNSAFE);
int lu_flags = rupdate.last_rpupd->lu_flags & (SEF_LU_INCLUDES_VM|SEF_LU_INCLUDES_RS);
rpupd->lu_flags |= lu_flags;
rpupd->init_flags |= lu_flags;
}
@ -886,16 +886,6 @@ void end_update_debug(char *file, int line,
exit(1);
}
/* If VM is updated as part of a multi-component live update and something
* goes wrong after VM has completed initialization, rollback is only
* supported in a best-effort way in unsafe mode. The new VM instance might
* have important state changes that won't be reflected in the old version
* once we rollback.
*/
if(result != OK && RUPDATE_IS_UPD_VM_MULTI() && RUPDATE_IS_VM_INIT_DONE() && (rupdate.vm_rpupd->lu_flags & SEF_LU_UNSAFE)) {
printf("RS: Warning rollbacking in unsafe multi-component update including VM!\n");
}
/* Handle prepare-only services first: simply cancel the update. */
RUPDATE_ITER(rupdate.first_rpupd, prev_rpupd, rpupd,
if(UPD_IS_PREPARING_ONLY(rpupd)) {
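Review bot: rupdate_add_upd and rupdate_set_new_upd_flags each keep their own hand-written mask of flags to propagate, and this change has to edit both by hand; they already differ only in SEF_LU_MULTI, so a single named mask such as `#define SEF_LU_PROPAGATED_FLAGS (SEF_LU_INCLUDES_VM|SEF_LU_INCLUDES_RS)` used in both (with `|SEF_LU_MULTI` added in rupdate_add_upd) would stop the next flag change from landing in only one of them. The block deleted from end_update_debug was also the only written record that rolling back after VM has initialised in a multi-component update was best-effort; if the always-on IPC filtering in VM now makes that rollback reliable, a one-line comment at that spot (`/* VM accepts only VM_BRK/VM_INFO while updating, so rolling back after VM init is safe. */`) would preserve the rationale, and if it does not, the warning should stay. end_update_debug starts before the hunk and continues after it.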


@ -189,11 +189,11 @@ char* srv_upd_to_string(struct rprocupd *rpupd)
#define srv_upd_luflag_c(F) (rpupd->lu_flags & F ? '1' : '0')
#define srv_upd_iflag_c(F) (rpupd->init_flags & F ? '1' : '0')
sprintf(srv_upd_string, "update (lu_flags(SAMPUNDRV)=%c%c%c%c%c%c%c%c%c, init_flags=(FCTD)=%c%c%c%c, state %d (%s), tm %lu, maxtime %lu, endpoint %d, state_data_gid %d, prev_ep %d, next_ep %d)",
sprintf(srv_upd_string, "update (lu_flags(SAMPNDRV)=%c%c%c%c%c%c%c%c, init_flags=(FCTD)=%c%c%c%c, state %d (%s), tm %lu, maxtime %lu, endpoint %d, state_data_gid %d, prev_ep %d, next_ep %d)",
srv_upd_luflag_c(SEF_LU_SELF), srv_upd_luflag_c(SEF_LU_ASR),
srv_upd_luflag_c(SEF_LU_MULTI), srv_upd_luflag_c(SEF_LU_PREPARE_ONLY),
srv_upd_luflag_c(SEF_LU_UNSAFE), srv_upd_luflag_c(SEF_LU_NOMMAP),
srv_upd_luflag_c(SEF_LU_DETACHED), srv_upd_luflag_c(SEF_LU_INCLUDES_RS),
srv_upd_luflag_c(SEF_LU_NOMMAP), srv_upd_luflag_c(SEF_LU_DETACHED),
srv_upd_luflag_c(SEF_LU_INCLUDES_RS),
srv_upd_luflag_c(SEF_LU_INCLUDES_VM), srv_upd_iflag_c(SEF_INIT_FAIL),
srv_upd_iflag_c(SEF_INIT_CRASH), srv_upd_iflag_c(SEF_INIT_TIMEOUT),
srv_upd_iflag_c(SEF_INIT_DEFCB), rpupd->prepare_state,
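Review bot: The rewritten sprintf into srv_upd_string carries no length bound, and since this hunk already reshapes both the format and its argument list it is the natural moment to make it `snprintf(srv_upd_string, sizeof(srv_upd_string), ...)` — assuming srv_upd_string is a fixed-size array, which its declaration outside the hunk would confirm. The format still matches its arguments (eight `%c` for the eight lu_flags, four for init_flags, legend updated to SAMPNDRV), but the legend and the argument order are tied together only by convention, so a comment above the call spelling the order out (`/* lu_flags legend: Self, Asr, Multi, Prepare-only, Nommap, Detached, includes-Rs, includes-Vm */`) would protect the next edit. srv_upd_to_string starts before the hunk and continues after it.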


@ -617,10 +617,6 @@ static int sef_cb_init_vm_multi_lu(int type, sef_init_info_t *info)
num_elements = 0;
ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE;
ipc_filter[num_elements++].m_source = RS_PROC_NR;
if(info->flags & SEF_LU_UNSAFE) {
ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE;
ipc_filter[num_elements++].m_source = ANY_TSK;
}
if((r = sys_safecopyfrom(RS_PROC_NR, info->rproctab_gid, 0,
(vir_bytes) rprocpub, NR_SYS_PROCS*sizeof(struct rprocpub))) != OK) {
panic("sys_safecopyfrom failed: %d", r);
@ -635,28 +631,18 @@ static int sef_cb_init_vm_multi_lu(int type, sef_init_info_t *info)
* are blocked intentionally, as handling these would
* prevent VM from being able to roll back.
*/
ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE;
ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE | IPCF_MATCH_M_TYPE;
ipc_filter[num_elements].m_source = rprocpub[i].old_endpoint;
if(!(info->flags & SEF_LU_UNSAFE)) {
ipc_filter[num_elements].flags |= IPCF_MATCH_M_TYPE;
ipc_filter[num_elements].m_type = VM_BRK;
}
num_elements++;
ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE;
ipc_filter[num_elements++].m_type = VM_BRK;
ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE | IPCF_MATCH_M_TYPE;
ipc_filter[num_elements].m_source = rprocpub[i].new_endpoint;
if(!(info->flags & SEF_LU_UNSAFE)) {
ipc_filter[num_elements].flags |= IPCF_MATCH_M_TYPE;
ipc_filter[num_elements].m_type = VM_BRK;
}
num_elements++;
if(!(info->flags & SEF_LU_UNSAFE)) {
ipc_filter[num_elements++].m_type = VM_BRK;
ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE | IPCF_MATCH_M_TYPE;
ipc_filter[num_elements].m_source = rprocpub[i].old_endpoint;
ipc_filter[num_elements++].m_type = VM_INFO;
ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE | IPCF_MATCH_M_TYPE;
ipc_filter[num_elements].m_source = rprocpub[i].new_endpoint;
ipc_filter[num_elements++].m_type = VM_INFO;
}
/* Make sure we can talk to any RS instance. */
if(rprocpub[i].old_endpoint == RS_PROC_NR) {
ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE;
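Review bot: The four filter entries added per service in the loop are now textual copies differing only in endpoint and message type, and none of them checks that num_elements is still below the capacity of ipc_filter, whose declaration is outside the hunk; with four entries per rprocpub entry plus the RS entries, a bound check would keep the filter from overrunning if NR_SYS_PROCS or the per-service entry count grows. A small local helper that sets flags, source and type in one place and asserts the bound would remove the repetition and put the check where every entry passes through it; the sizeof form below assumes ipc_filter is a local array. sef_cb_init_vm_multi_lu starts before the first hunk and continues after the second.
```c
/* Accept exactly this (source, type) pair; anything else from these endpoints
 * is deliberately dropped so VM can still roll back. */
#define ADD_FILTER_EL(src, type) do { \
	assert(num_elements < (int)(sizeof(ipc_filter) / sizeof(ipc_filter[0]))); \
	ipc_filter[num_elements].flags = IPCF_MATCH_M_SOURCE | IPCF_MATCH_M_TYPE; \
	ipc_filter[num_elements].m_source = (src); \
	ipc_filter[num_elements].m_type = (type); \
	num_elements++; \
} while (0)

/* … unchanged: RS entry, rproctab copy, loop over rprocpub[i] … */
ADD_FILTER_EL(rprocpub[i].old_endpoint, VM_BRK);
ADD_FILTER_EL(rprocpub[i].new_endpoint, VM_BRK);
ADD_FILTER_EL(rprocpub[i].old_endpoint, VM_INFO);
ADD_FILTER_EL(rprocpub[i].new_endpoint, VM_INFO);
/* … unchanged: RS_PROC_NR old/new endpoint entries … */
```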


@ -237,7 +237,6 @@ multi_lu_test_one() {
local ret=0
local index=0
local once_index=2
local force_unsafe=""
lu_opts=${lu_opts:-}
lu_maxtime=${lu_maxtime:-3HZ}
@ -249,13 +248,9 @@ multi_lu_test_one() {
for label in ${labels}
do
index=`expr $index + 1`
force_unsafe=""
if [ "x$label" = "xvm" ]
then
# VM doesn't support safe LU, nor rollbacks for now
force_unsafe="-u"
if echo "${lu_opts_once}" | grep -q -E -- '-(x|y|z)'
then
continue
@ -264,9 +259,9 @@ multi_lu_test_one() {
if [ $index -eq $once_index ]
then
service ${lu_opts_once} ${force_unsafe} -q update self -label ${label} -maxtime ${lu_maxtime_once} -state ${lu_state_once} || ret=1
service ${lu_opts_once} -q update self -label ${label} -maxtime ${lu_maxtime_once} -state ${lu_state_once} || ret=1
else
service ${lu_opts} ${force_unsafe} -q update self -label ${label} -maxtime ${lu_maxtime} -state ${lu_state} || ret=1
service ${lu_opts} -q update self -label ${label} -maxtime ${lu_maxtime} -state ${lu_state} || ret=1
fi
done
service sysctl upd_run
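Review bot: With force_unsafe gone, the `continue` that skips vm whenever lu_opts_once contains -x, -y or -z has lost its only explanation, because the comment that justified it (`# VM doesn't support safe LU, nor rollbacks for now`) was removed together with the `-u` assignment. If the skip is still needed because VM cannot roll back from a forced init crash, failure or timeout, say exactly that on the `if` (`# VM cannot roll back a forced init failure yet; skip the -x/-y/-z variants for it`); if safe mode now makes VM rollback work, the skip may be removable so the test actually exercises it, which is worth checking rather than leaving the gap untested in silence. multi_lu_test_one starts before the first hunk and continues after the last.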