Re: [Xen-devel] [PATCH for 4.9] vif-common.sh: Have iptables wait for the xtables lock

Tue, 06 Jun 2017 09:48:41 -0700 

On Tue, Jun 06, 2017 at 05:28:58PM +0100, Julien Grall wrote:
> Hi George,
> 
> On 05/06/17 12:03, George Dunlap wrote:
> > Forgot to cc' the release manager.
> > 
> > On Mon, Jun 5, 2017 at 11:02 AM, George Dunlap <george.dun...@citrix.com> 
> > wrote:
> > > iptables has a system-wide lock on the xtables.  Strangely though, in
> > > the case of two concurrent invocations, the default is for the
> > > instance not grabbing the lock to exit out rather than waiting for it.
> > > This means that when starting a large number of guests in parallel,
> > > many will fail out with messages like this:
> > > 
> > >   2017-05-10 11:45:40 UTC libxl: error: libxl_exec.c:118: 
> > > libxl_report_child_exitstatus: /etc/xen/scripts/vif-bridge remove [18767] 
> > > exited with error status 4
> > >   2017-05-10 11:50:52 UTC libxl: error: libxl_exec.c:118: 
> > > libxl_report_child_exitstatus: /etc/xen/scripts/vif-bridge offline [1554] 
> > > exited with error status 4
> > > 
> > > In order to instruct iptables to wait for the lock, you have to
> > > specify '-w'.  Unfortunately, not all versions of iptables have the
> > > '-w' option, so on first invocation check to see if it accepts the -w
> > > command.
> > > 
> > > Reported-by: Antony Saba <aws...@gmail.com>
> > > Signed-off-by: George Dunlap <george.dun...@citrix.com>
> > > ---
> > > CC: Ian Jackson <ian.jack...@eu.citrix.com>
> > > CC: Wei Liu <wei.l...@citrix.com>
> > > ---
> > >  tools/hotplug/Linux/vif-common.sh | 38 
> > > +++++++++++++++++++++++++++++++++++---
> > >  1 file changed, 35 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/tools/hotplug/Linux/vif-common.sh 
> > > b/tools/hotplug/Linux/vif-common.sh
> > > index 6e8d584..29cd8dd 100644
> > > --- a/tools/hotplug/Linux/vif-common.sh
> > > +++ b/tools/hotplug/Linux/vif-common.sh
> > > @@ -120,6 +120,38 @@ fi
> > >  ip=${ip:-}
> > >  ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")
> > > 
> > > +IPTABLES_WAIT_RUNE="-w"
> > > +IPTABLES_WAIT_RUNE_CHECKED=false
> > > +
> > > +# When iptables introduced locking, in the event of lock contention,
> > > +# they made "fail" rather than "wait for the lock" the default
> > > +# behavior.  In order to select "wait for the lock" behavior, you have
> > > +# to add the '-w' parameter.  Unfortinately, both the locking and the
> 
> NIT: s/Unfortinately/Unfortunately/
> 
> Release-acked-by: Julien Grall <julien.gr...@arm.com>
> 

Fixed the typo and committed to staging and staging-4.9.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Reply via email to