[libvirt] [PATCH v2 3/4] Add a mutex to serialize updates to firewall

Stefan Berger stefanb at linux.vnet.ibm.com
Tue Jan 28 12:31:04 UTC 2014 

On 01/28/2014 06:15 AM, Daniel P. Berrange wrote:
> On Mon, Jan 27, 2014 at 04:50:56PM -0500, Stefan Berger wrote:
>> On 01/27/2014 12:18 PM, Daniel P. Berrange wrote:
>>> The nwfilter conf update mutex previously serialized
>>> updates to the internal data structures for firewall
>>> rules, and updates to the firewall itself. Since the
>> Hm, wasn't aware (anymore) of this double-purpose.
> It wasn't entirely clear to me either, but I am right in
> believing that it isn't safe to have multiple threads all
> creating iptables rules for different VMs at the same
> time, aren't I ?

At least one thread shouldn't try to instantiate filters for one (VM) 
interface while another one tears them down. So that would be 
serialization per interface. I think instantiation of filters could be 
done concurrently for different interfaces, but not the execution of the 
iptables commands themselves, though. The latter is locking that needs 
to be done by the ebtables/iptables driver and that driver does 
serialize the execution of all scripts using the execCLIMutex. The 
ebtables and iptables rules are created on a per-interface basis, all 
hooking into some form of 'root' chains. The critical part here is that 
the 'root' chains can be accessed concurrently by different interfaces 
-- from what I can tell is that all the scripts that are run by the 
eb/iptables driver only need to be serialized and that is done with that 
execCLIMutex. So we should be fine from that perspective.

At least locking on a per-interface basis is already happening in the 
'gentech' driver:


nwfilter_gentech_driver.c::virNWFilterInstantiate

[...]
         if (virNWFilterLockIface(ifname) < 0)
             goto err_exit;

         rc = techdriver->applyNewRules(ifname, nptrs, ptrs);

         if (teardownOld && rc == 0)
             techdriver->tearOldRules(ifname);

         if (rc == 0 && (virNetDevValidateConfig(ifname, NULL, ifindex) 
<= 0)) {
             virResetLastError();
             /* interface changed/disppeared */
             techdriver->allTeardown(ifname);
             rc = -1;
         }

         virNWFilterUnlockIface(ifname);
[...]



nwfilter_gentech_driver.c::_virNWFilterTeardownFilter

[...]
     if (virNWFilterLockIface(ifname) < 0)
        return -1;

     techdriver->allTeardown(ifname);

     virNWFilterIPAddrMapDelIPAddr(ifname, NULL);

     virNWFilterUnlockIface(ifname);
[...]


(Besides the above calls to the 'techdriver', there are others that call 
into the techdriver during the test phases of a filter updated. They 
hold the writer lock to the filter updates and with this block every 
concurrent thread then.)

I may be missing something subtle, but I think there is already enough 
serialization happening per interface.

>
>> I also hadn't looked at this patch in the first round...
>>
>>> former is going to be turned into a read/write lock
>>> instead of a mutex, a new lock is required to serialize
>>> access to the firewall itself.
>>>
>>> With this new lock, the lock ordering rules will be
>>> for virNWFilter{Define,Undefine}
>>>
>>>        1. nwfilter driver lock
>>>        2. nwfilter update lock
>>
>> Insert: 3. nwfilter callback drivers lock
>>
>> This is then used in this order also by nwfilterStateReload
>>
>>
>>>        3. virt driver lock
>>>        4. domain object lock
>>>        5. gentech driver lock
>>>
>>> and VM start
>>>
>>>        1. nwfilter update lock
>>>        2. virt driver lock
>>>        3. domain object lock
>>>        4. gentech driver lock
>>>
>>> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
>>> ---
>>>   src/nwfilter/nwfilter_driver.c         |  4 +++-
>>>   src/nwfilter/nwfilter_gentech_driver.c | 19 +++++++++++++++++--
>>>   src/nwfilter/nwfilter_gentech_driver.h |  2 +-
>>>   3 files changed, 21 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/src/nwfilter/nwfilter_gentech_driver.c b/src/nwfilter/nwfilter_gentech_driver.c
>>> index 89913cf8..d500963 100644
>>> --- a/src/nwfilter/nwfilter_gentech_driver.c
>>> +++ b/src/nwfilter/nwfilter_gentech_driver.c
>>> @@ -936,6 +943,7 @@ _virNWFilterInstantiateFilter(virNWFilterDriverStatePtr driver,
>>>       int rc;
>>>
>>>       virNWFilterLockFilterUpdates();
>>> +    virMutexLock(&updateMutex);
>>
>> Since the filter updates lock had the two purposes before, you are
>> now introducing a separate lock to assign a purpose to each lock.
>> Further below you are preventing concurrent teardowns to this here.
>>
>> I am wondering how much further down this lock here could actually
>> be pushed. This and the other function
>> (virNWFilterInstantiateFilterLate) where you  place this lock are
>> calling __virNWFilterInstantiateFilter and nothing else calls that
>> function [and the filter read protection above the lock call will
>> remain]. So I think this lock could be placed inside
>> __virNWFilterInstantiateFilter(). Also looking at that function I am
>> not sure whether there is anything worth protecting using this newly
>> introduced lock then. It ends up calling virNWFilterInstantiate().
>> Here I would be a bit careful with the threads being started to
>> learn the IP addresses. So maybe this function could be the place
>> where to serialize access. What's your take?
> The callgraph showed the three entry points into this area of
> code look like:
>
> virNWFilterInstantiateFilterLate    virNWFilterInstantiateFilter virNWFilterTeardownFilter
>                   |                         |                       |
>                   +-------------------------|-----+                 |
>                   |            +------------+     |                 |
>                   |            |                  |                 |
>                   V            V                  V                 V
>            _virNWFilterInstantiateFilter       _virNWFilterTeardownFilter
>
> Looking at the code I don't see how it is safe to allow teardown to
> happen in parallel with instantiate. The teardown code could confuse
> and conflict with the instantiate code causing it to fail I believe.

I agree. These two need to per serialized. But do they need to be 
serialized on a per-interface basis only or as a whole? In the latter 
case I think a more global lock should now go into the ebtables/iptables 
driver rather than this one here, but I think it wouldn't be necessary.

> In particular a VM could exit causing QEMU to request teardown, while
> the DHCP snoop thread is in the middle of re-creating the iptables
> ruleset for a VM, so we surely require serialization of modifications
> to iptables.
>
> I could, push the locking down one level, but it wouldn't change the
> level of serialization, and the lock calls are clearer at the level
> of the code I have them I believe.

Let me look at the locking for a bit and I'll try to get back to you as 
soon as I can.

    Stefan

More information about the libvir-list mailing list