Bug 865336

Summary: RFE: add werror=stop,rerror=stop to -drive parameter in QEMU command line (so VMs will pause upon IO errors)
Product: Red Hat OpenStack
Component: openstack-nova
Version: 1.0 (Essex)
Status: CLOSED NOTABUG
Severity: high
Priority: unspecified
Reporter: Yaniv Kaul <ykaul>
Assignee: Solly Ross <sross>
QA Contact: Ami Jeain <ajeain>
CC: apevec, berrange, dallan, jkt, kchamart, markmc, yeylon
Target Milestone: beta
Target Release: 4.0
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Type: Bug
Last Closed: 2013-06-11 14:07:26 EDT

Description Yaniv Kaul 2012-10-11 05:09:38 EDT
Description of problem:
Unless this is the default of downstream QEMU, we should have the VM pause upon IO errors to prevent data loss.

Version-Release number of selected component (if applicable):
Essex

Comment 2 Alan Pevec 2012-12-13 12:16:41 EST
What would be the recovery action / alert to the user?
Comment 3 Dave Allan 2013-04-30 11:27:17 EDT
Dan, stop is the qemu default, right, so there's nothing needed here, is there?
Comment 4 Daniel Berrange 2013-04-30 11:30:02 EDT
Yeah, but the bigger question is what to do when this situation occurs. Just marking the VM as paused in libvirt is not a full solution.
Comment 5 Dave Allan 2013-04-30 13:43:31 EDT
What needs to happen?
Comment 6 Daniel Berrange 2013-05-01 03:40:07 EDT
I don't know - that's what someone needs to figure out.
Comment 8 Solly Ross 2013-06-03 09:56:31 EDT
According to the official qemu documentation (http://qemu.weilnetz.de/qemu-doc.html, linked from qemu.org), the default flags are werror=enospc and rerror=report, meaning report read errors to guest and on write errors pause qemu if host disk is full, otherwise report them to the guest.

HOWEVER:

This is supported via libvirt's error_policy (for both, override read error policy with rerror_policy) on the driver tag for the disk specification.  According to the libvirt doc, the default setting for libvirt is REPORT (I'm guessing that libvirt actually passes these to qemu, so the qemu defaults are moot).

So, injecting it into the configuration should be pretty easy, but we probably also want to provide a configuration option.  As for state, perhaps we could use the metadata tag (http://libvirt.org/formatdomain.html#elementsMetadata) and have to store a flag, but we'd need to figure out how to detect if the stopping of the VM was intentional or accidental (we could manually set the flag to "on_purpose" whenever we intentionally shut down the VM, then look and see if the VM is shut down but on_purpose is not set).
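Added example, not part of the original comment and not Nova's code: a Python helper that reads the error_policy and rerror_policy attributes mentioned above from a libvirt domain XML and sets them on each disk's driver element. The sample XML and function names are constructed for this example, and the rule that enospace does not carry over to reads is taken from libvirt's formatdomain documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not taken from the bug report).
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>demo</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' error_policy='enospace'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <target dev='hdc' bus='ide'/>
    </disk>
  </devices>
</domain>
"""
WRITE_POLICIES = {"stop", "report", "ignore", "enospace"}
READ_POLICIES = {"stop", "report", "ignore"}

def disk_policies(domain_xml):
    """Map target dev -> (write policy, read policy); None = not set in the XML."""
    result = {}
    for disk in ET.fromstring(domain_xml).iter("disk"):
        drv = disk.find("driver")
        write = drv.get("error_policy") if drv is not None else None
        read = drv.get("rerror_policy") if drv is not None else None
        if read is None and write in READ_POLICIES:
            read = write  # error_policy covers reads unless rerror_policy overrides it
        result[disk.find("target").get("dev")] = (write, read)
    return result

def set_policy(domain_xml, error_policy="stop", rerror_policy=None):
    """Return XML with the policy set on every <disk> that has a <driver>."""
    if error_policy not in WRITE_POLICIES:
        raise ValueError("bad error_policy: %r" % error_policy)
    if rerror_policy is not None and rerror_policy not in READ_POLICIES:
        raise ValueError("bad rerror_policy: %r" % rerror_policy)
    root = ET.fromstring(domain_xml)
    for drv in root.findall("./devices/disk/driver"):
        drv.set("error_policy", error_policy)
        drv.attrib.pop("rerror_policy", None)  # drop any stale read override
        if rerror_policy is not None:
            drv.set("rerror_policy", rerror_policy)
    return ET.tostring(root, encoding="unicode")
```

Disks without a driver element (the cdrom in the sample) are left untouched, so the audit still reports them as unset after the change.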
Comment 9 Solly Ross 2013-06-06 16:35:34 EDT
(ping -- see above)
Comment 10 Solly Ross 2013-06-10 12:48:25 EDT
Bug added upstream: https://bugs.launchpad.net/nova/+bug/1189543 (no review id yet, though)
Comment 11 Solly Ross 2013-06-11 14:07:26 EDT
Polled upstream, consensus was WORKS AS INTENDED --

The thought was that this would be confusing for people running software in VMs (why is my VM suddenly stopped when I have code inside to handle IO errors) and that much existing software would rather just have the default (REPORT), and have the guest software (OS, database, etc) deal with the IO errors instead.