Date: Wed, 20 Feb 2013 00:26:19 +0200 From: Andriy Gapon <avg@FreeBSD.org> To: Alfred Perlstein <bright@mu.org> Cc: "arch@freebsd.org" <arch@FreeBSD.org>, Poul-Henning Kamp <phk@phk.freebsd.dk> Subject: Re: request for preliminary review, enhanced watchdog. Message-ID: <5123FC0B.3020503@FreeBSD.org> In-Reply-To: <511AE9C4.4030301@mu.org> References: <511AE9C4.4030301@mu.org>
next in thread | previous in thread | raw e-mail | index | archive | help
on 13/02/2013 03:17 Alfred Perlstein said the following: > At work we've had some issues with superfluous watchdog timeouts firing. > > Since we use an ipmi/external watchdog the system is completely reset and we are > unable to gather metrics. > > I investigated the issue and then compared to what is offered by Linux and > decided to crib from their API such that we can benefit from an enhanced watchdog. > > I have a WIP at this time in a branch that I would hope people could weigh in on > and review as well as make technical suggestions. Alfred, I think that this is very useful work. Some comments below. > The branch is located here: > svn+ssh://svn.freebsd.org/base/user/alfred/ewatchdog > > The easy way to get changes: > svn log --stop-on-copy svn+ssh://svn.freebsd.org/base/user/alfred/ewatchdog > > 1) Support for pre-watchdog timeout. This means that so long as the kernel is > somewhat functional (callouts are working) we can trigger a configurable action > (panic,ddb,log) if the watchdog program is otherwise hung. I see where this can be useful. The unfortunate drawback which you mentioned is that the solution is "semi-reliable" - it won't help much if a hang is such that the callouts no longer fire. But it could be still desirable to obtain something for postmortem analysis even in that condition. > 2) Support for built-in software watchdog that has the same options > (panic,ddb,log) if the watchdog times out. This is useful for prototyping and > was done instead of using the SW_WATCHDOG in kern_clock.c because of the ease of > working the code into watchdog.c versus communication via the EVENTHANDLER api. I see why you chose (or had to choose) this option, but this is kind of unfortunate - more below. > 3) Support for Linux-like API. (WDIOC_GETTIMELEFT, > WDIOC_SETTIMEOUT,WDIOC_GETTIMEOUT, etc) I haven't looked at the complete Linux API, but from you quote above - what are the Linux and potential FreeBSD use-cases for the ioctls like GETTIMELEFT and GETTIMEOUT? > 4) Modifications to watchdogd(8): > - Warn if the watchdog program takes too long. > - Disable activation of the system watchdog so that one can test the > watchdogd script > without potentially rebooting the system. > - Ability to log to syslog when scripts begin to timeout. > - When told to measure time, do not unconditionally nap for 'sleep' seconds, > instead adjust > the naptime by the elapsed time so as not to trigger the watchdog. I don't have anything to say about the userland part. In general these new things sound useful. > I've not yet hooked in the optional pre-timeout code into watchdogd(8) but plan > on doing so later in the week. > > It would be really helpful if we could decide on a way of selecting which > watchdogs to arm/fire and how to query them. I may adopt the Linux API unless > someone has alternative suggestions that make a strong enough case to forge our > own API. Again, I haven't examined Linux API, so I can't say much about it. The following is how I imagine our watchdog infrastructure. I think that we should have some quality and feature flags associated with various watchdog drivers (somewhat similarly to e.g. eventtimers), which would describe things like: - I am implemented in software or hardware - I am able to generate system reset - I am able to generate a "hard" debug event (NMI) - (for software wd) I work via NMIs or regular interrupts Then ,I think that watchdogd should support at least two timeouts: for debug watchdog and reset watchdog. The ioctl interface should of course support setting timeouts per watchdog type. This way a user should be able to specify a timeout (e.g. 10 seconds) for a debug watchdog with an intent of dumping a core (or other debugging action) and a different timeout (say 60 seconds) for a reset watchdog, which should make sure in a fail-safe manner that a system doesn't get stuck in the debug/dump/etc code. Then, the kernel should auto-select the best watchdog driver for each of the watchdog classes. But sysctl interface should allow a user to override the selection in case that there are multiple drivers with sufficient capabilities. Also, and only partially related to your WIP, I think that it is long overdue that we got a software watchdog driven by (periodic) NMIs as opposed to SW_WATCHDOG (or your "callout" "watchdog" [in quotes only because it is not implemented as a real watchdog(9) driver, but is blended into the infrastructure]) that is driven by regular timer interrupts. My opinion is that such infrastructure could be more powerful and flexible (and reliable) than what you currently have in the branch. We could let a multitude of watchdog drivers co-exist and "cooperate" by ensuring that each of them does its special part of the overall job. Of course, it requires more work too. -- Andriy Gapon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5123FC0B.3020503>