[pve-devel] [PATCH firewall 1/7] configs: add locking helpers

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Apr 29 11:45:14 CEST 2020 

On 4/29/20 10:52 AM, Fabian Grünbichler wrote:
> to allow some level of safe concurrent config modification, instead of
> the current free for all.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> 
> Notes:
>     require pve-cluster that provides cfs_lock_firewall, or switching to
>     cfs_lock_domain as mentioned in pve-cluster#1
>     
>     lock_hostfw_conf could also use a node-local lock, but IMHO it's easier to have
>     the same locking semantics/interface across all three levels (especially if we
>     do the second patch in pve-cluster).
>     
>     it's easy enough to switch out though.

Hmm, are you aware that cfs_locks only protect from other nodes, and not
intra-node? I.e., if one process of the node has the lock any other can
aquire it too, just no other node can.

That's the reason for my a bit special corosync config change lock:
https://git.proxmox.com/?p=pve-cluster.git;a=blob;f=data/PVE/API2/ClusterConfig.pm;h=7a4bce07169c15cfe982ea34f2c238ad6ee4abf7;hb=HEAD#l188

> 
>  src/PVE/Firewall.pm | 32 ++++++++++++++++++++++++++++++++
>  1 file changed, 32 insertions(+)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index d22b15a..eda39eb 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -3053,6 +3053,8 @@ sub generic_fw_config_parser {
>      return $res;
>  }
>  
> +# this is only used to prevent concurrent runs of rule compilation/application
> +# see lock_*_conf for cfs locks protectiong config modification
>  sub run_locked {
>      my ($code, @param) = @_;
>  
> @@ -3101,6 +3103,18 @@ sub read_local_vm_config {
>      return $vmdata;
>  };
>  
> +sub lock_vmfw_conf {
> +    my ($vmid, $timeout, $code, @param) = @_;
> +
> +    die "can't lock VM firewall config for undefined VMID\n"
> +	if !defined($vmid);
> +
> +    my $res = PVE::Cluster::cfs_lock_firewall("vm-$vmid", $timeout, $code, @param);
> +    die $@ if $@;
> +
> +    return $res;
> +}
> +
>  sub load_vmfw_conf {
>      my ($cluster_conf, $rule_env, $vmid, $dir) = @_;
>  
> @@ -3448,6 +3462,15 @@ my $set_global_log_ratelimit = sub {
>      }
>  };
>  
> +sub lock_clusterfw_conf {
> +    my ($timeout, $code, @param) = @_;
> +
> +    my $res = PVE::Cluster::cfs_lock_firewall("cluster", $timeout, $code, @param);
> +    die $@ if $@;
> +
> +    return $res;
> +}
> +
>  sub load_clusterfw_conf {
>      my ($filename) = @_;
>  
> @@ -3511,6 +3534,15 @@ sub save_clusterfw_conf {
>      }
>  }
>  
> +sub lock_hostfw_conf {
> +    my ($timeout, $code, @param) = @_;
> +
> +    my $res = PVE::Cluster::cfs_lock_firewall("host-$nodename", $timeout, $code, @param);
> +    die $@ if $@;
> +
> +    return $res;
> +}
> +
>  sub load_hostfw_conf {
>      my ($cluster_conf, $filename) = @_;
>  
>

More information about the pve-devel mailing list