[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v5 23/28] xsplice: Stacking build-id dependency checking.

On 04/04/2016 09:01 PM, Konrad Rzeszutek Wilk wrote:

On Mon, Apr 04, 2016 at 09:00:00AM -0600, Jan Beulich wrote:

On 24.03.16 at 21:00, <konrad.wilk@xxxxxxxxxx> wrote:

@@ -929,6 +932,33 @@ being loaded and requires an hypervisor build-id to match 
against.
  The old code allows much more flexibility and an additional guard,
  but is more complex to implement.

+The second option which requires an build-id of the hypervisor
+is implemented in the Xen Project hypervisor.
+
+Specifically each payload has two build-id ELF notes:
+ * The build-id of the payload itself (generated via --build-id).
+ * The build-id of the payload it depends on (extracted from the
+   the previous payload or hypervisor during build time).
+
+This means that the very first payload depends on the hypervisor
+build-id.


So this is mean to be a singly linked chain, not something with
branches and alike, allowing independent patches to be applied
solely based on the base build ID? Is such a restriction not going


Correct.

to get in the way rather sooner than later?


Here is what the design doc says:

"
### xSplice interdependencies

xSplice patches interdependencies are tricky.

There are the ways this can be addressed:
  * A single large patch that subsumes and replaces all previous ones.
    Over the life-time of patching the hypervisor this large patch
    grows to accumulate all the code changes.
  * Hotpatch stack - where an mechanism exists that loads the hotpatches
    in the same order they were built in. We would need an build-id
    of the hypevisor to make sure the hot-patches are build against the
    correct build.
  * Payload containing the old code to check against that. That allows
    the hotpatches to be loaded indepedently (if they don't overlap) - or
    if the old code also containst previously patched code - even if they
    overlap.

The disadvantage of the first large patch is that it can grow over
time and not provide an bisection mechanism to identify faulty patches.

The hot-patch stack puts stricts requirements on the order of the patches
being loaded and requires an hypervisor build-id to match against.

The old code allows much more flexibility and an additional guard,
but is more complex to implement.

The second option which requires an build-id of the hypervisor
is implemented in the Xen Project hypervisor.

"

I was all for "old_code to check against" but that would incur quite a lot
of implementation. The 'stacking' (suggested by Martin) is much easier
to implement. I am hoping that in next major milestone the 'old code' checking
can be implemented such that the admin has the choice to use both.
I don't think checking old code provides any real safety though. What if the function I'm replacing is unchanged (so it passes the old code check) but it calls some other function whose behavior has changed?
It's somewhat telling that the publicly available binary patches for kSplice always use a linear stack of patches with dependency management done in userspace, despite having old code checking. What kSplice use in practice is exactly what is implemented here; a linear stack of patches using some sort of identifier (build-id/uuid). 

--
Ross Lagerwall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.