VMs do not reconnect networking after netvm's restart

[marmarek]

Reported by joanna on 2 Mar 2013 22:16 UTC
None

Migrated-From: https://wiki.qubes-os.org/ticket/722

[marmarek]

Modified by marmarek on 6 Aug 2013 03:24 UTC

[marmarek]

Modified by marmarek on 6 Aug 2013 03:24 UTC

[marmarek]

Comment by marmarek on 7 Aug 2013 15:45 UTC
This issue is harder than I though... So far identified problems:

1. xen-netback doesn't properly finalize device shutdown procedure (BTW not sure if there is defined procedure for backend-initiated shutdown), result:

xenbus_dev_shutdown: backend/vif/2/0 timeout closing device

and leaves backend xenstore state 5. Also backend doesn't set online to 0.
2. xen-netfront after forced remove (xenstore-rm /local/domain/X/device/vif/0) doesn't fully cleanup device state. Effect: after netvm restart and manual reconnect, device is immediately disconnected.
3. This all should be cleaned up by toolstack (libxl) at backend domain shutdown. But apparently it only take care of devices with frontend in just destroyed domain (not backend).

There is simple workaround:

qvm-prefs firewallvm -s netvm netvm

(note lack of setting netvm to "none" - it is intentional). Sometimes above needs to be executed twice (when the fist time timed out).

So I'm giving up with this ticket for now...

[marmarek]

Comment by marmarek on 7 Aug 2013 15:45 UTC
This issue is harder than I though... So far identified problems:

1. xen-netback doesn't properly finalize device shutdown procedure (BTW not sure if there is defined procedure for backend-initiated shutdown), result:

xenbus_dev_shutdown: backend/vif/2/0 timeout closing device

and leaves backend xenstore state 5. Also backend doesn't set online to 0.
2. xen-netfront after forced remove (xenstore-rm /local/domain/X/device/vif/0) doesn't fully cleanup device state. Effect: after netvm restart and manual reconnect, device is immediately disconnected.
3. This all should be cleaned up by toolstack (libxl) at backend domain shutdown. But apparently it only take care of devices with frontend in just destroyed domain (not backend).

There is simple workaround:

qvm-prefs firewallvm -s netvm netvm

(note lack of setting netvm to "none" - it is intentional). Sometimes above needs to be executed twice (when the fist time timed out).

So I'm giving up with this ticket for now...

[marmarek]

Comment by joanna on 16 Nov 2013 12:09 UTC
As an additional workaround we also now forbid to shutdown a vm if it's used as a netvm for other running vms. Also, the work-around given above works just fine, so I just added this to the wiki:

http://wiki.qubes-os.org/trac/wiki/QubesFirewall?action=diff&version=10&old_version=9

Closing.

[marmarek]

Comment by joanna on 16 Nov 2013 12:09 UTC
As an additional workaround we also now forbid to shutdown a vm if it's used as a netvm for other running vms. Also, the work-around given above works just fine, so I just added this to the wiki:

http://wiki.qubes-os.org/trac/wiki/QubesFirewall?action=diff&version=10&old_version=9

Closing.