feat: support hardware watchdog timers

[dsseng]

Pull Request

What? (description)

Add support for Linux hardware watchdog API and corresponding configuration values. Watchdog timer is armed and fed by a controller (is it reliable to be sure a ticker will tick fine as long as no hang occurs?).

Watchdog timer can help automatically restoring a bare metal/supported VM node after a hang caused by a software or hardware error.

Why? (reasoning)

Fixes #8284, approved by developers in the comments

Acceptance

Please use the following checklist:

• you linked an issue (if applicable)
• you included tests (not applicable due to small footprint and mainly being ioctl-centered)
• you ran conformance (make conformance - not done due to certainly being unrelated)
• you formatted your code (make fmt)
• you linted your code (make lint)
• you generated documentation (make docs)
• you ran unit-tests (make unit-tests)

See make help for a description of the available targets.

[dsseng]

We currently disable watchdog when quitting. systemd however allows for shutdown, reboot and kexec watchdogs to be set up to ensure power operations don't hang the system in inaccessible state. I could also do so if we clarify requirements for this and how are controllers being shut down during a restart or poweroff to be sure what timeout would be sane

[smira]

Controllers are terminated right before the reboot/shutdown (from the controller point of view, context will be cancelled).

[dsseng]

Okay, then I might add a prop for that after the first review. However shutdown/reboot watchdog won't be turned on by default as I'm not sure what are the safe values and they depend on target config.

[dsseng]

Why are the CI checks failing? Does conform/commit/gpg-identity require me to add a GPG key and re-sign commits using it?

[frezbo]

Why are the CI checks failing? Does conform/commit/gpg-identity require me to add a GPG key and re-sign commits using it?

You can ignore the gpg check, it needs to be signed by one of our devs

[dsseng]

Ok, would be happy to hear and address reviews then

[smira]

@dsseng your PR looks good to me, I would like to refactor some machine configuration stuff and probably see if we can do an integration test. I will find some time to look into that, but it might not be quick.

[dsseng]

No problem, I'll do needed improvements as soon as you request something. Thanks for reviewing!

[dsseng]

Note: kernel changes are required to load watchdog drivers, I haven't committed those yet

[smira]

we don't stop old ticker here... do we even need a ticker?

we could do something like https://github.com/cosi-project/runtime/blob/main/pkg/controller/runtime/internal/qruntime/internal/timer/resettable.go, but for Tickers

[dsseng]

Doesn't a ticker stop when GC'ed? Actually we can make use of resettable timer and reset it at each trigger, or develop an in-tree wrapper (or one contributed to the Cosi runtime) for ticker yes.

[dsseng]

Added ticker.Stop

[smira]

I meant to have a resettable Ticker here copying the approach from the above (to some extent).

The reason is that we don't want to have a ticker if there's no watchdog.

Or it could be implemented easier (there are plenty of examples in the codebase) by using a channel variable and setting it to nil when ticket is inactive.

[dsseng]

Will update the kernel once more and rebase/squash stuff

[smira]

@dsseng refactored controller a bit, other changes are config-related:

• moved configuration to a separate machine config document (we're slowly moving towards multi-doc)
• validation for the config, use proper time.Duration type
• introduced intermediate resource/controller to simplify the Watchdog controller

I will ask you to do integration test as a separate PR.

[smira]

/ok-to-test

[smira]

@dsseng added WatchdogTimerStatus, we can even try to read this:

All watchdog drivers are required return more information about the system,
some do temperature, fan and power level monitoring, some can tell you
the reason for the last reboot of the system.  The GETSUPPORT ioctl is
available to ask what the device can do:

	struct watchdog_info ident;
	ioctl(fd, WDIOC_GETSUPPORT, &ident);

the fields returned in the ident struct are:

        identity		a string identifying the watchdog driver
	firmware_version	the firmware version of the card if available
	options			a flags describing what the device supports

[frezbo]

i guess we also mention this is only available for amd64?

[dsseng]

It is available on aarch64. We actually had all drivers built-in previously, so I didn't have to modify aarch64 config except for sysfs

[frezbo]

oh, were they built in? I guess we need to keep them also as modules if not, just to be in parity with amd64 🤔 . I'm not so sure, @smira wdyt?

[dsseng]

https://github.com/siderolabs/pkgs/blob/6364d991db023e5f614cbbc450b4afd471e16203/kernel/build/config-arm64#L4441

Maybe some of those mustn't be modules due to the way they need to be probed, so that should be checked

[frezbo]

it supports PCI id database https://cateee.net/lkddb/web-lkddb/WATCHDOG.html, but we might hit other issue like we try to read before udev picks them up, I was more talking about these:

❯ grep IPMI_WA
kernel/build/config-arm64
3586:# CONFIG_IPMI_WATCHDOG is not set

kernel/build/config-amd64
3157:CONFIG_IPMI_WATCHDOG=m

❯ grep MFD_CORE
kernel/build/config-arm64
4514:CONFIG_MFD_CORE=y

kernel/build/config-amd64
3630:CONFIG_MFD_CORE=m

❯ grep SP5100
kernel/build/config-amd64
3581:CONFIG_SP5100_TCO=m

which are not consistent across amd64 and arm64

[smira]

we can fix it up, but it shouldn't be related to to this PR specifically.

I think arm64 in general needs a module cleanup the way I did for amd64 - try to make everything which can be a module to be a module.

arm64 kernel is not compressed, so moving to initramfs.xz is a good thing imho

[frezbo]

yeh, arm64 needs some cleanup

[dsseng]

SP5100 is AMD WDT, MFD is for Intel one, but IPMI might work for ARM. Regarding PCI ID DB: aarch64 WDTs are typically part of the SoC

[frezbo]

hmm why does eventsink need watchdogtimer method implemented?

[smira]

that's the way I implemented Runtime() config interface - all documents implement all methods, but return nil if it's not their thing. it might be good or bad idea, idk, but it is this way right now ;)

[dsseng]

@dsseng added WatchdogTimerStatus, we can even try to read this:

All watchdog drivers are required return more information about the system,
some do temperature, fan and power level monitoring, some can tell you
the reason for the last reboot of the system.  The GETSUPPORT ioctl is
available to ask what the device can do:

	struct watchdog_info ident;
	ioctl(fd, WDIOC_GETSUPPORT, &ident);

the fields returned in the ident struct are:

        identity		a string identifying the watchdog driver
	firmware_version	the firmware version of the card if available
	options			a flags describing what the device supports

We should probably report that using sysfs to also know timeout and timeleft

[smira]

We should probably report that using sysfs to also know timeout and timeleft

Timeout we already report (as we set it), while timeleft makes sense only in the moment, and the controller wakes up on feedInterval, so basically from controller point of view it's always timeleft == timeout, as we ping the watchdog.

[dsseng]

/m