On 08/22/2013 01:41 PM, Laszlo Ersek wrote:
> On 08/22/13 21:19, Paolo Bonzini wrote:
>> Il 22/08/2013 19:15, Laszlo Ersek ha scritto:
>>>> 2) On all versions, <on_crash> will only work if the element is there.
>>>
>>> I like this, because, if on_crash doesn't work without panic_notifier
>>> *at all*, then we can just drop panic_notifier, and make on_crash mean
>>> (on_crash && panic_notifier) in the original sense.
>>>
>>> IOW, drop "panic_notifier", and make "on_crash" work *always*.
>>
>> No, we cannot because of backwards compatibility.  VMs could have no
>> on_crash element (which means <on_crash>destroy</on_crash>) and yet the
>> guest admin could expect them to reboot on panic.
> 
> Ah. I thought "no on_crash" meant <on_crash>ignore</on_crash>, or
> something like that -- if on_crash was absent, the guest wouldn't see a
> working pvpanic device in ACPI, and wouldn't trigger the event in qemu.

Unfortunately, <on_crash>ignore</on_crash> does not exist in current
libvirt codebase, and <on_crash> is always present on output (if omitted
on input, it is present as <on_crash>destroy</on_crash> on output; but
MOST vms have it as <on_crash>restart</on_crash> thanks to
virt-install's defaults).

In short, libvirt's problem is that older libvirt basically ignored the
setting (whether default of destroy or set by virt-manager to restart),
BOTH of those common options are most sensibly implemented by having a
panic device, but adding a panic device is guest visible, and therefore
must be controlled by some NEW piece of XML.  If we add
<on_crash>ignore</on_crash, and teach virt-install to start using it,
that will help new guests, but won't change the problem for existing guests.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org