Re: [PATCH] migration: Apply migration specific keep-alive defaults to inet socket

["Daniel P. Berrangé" <berrange@redhat.com>]

On Tue, Sep 09, 2025 at 05:58:49PM -0400, Peter Xu wrote:
> On Tue, Sep 09, 2025 at 04:09:23PM +0100, Daniel P. Berrangé wrote:
> > On Tue, Sep 09, 2025 at 05:01:24PM +0200, Juraj Marcin wrote:
> > > From: Juraj Marcin <jmarcin@redhat.com>
> > > 
> > > Usual system defaults for TCP keep-alive options are too long for
> > > migration workload. On Linux, a TCP connection waits idle for 2 hours
> > > before it starts checking if the connection is not broken.
> > > 
> > > Now when InetSocketAddress supports keep-alive options [1], this patch
> > > applies migration specific defaults if they are not supplied by the user
> > > or the management software. With these defaults, a migration TCP stream
> > > waits idle for 1 minute and then sends 5 TCP keep-alive packets in 30
> > > second interval before considering the connection as broken.
> > > 
> > > System defaults can be still used by explicitly setting these parameters
> > > to 0.
> > 
> > IMHO this is not a good idea. This is a very short default, which
> > may be fine for the scenario where your network conn is permanently
> > dead, but it is going to cause undesirable failures when the network
> > conn is only temporarily dead.
> > 
> > Optimizing defaults for temporary outages is much more preferrable
> > as that maximises reliability of migration. In the case of permanent
> > outages, it is already possible to tear down the connection without
> > waiting for a keep-alive timeout, and liveliness checks can also be
> > perform by the mgmt app at a higher level too. The TCP keepalives
> > are just an eventual failsafe, and having those work on a long
> > timeframe is OK.
> 
> For precopy it looks fine indeed, because migrate_cancel should always work
> on src if src socket hanged, and even if dest QEMU socket hanged, it can
> simply be killed if src QEMU can be gracefully cancelled and rolled back to
> RUNNING, disregarding the socket status on dest QEMU.
> 
> For postcopy, we could still use migrate_pause to enforce src shutdown().
> Initially I thought we have no way of doing that for dest QEMU, but I just
> noticed two years ago I added that to dest QEMU for migrate_paused when
> working on commit f8c543e808f20b..  So looks like that part is covered too,
> so that if dest QEMU socket hanged we can also kick it out.
> 
> I'm not 100% sure though, on whether shutdown() would always be able to
> successfully kick out the hanged socket while the keepalive is ticking.  Is
> it guaranteed?

I don't know about shutdown(), but close() certainly works. If shutdown()
is not sufficient, then IMHO the migration code would need the ability to
use close() to deal with this situation.


> I also am not sure if that happens, whether libvirt would automatically do
> that, or provide some way so the user can trigger that.  The goal IIUC here
> is we shouldn't put user into a situation where the migration hanged but
> without any way to either cancel or recover.  With the default values Juraj
> provided here, it makes sure the hang won't happen more than a few minutes,
> which sounds like a sane timeout value.

Sufficient migration QMP commands should exist to ensure migration can
always be cancelled. Short keepalive timeouts should not be considered
a solution to any gaps in that respect.

Also there is yank, but IMHO apps shouldn't have to rely on yank - I see
yank as a safety net for apps to workaround limitations in QEMU.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|