Hardware Watchdog Device in pSeries?
alanr at unix.sh
Thu Oct 14 14:41:26 EST 2004
Linas Vepstas wrote:
> On Wed, Oct 13, 2004 at 03:30:02PM -0600, Alan Robertson was heard to remark:
>>Mike Strosaker wrote:
>>>Linas Vepstas wrote:
>>>>I might have volunteered to hack this up real quick, were it not for
>>>>Mike Strosaker's correction, that the surveillance featues were taken
>>>>out of Power5.
>>>>Anyone on this list know why?
>>>I sent the reason I got from the hardware RAS folks to this list a while
>>>Luckily, it's still in my sent mail folder:
>>>"Because of the virtualization layer and partitioning, the surveillance
>>>requirement was moved to PHYP<->SP. Apparently, this was a hotly
>>>contested issue among the platform design folks (especially considering
>>>partitioned power4 systems still have OS<->SP surveillance). I think
>>>is: If an OS goes down, its not likely a server problem, hence no
>>>to monitor from the server side.
>>>At least the platform gets notified of panics via os-term. I gather
>>>that some user space tools are expected to monitor for deadlocks/hangs
>>>(maybe clustering tools). "
>>This is about half-right.
>>There is one particular circumstance which can ONLY be monitored from a
> Heh. I think I can clarify, after talking to the firmware folks.
> The core thinking behind the the "platform architecture" was to make
> sure that the underlying hardware, i.e. the "platform" wasn't hung.
> They were not concerned about the OS itself; they assumed that OS'es
> have thier own independent mechanisms for detecting hung-ness.
>>From the platform point of view, they are concerned that they'll
> have a machine with a dozen different partitons on it (a dozen
> different OS'es), and a hardware hang will take down all twelve.
> So they've got the hypervisor and service processor montioring
> each other, keeping things humming. If just one partition goes
> down due to a kernel hang/crash, well, that's too bad, but its
> not the end of the world from the platform point of view.
And this is a great set of goals as far as they go. But, not sufficient
when looking at the platform as something which actually delivers services,
not just runs the hypervisor.
[[I guess I forgot to say that in addition to being the architect for IBM's
OSS Linux strategy and product, I worked for 21 years for Bell Labs on
highly reliable telecommunications systems before this. So, I have some
reasonable knowledge of how these kinds of things work in well-tested,
well-proven systems. Typically, telephone systems are considered extremely
reliable - because they follow a well-proven discipline of design. The
international telephone system is in effect the worlds largest
ultra-reliable computer. And, it has been since back when telephone
switches were made with discrete transistors - largely because of good HA
> I think Alan's point of view is from the other side of the table:
> why should someone buy 12 pci-card watchdogs, one for each partition,
> chewing up 12 pci slots, when the pSeries is already capable of doing
> watchdog functions? To add insult to injury, the sysadmin now needs
> to duct-tape each of the watchdog cards to some sort of kill-switch,
> to reboot a dead partition. The kill-switch needs to then ssh to
> the fsp or the hmc to start the reboot. So it gets pretty byzantine
> for something that could have been 'simple' and built-in. Never mind
> that the reliability goes down: the kill switch could fail, the
> pci watchdog card could fail (or get EEH'ed out), causing a reboot
> when no reboot was necessary, etc.
Linas is right about the cost and complexity of the monitoring cards and
the whole system. In addition, if we're trying to see pSeries as a premium
highly-reliable system better than the competition, it just doesn't send
the right message if you tell a customer that this is what they have to do.
It looks really Rube Goldberg-ish (to say the least).
In addition, from a technical perspective, there is a basic principle in HA
systems which is being ignored here...
A sick system cannot reliably monitor itself.
If you're relying on a system which you believe to be sick to monitor
itself, it will be unable to do this reliably under all circumstances -
it's sick, and therefore not reliable -- by definition. Crazy people may
not think they're insane ;-). The hardware watchdog timer is a 3rd party
monitoring system, and therefore is likely to be reliable when the thing it
is watching is sick - because its sanity is uncorrelated to the failure of
the thing it is watching.
For example, if by a programming error in the kernel, you halt or loop with
interrupts disabled -- you're screwed with no way out. In mainframes I
think this is called a disabled wait state. Of course, there are more
complex ways to do this, but hopefully one example makes the point.
This is the point of the hierarchy of monitoring I described before. This
is very much standard operating procedure for reliable systems in the
telecom industry (and many others). In fact, such a watchdog timer is a
requirement for Carrier Grade Linux (CGL).
Here is the standard way which highly available systems are architected to
work -- and it's consistent with 35-year industry practice in telephony
systems, the formal CGL requirements, and the architecture of the Linux-HA
The hardware watchdog timer times out when it doesn't get
a heartbeat in the allotted time. (duhhh!)
Just before loading the BIOS, the watchdog timer should be set
for some "reasonable" amount of time (like a few
seconds) for the BIOS to load and begin executing.
The BIOS should set the timer for a reasonable
time for the bootstrap program to load. It must tickle
it periodically while waiting for input from humans.*
The bootstrap loader should work much the
same way. Before it jumps to the OS, it should set
the timer for a reasonable amount of time for
the OS to take over the tickling.*
When it first comes up, the OS takes over and tickles the
When the HA monitoring subsystem comes up, it takes over
and tickles the watchdog timer.
As HA-aware processes start up, they tickle individual watchdog
timers maintained by the HA monitoring subsystem (apphbd). If they
die, or hang, they are restarted by the Recovery
Manager. As a special case, apphbd will restart the
recovery manager as described below.
The recovery manager registers with the HA monitoring subsystem
and receives notification of insane or dead
processes. If they're insane it kills them.
When they die, it restarts them.
If the recovery manager dies (or goes insane), then
apphbd will (kill and) restart the recovery manager.**
When the system panics, then the watchdog timer needs to be
tickled while waiting for human input, and while making
progress taking a dump. [but only when actually
When the OS jumps back into the BIOS for any reason
then the timer is reset to some value suitable
for the BIOS to take over and start tickling it.
(~ same as the original value).
Now if the BIOS or OS or bootstrap loader, or dump process craps out and
hangs, or the hard disk can't boot, or a peripherial hangs the bus, then
this watchdog timer will trigger, and the system will be reset - and you'll
get a chance to try it again. [[If you fail too often in too short a
period of time, then "phone home" or cry "uncle" or sit and cry if you
like. Or, you can just keep persisting...]]
Later on when HA monitoring system is running, if it (or the scheduler or
other piece of the OS) craps out and the HA monitoring system doesn't (or
isn't able to) tickle this watchdog timer - for whatever reason - then
everything will reboot just like it should.
Notice how many different kinds of errors this one single timer can detect
and recover from - and how many of them cannot easily be recovered from at
all without it. Note how handy it is in designing the system to know that
your underlying hardware has this capability built-in. It eliminates a lot
of complexity from several pieces of software, and does a better job too!
Without this timer, you can't easily design a truly reliable system. (and
maybe not at all).
The lowest level monitor should be the simplest and most reliable. It
monitors the OS. The driver for this in the kernel should also be solid
and no-frills. The base-level HA monitoring system (which monitors
processes for their health) should also be as simple as possible.
Complexity is the enemy of reliability. If any of these components fail,
then the system will be rebooted unnecessarily. This is a BadThing(TM).
Now, to use this "right", the thing that any subsystem tickling the timer
at the next higher level should do is periodically schedule something to
evaluate its internal sanity (data structure consistency or queue lengths
or whatever), and tickle the watchdog timer only when it passes whatever
its internal sanity measure is.
Then, if you go into an infinite loop, or doubt your own sanity long
enough, someone else will eventually do something about it - you'll be
killed and restarted (if a process) -- or rebooted (if you're the HA
process monitor, or the BIOS, or bootstrap loader or OS).
Of course, this doesn't *replace* external monitoring (see the note above
about declaring oneself sick), but it is a good orthogonal measure, and
simpler to implement for subsystems with limited external interfaces - like
the bootstrap loader.
* = Note that these layers may have to deal with bootstrap loaders and/or
OSes which won't tickle the watchdog timer - so they have to shut it off
(or set it really long) when booting a layer under them which isn't
** = The reason why the recovery manager is not part of the apphbd process
in our design is because the apphbd process should be as simple as it can
be - because it's death or insanity would trigger a system restart.
Putting it in a separate process lessens the liklihood of an unnecessary
system restart. This is not a necessity, but I believe it to be a good
design choice - after all it was my design choice ;-)
It is certainly true that we don't have to implement all these things
today, or at all, but with the hardware watchdog timer, they're possible.
And, without it, they're not.
Even without implementing all these extra HA features, it still monitors
the OS more reliably than it can monitor itself. So, I think this is a
very worthwhile feature for the platform to have.
Hope this helps!
Alan Robertson <alanr at unix.sh>
"Openness is the foundation and preservative of friendship... Let me claim
from you at all times your undisguised opinions." - William Wilberforce
More information about the Linuxppc64-dev