[Done] Disable watchdog in XML by default?

Patrick · December 18, 2014, 2:08pm

Refering to:
https://github.com/Whonix/Whonix/pull/386

<watchdog model='i6300esb' action=reset'/>

What is the watchdog good for?

Was reading this for reference:
https://wiki.openstack.org/wiki/LibvirtWatchdog

I think “reset on hang” is an interesting feature for servers and server admins might like to manually enable it. However, for most users I think it would be desirable to have this disabled by default. Because should the VM hang, the current output might be helpful to figure out what actually caused the hang/crash. Auto reset would make debugging much harder.

HulaHoop · December 18, 2014, 2:20pm

Instead of removing watchdog we can change its behavior to assist users in debugging by using ‘dump’ instead of ‘reset’. What do you think?

Patrick · December 18, 2014, 2:22pm

Hm. What to do with the core dump then? Sent to KVM developers?

There is another issue. Just tried the new xml files on Debian jessie with latest updates.

virsh -c qemu:///system define ~/Downloads/Whonix-Gateway_kvm.xml error: Failed to define domain from /home/user/Downloads/Whonix-Gateway_kvm.xml error: (domain_definition):61: AttValue: " or ' expected <watchdog model='i6300esb' action=reset'/> --------------------------------------^

HulaHoop · December 18, 2014, 2:37pm

A core dump is like a memory dump for diagnosing crashes. I guess users need to send that to Debian developers. You don’t touch the kernel so any bugs are likely upstream and not related to Whonix.

At worst watchdog won’t be visible to users and will only kick in when a crash happens, providing slightly more helpful information than without.

I forgot a single quote ’ around reset and thats why its not working. Should I change it or you? I’ll do that when I get the go ahead for the dump feature.

Patrick · December 18, 2014, 3:04pm

I know. And depending on the type of the core dump and privacy considerations it may or may not include private data such as contents of RAM. Perhaps that should be researched before deciding further?

I forgot a single quote ' around [b]reset[/b] and thats why its not working.

Fixed in git master.

HulaHoop · December 18, 2014, 3:30pm

And depending on the type of the core dump and privacy considerations it may or may not include private data such as contents of RAM. Perhaps that should be researched before deciding further?

Then I’m not really enthusiastic about having it set to dump.

Watchdog would only be useful to server admins (our Hidden Service target users)
Would make things harder for others trying to figure out a crash
non experienced users most probably won’t even know how to debug a crash so it doesn’t matter
Those that know how will have the ability to disable watchdog temporarily.
Note that watchdog is added by default by I removed it in the past because of wrong security assumptions.

My opinion is to leave it as it is set to reset? If not convinced do what you think is best.

Patrick · December 18, 2014, 3:42pm

Even for experienced users, I think this auto-reset enabled by default that they have to disable first is super confusing. Then they come to the forum and say their VM restarted out of nowhere. Then we tell them to disable that auto reboot feature first so they can come back and report a bug? Not a great workflow.

Also makes debugging hard to reproduce bugs much harder.

To me it looks like a real bad idea, opt-in looks much better to me here than opt-out, but it’s up to you.

Patrick · December 19, 2014, 7:17am

Public update:
Just merged your pull request that disabled watchdog. Thanks!