
Alexis Richardson <alexis.richardson@gmail.com> writes:
> I am interested in how EH and GG deal with exceptions. Chris?
We try to flag all the significant errors synchronously during the create call. If you get success back, a VM exists and is running with the requested drives and network interfaces. Conversely you'll always get an immediate error back if (say) you try to specify an IP that doesn't belong to you, or use a drive which doesn't exist, or has exclusive locking enabled and is already mounted elsewhere, or whatever.

Our API only operates at the virtual machine level. As far as we're concerned, measuring or interfering with the guest OS other than by providing virtual hardware for it would be a gross layering violation. Since, like Amazon, we have no concept of stopped servers at the API level (they exist in the web interface for convenience), this means we only have one user-visible guest state: if a guest exists at all, it is active and running.

Migration of storage and guests within our infrastructure is only allowed if it is completely transparent to users, so again this isn't signalled to unprivileged users. Thus the only cases we have to deal with are when a guest exits (ACPI power down) or if an infrastructure host explodes and a guest must be revived (which looks like a hard reset from outside).

At infrastructure level, our API between the management system and the individual hosts is the same API our users use, but with extra 'privileged' features. There we have HTTP callbacks ('callback:exit' key) available to signal when a guest disappears or is revived following a host crash, which are used internally for billing amongst other things. Although I don't think these are exposed to our end users through our unprivileged API yet, they will be.

(However, for what it's worth, real users seem to prefer to do their "I've just booted" and "I'm going to shut down now" notifications within their guest OSes where they get a free choice of mechanism, and usually monitor their virtual machines over IP like they would physical servers, so we never had anyone ask for the callback stuff.)

Cheers,
Chris.