s6-rc shutdown timing issue

From: Colin Booth <cathexis_at_gmail.com>
Date: Sun, 13 Sep 2015 00:08:54 -0700

Hey there,

I've been digging into managing a system completely under s6 and I
can't seem to find the right time to run `s6-rc -da change'. Run it
before sending s6-svscan the shutdown/reboot/halt commands and you can
end up with a situation where your read/write drive has been set
read-only before your services have come down. Run it after telling s6-svscan to
start taking the system down, and s6rc-oneshot-runner is stopped by
the time s6-rc tries to disassemble the system.

There are a few solutions that I've come up with, none of them terribly great.

1) Have s6-rc handle setup but not teardown and just ignore oneshots
on shutdown by not calling s6-rc from within the stage3 script.
2) Ignore s6-rc entirely during shutdown, letting s6-svscan's native
signaling to s6-supervise handle longruns and manually trigger a list
of oneshots to destroy after the process table is cleared.
3) Call s6-rc before signaling s6-svscan but make sure that s6-rc
doesn't know about system-critical shutdown routines, and instead call
those directly from stage3 after s6-svscan has destroyed the
supervision tree.
4) Give s6-ipcserverd a flag to ignore SIGTERM like s6-log has, then
call s6-rc -d in stage3 before firing off s6-nuke.

Like I said, all those solutions aren't great. The first limits the
use of down scripts for oneshots and might leave a system in an
undesirable state before shutdown. The second and third both require
that the oneshot list (at least those that need to be fired on
shutdown) be maintained in two places - both s6-rc and an
in-sequence triggered set. The last requires changes to s6-ipcserverd
and makes a third nominally unkillable service.

All four end up with oneshots and longruns being decoupled from each
other, though in the grand scheme of things that isn't the end of the
world. My current solution is number two, though I'd like to be able
to write a handful of ./down scripts for those oneshots that I need to
worry about and let a late run of `s6-rc -da change' take care of it.

One other question that doesn't really belong here but doesn't need
its own thread. If I have a oneshot that only does any work on
shutdown, can I get away with having the required ./up script be
empty, or do I need to write something like
#!/command/execlineb
exit 0

To satisfy the requirement of up existing.

Cheers!
-Colin

-- 
"If the doors of perception were cleansed every thing would appear to
man as it is, infinite. For man has closed himself up, till he sees
all things thru' narrow chinks of his cavern."
  --  William Blake
Received on Sun Sep 13 2015 - 07:08:54 UTC
