New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pid1: add SurviveFinalKillSignal= to skip units on final sigterm/sigkill spree #28545
Conversation
66616ba
to
aa46b30
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
superficial comments only.
aa46b30
to
f8a1a49
Compare
Hmm, so we'd be supposed to put services in a special slice. But slices are a mechanism for resource management, generally unrelated to how services behave during shutdown or other state transitions. I liked the previous approach with a setting that can be attached to any unit much more. |
Well, ish - there's init.scope, and the forthcoming init-workers.scope, that also have semantic meaning outside of resource management. Also, there's the whole delegation mechanism, that is also not about resource management, but process management. The caveat for this feature is that I think managing processes by cgroup is the way to go, and the key thing we need to do for this is killing a subset of live processes on soft-reboot. I think it fits very well with the hierarchical cgroup model, and having to reimplement that manually (going unit by unit to check a boolean) would be much worse. Then there's the issue that @poettering did not like the boolean, so I'm trying to get two birds with one stone here. |
IMO that's a false similarity. Yes, we have a |
Do you have any such real-world examples? I have a dozen of them or so, and only one fits that description, but it's a one-shot remain-after-exit that configures hardware on early boot, so that also doesn't fit quite well. Everything else is a normal service from any other point of view.
We do not. I am very strongly against half-arsing this. It is very important to me and my use cases to have a first-class, well-defined, intelligible, supported and consistent interface for this. This is not any different from many of the other well-defined, high level interfaces we have. For example, pretty much everything that deals with images, directories or mounts could be removed, and is doable with the single MountImage and BindPath settings. Everything else is redundant - RootImage, RootEphemeral, ExtensionImages, PrivateTmp, TemporaryFileSystem etc. Why do we have all of these redundant then? Because often it's not enough to enable some very low level functionality, but we want to offer a first class interface, that comes with a promise that whatever else we change, it will keep working as advertised, and models some common and specific behaviour that we want to encode and expose. For me, this is one of those cases. |
c69b83c
to
7f435f8
Compare
7f435f8
to
7c13002
Compare
7c13002
to
b2a66dc
Compare
…ill spree Add a new boolean for units, SurviveFinalKillSignal=yes/no. Units that set it will not have their process receive the final sigterm/sigkill in the shutdown phase. This is implemented by checking if a process is part of a cgroup marked with a user.survive_final_kill_signal xattr (or a trusted xattr if we can't set a user one, which were added only in kernel v5.7 and are not supported in CentOS 8).
b2a66dc
to
2c0ca3e
Compare
Add a new boolean for units, SurviveFinalKillSignal=yes/no. Units that
set it will not have their process receive the final sigterm/sigkill in
the shutdown phase.