From: Rich Felker <dalias@aerifal.cx>
To: musl@lists.openwall.com
Subject: Re: Re: Vision for new platform
Date: Sun, 10 Jun 2012 12:33:59 -0400 [thread overview]
Message-ID: <20120610163359.GJ163@brightrain.aerifal.cx> (raw)
In-Reply-To: <20120610235125.31f38cd7@sibserver.ru>
On Sun, Jun 10, 2012 at 11:51:25PM +0800, orc wrote:
> > I don't think you're getting the issue at hand. Suppose you want to be
> > able to automatically bring down a particular daemon -- perhaps to
> > restart it with completely new configuration or to switch to a new
> > version of it. This could happen as part of an automated upgrade
> > process or under manual admin control.
>
> 'Automated' often becomes the source of problems, if this automated
> subsystem is not engineered properly. If we want daemon that will be
> responsible for other's daemons status and it will start and stop them
> automatically based on the admin's decision than it must be
> well-engineered and tested in many types of situations first.
Without "automated", how do you intend for non-technical users to
upgrade important system components when their old version has a
critical vulnerability? Even if the system has a technically qualified
admin, nobody wants to go manually upgrading/restarting daemons on
tens, hundreds, or thousands of boxes...
I agree automation is a huge source of problems, but I think they're
fundamental problems you can't just pretend don't exist.
> > (even one run by a user as opposed to by root with a
> > separate config file and running on a separate port)
>
> Killing processes based on uid/gid and cmdline can be achieved with
> pkill already,
No, it cannot. Before you can solve any of these problems you must
understand that you can't use resource handles that belong to another
process which could invalidate them behind your back. This is a core
principle of concurrency programming, and pids are such a resource.
As an aside, I used to really dislike the push towards multi-threaded
programming because concurrency is error-prone and hard to get right.
Then I realized that basically all unix systems programming is
concurrent programming, just disguised to look safe...
> > to killing
> > unrelated processes (by scanning /proc or reading a pid file, then
> > subsequently killing the pid which might not belong to a different
> > process).
>
> Again, pkill much better than "traditional"
> "kill $(cat /var/run/daemon.pid)" that most of init script use today
> (Am I right?)
No. The pkill approach is the "doing things as stupid as killing any
instance of the daemon" in my text you quoted.
At least with pid files, you know the pid you kill _at one time_
belonged to the daemon you wanted to kill. With pkill, you'll pick up
completely independent instances of the same program binary.
> > If daemons really didn't exit unexpectedly, the only race condition in
> > pid-based approaches to lifetime management would be races between
> > multiple scripted administrative actions (e.g. 2 admins trying to down
> > the daemon at the same time) which could be fixed by locking at the
> > script level.
>
> Hm, for me that situation sounds a bit strange: even script will exit
> with 'daemon already stopped' or script will send an additional signal
No. It will send a TERM/KILL signal to a new process that happens to
have the same PID as the already-killed daemon. If you get lucky, no
such new process exists, but that's called "getting lucky" which has
no place in robust systems.
> I partially agree with approach that such daemon for monitoring status
> of other daemons should be developed, but I think this daemon should
> control only critical processes for admin, such as:
My view is this:
1. On a hobbyist or fully self-maintained system where you're willing
to manually do all the work of upgrading/restarting things, or on
certain embedded systems where reboot-on-upgrade is acceptable or
where you're sure you won't need security updates (because the system
does not interact with potentially-dangerous inputs), just start all
the daemons from your init script with no management and be done with
it. Components should not be designed in ways that _preclude_ this
ultra-simple setup.
2. On everything else, use your choice of robust daemon management
tool that starts daemons as direct children and therefore can observe
their death and/or intentionally kill them without any race
conditions.
Rich
next prev parent reply other threads:[~2012-06-10 16:33 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-18 1:06 Rich Felker
2012-05-18 3:11 ` Isaac Dunham
2012-05-18 3:26 ` Rich Felker
2012-05-19 1:28 ` Isaac Dunham
2012-05-18 6:07 ` Szabolcs Nagy
2012-05-21 20:05 ` aep
2012-05-21 20:17 ` Rich Felker
2012-05-21 20:51 ` nwmcsween
2012-05-21 20:59 ` Rich Felker
2012-05-21 21:18 ` Rich Felker
2012-05-21 21:51 ` aep
2012-05-21 22:25 ` Rich Felker
2012-05-22 0:53 ` aep
2012-05-22 1:54 ` Rich Felker
2012-05-22 12:55 ` Christoph Lohmann
2012-06-09 11:27 ` orc
2012-06-09 14:44 ` Isaac Dunham
2012-06-09 15:25 ` orc
2012-06-09 21:24 ` Rich Felker
2012-06-09 22:38 ` Christian Neukirchen
2012-06-10 12:53 ` Daniel Cegiełka
2012-06-10 13:22 ` Rich Felker
2012-06-10 14:52 ` orc
2012-06-10 14:55 ` orc
2012-06-10 15:13 ` Rich Felker
2012-06-10 15:51 ` orc
2012-06-10 16:33 ` Rich Felker [this message]
2012-06-10 17:53 ` orc
2012-06-10 18:03 ` Daniel Cegiełka
2012-06-10 18:26 ` orc
2012-06-10 18:38 ` Daniel Cegiełka
2012-06-10 18:58 ` orc
2012-06-10 19:19 ` Daniel Cegiełka
2012-06-10 19:33 ` Rich Felker
2012-06-10 20:13 ` Daniel Cegiełka
2012-06-11 7:24 ` orc
2012-06-11 12:54 ` Init system (Re: [musl] Re: Vision for new platform) aep
2012-06-12 0:59 ` Re: Vision for new platform Isaac Dunham
2012-06-12 1:48 ` Rich Felker
2012-06-12 5:37 ` idunham
2012-06-12 5:48 ` Kurt H Maier
2012-06-12 8:20 ` aep
2012-06-12 14:32 ` Rich Felker
2012-06-14 4:28 ` Isaac Dunham
2012-06-12 14:30 ` Rich Felker
2012-06-12 7:46 ` orc
2012-06-12 8:27 ` nwmcsween
2012-06-12 8:41 ` orc
2012-06-12 8:44 ` aep
2012-06-12 9:02 ` orc
2012-06-12 10:28 ` aep
2012-06-12 10:33 ` orc
2012-06-10 15:17 ` Daniel Cegiełka
2012-06-10 15:27 ` Rich Felker
2012-06-10 15:12 ` Jeremy Huntwork
2012-06-10 18:03 ` Kurt H Maier
2012-06-10 18:15 ` Jeremy Huntwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120610163359.GJ163@brightrain.aerifal.cx \
--to=dalias@aerifal.cx \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).