[systemd-devel] Allow stop jobs to be killed during shutdown

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Mon Jan 27 07:13:16 PST 2014


On Mon, Jan 27, 2014 at 03:51:34PM +0100, Lennart Poettering wrote:
> On Sun, 26.01.14 17:23, Tom Gundersen (teg at jklm.no) wrote:
> 
> > > I rebuilt systemd without this restriction, set KillMode=process for
> > > user@.service and this fixed things here.
> > >
> > > So there are two problems associated with user instance.
> > >
> > > 1. Using KillMode=control-group is wrong. Each service managed by user
> > > instance has own requirements how it is stopped. Just sending everything
> > > SIGTERM without even trying service ExecStop first is obviously
> > > incorrect.
> > 
> > I guess what we want is to first send SIGTERM only to the systemd
> > --user process, and only after a timeout start sending SIGTERM to all
> > the processes in the control group? I.e., wouldn't an ExecStop entry in
> > user@.service give us the required timeout?
> 
> Well, it would, but I am really sure KillMode=mixed would be the better approach...
> > 
> > > 2. user@.service has single timeout, but it manages unknown in advance
> > > number of services each needing unknown timeout. While having some
> > > capping to total timeout looks sensible, only user itself may estimate
> > > the value. But service user@.system is system-level service which user
> > > cannot configure ...
> > 
> > I think it really makes sense to have a system-wide timeout on these
> > things (possibly a high one), we don't want the user to delay things
> > without limit. The user already has the possibility of putting their
> > own limits if they want to (but they must of course be shorter than
> > the system-wide one).
> 
> Yeah, I fully agree. We need a timeout here that is mandated by the
> system, and cannot be overridden, so that the user cannot find a way to
> circumvent kill requests by the admin. However, it certainly makes sense
> to make it a bit higher than the systemd user instance's own timeouts.

A bit higher is probably not enough, since a user instance might need
to shut down a few things in order, and more than one might have to time
out. It'd probably make sense to decrease the timeouts in --user instances
to something substantially smaller than in --system, and then make the
timeout for user@.service a multiple of that.

Zbyszek
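
The arrangement discussed in this thread (KillMode=mixed on user@.service, with its stop timeout a multiple of the user instance's default) can be checked mechanically. The following Python check is an added example, not part of the original message or of systemd; the factor of 3, the supported time-unit subset, the 90s fallbacks and the sample file contents are assumptions.

```python
import configparser
import math
import re

# Assumed subset of systemd.time(7) units, in seconds; a bare number is seconds.
UNITS = {"ms": 0.001, "s": 1, "sec": 1, "m": 60, "min": 60, "h": 3600, "hr": 3600}
SPAN = re.compile(r"\s*(\d+(?:\.\d+)?)\s*(ms|sec|s|min|m|hr|h)")

def parse_span(text):
    """Convert '90', '2min' or '1min 30s' to seconds; 'infinity' means no timeout."""
    text = text.strip()
    if text == "infinity":
        return math.inf
    if re.fullmatch(r"\d+(?:\.\d+)?", text):
        return float(text)
    if not re.fullmatch(f"(?:{SPAN.pattern})+", text):
        raise ValueError(f"unsupported time span: {text!r}")
    return sum(float(n) * UNITS[u] for n, u in SPAN.findall(text))

def load(text):
    # Unit files may repeat keys and contain '%' specifiers, so relax configparser.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case (KillMode, not killmode)
    cp.read_string(text)
    return cp

def audit(system_unit, user_conf, factor=3):
    """Return findings for user@.service against the user manager's defaults."""
    svc, mgr = load(system_unit), load(user_conf)
    findings = []
    # control-group is systemd's default KillMode when none is set.
    if svc.get("Service", "KillMode", fallback="control-group") != "mixed":
        findings.append("KillMode is not mixed")
    # 90s fallbacks are the assumed built-in defaults.
    outer = parse_span(svc.get("Service", "TimeoutStopSec", fallback="90s"))
    inner = parse_span(mgr.get("Manager", "DefaultTimeoutStopSec", fallback="90s"))
    if math.isinf(outer):
        findings.append("no system-mandated stop timeout")
    elif outer < factor * inner:
        findings.append(f"TimeoutStopSec {outer:g}s < {factor} x {inner:g}s")
    return findings

# Constructed sample files (not taken from the thread or from systemd's tree).
WEAK_UNIT = "[Service]\nKillMode=control-group\nTimeoutStopSec=2min\n"
FIXED_UNIT = "[Service]\nKillMode=mixed\nTimeoutStopSec=2min\n"
USER_CONF_DEFAULT = "[Manager]\nDefaultTimeoutStopSec=90s\n"
USER_CONF_SHORT = "[Manager]\nDefaultTimeoutStopSec=30s\n"

if __name__ == "__main__":
    print(audit(WEAK_UNIT, USER_CONF_DEFAULT))
    print(audit(FIXED_UNIT, USER_CONF_SHORT))
```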

