From: sbaugh@catern.com
Subject: Using CHILD_SUBREAPER in GNU Shepherd
Date: Sat, 03 Jun 2017 16:29:40 -0400
Message-ID: <87wp8s24sr.fsf@catern.com>
To: guix-devel@gnu.org

Hi,

There is a feature present in Linux: CHILD_SUBREAPER. It changes the logic for reparenting orphaned processes. Instead of an orphaned process being reparented to pid 1, an orphaned process is reparented to the nearest parent that is marked as a CHILD_SUBREAPER. A process can mark itself as a CHILD_SUBREAPER without privileges.

See PR_SET_CHILD_SUBREAPER in prctl(2) for maybe more precise information: http://man7.org/linux/man-pages/man2/prctl.2.html

What this boils down to is allowing process supervisors to be much more reliable, even when not running as init, because they can track not just their children, but their children's children, and in general all transitive children.

I'd like to add it to GNU Shepherd. It may require some re-architecting to take full advantage of it. I'm not sure yet.

I wrote a small tool using CHILD_SUBREAPER to provide some useful process supervision features: https://github.com/catern/supervise

The relevant features are:
- Guaranteed cleanup of all started processes
- Usable in nested situations

I'd like to get such features into GNU Shepherd. (Maybe the latter is already possible, but explicit support can't hurt.)

Does this sound like a good idea?

There aren't many process supervisors out there which actually use CHILD_SUBREAPER, which I find rather disappointing, because it allows container-like cleanup without actually having root privileges.

In the longer term, if we had this feature in the shepherd, we could make some container-like guarantees about starting up daemons and applications out of Guix on foreign distros: not only will the dependencies be pulled from the store, but also absolutely no processes can be remaining on the system after the daemon is terminated, if it is started with the shepherd. That would be a really unique guarantee!

It could also help with store garbage collection, perhaps?

Thanks for Guix!
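The reparenting behaviour the message describes, shown as an added C example. This is not the author's code and not part of the supervise tool or of GNU Shepherd; it is a stand-alone experiment that sets PR_SET_CHILD_SUBREAPER on the calling process, forks a child that forks a grandchild and exits at once (orphaning the grandchild), and then records which pid the orphan was reparented to and how many processes wait() hands back to the caller. The names orphan_experiment and reparent_result are mine; the only requirements are Linux 3.4 or later and a libc that exposes prctl(2), with no privileges needed.

```c
/*
 * Added example (not the author's code, not part of supervise or Shepherd):
 * a Linux-only demonstration of PR_SET_CHILD_SUBREAPER.  A child forks a
 * grandchild and dies immediately, orphaning it.  We then observe where the
 * orphan was reparented and how many processes wait() returns to us.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_CHILD_SUBREAPER
#define PR_SET_CHILD_SUBREAPER 36   /* value from <linux/prctl.h>, for older libc headers */
#endif

struct reparent_result {
    pid_t new_parent;   /* getppid() as seen by the orphan after its parent died */
    int   reaped;       /* how many descendants wait() handed back to the caller */
};

static void die(const char *what) { perror(what); exit(1); }

/*
 * One experiment with the subreaper attribute on or off.  With it on, the
 * orphaned grandchild is reparented to us and we reap both processes
 * (reaped == 2).  With it off, the orphan goes to pid 1 (or the nearest
 * subreaper above us), we never get to wait() for it, and reaped == 1.
 */
struct reparent_result orphan_experiment(int enable_subreaper)
{
    struct reparent_result r = { -1, 0 };
    int fds[2];

    if (pipe(fds) != 0)
        die("pipe");
    /* No privilege needed: any process may mark (or unmark) itself. */
    if (prctl(PR_SET_CHILD_SUBREAPER, enable_subreaper ? 1UL : 0UL, 0UL, 0UL, 0UL) != 0)
        die("prctl(PR_SET_CHILD_SUBREAPER)");

    pid_t child = fork();
    if (child < 0)
        die("fork");
    if (child == 0) {
        pid_t me = getpid();          /* the pid the grandchild starts out under */
        pid_t gc = fork();
        if (gc < 0)
            _exit(1);
        if (gc == 0) {
            /* grandchild: wait until we are no longer under `me`, then report */
            while (getppid() == me)
                ;   /* brief spin: the intermediate child exits right after fork */
            pid_t np = getppid();
            if (write(fds[1], &np, sizeof np) != (ssize_t)sizeof np)
                _exit(1);
            _exit(0);
        }
        _exit(0);   /* intermediate child dies at once, orphaning the grandchild */
    }

    close(fds[1]);   /* so read() sees EOF if the grandchild dies without writing */
    ssize_t n = read(fds[0], &r.new_parent, sizeof r.new_parent);
    close(fds[0]);
    if (n != (ssize_t)sizeof r.new_parent)
        r.new_parent = -1;

    /* Reap everything that is ours; ECHILD means our part of the tree is empty. */
    for (;;) {
        int status;
        pid_t w = wait(&status);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            break;
        }
        r.reaped++;
    }

    /* Leave the calling process as we found it. */
    prctl(PR_SET_CHILD_SUBREAPER, 0UL, 0UL, 0UL, 0UL);
    return r;
}

int main(void)
{
    struct reparent_result on = orphan_experiment(1);
    struct reparent_result off = orphan_experiment(0);
    printf("we are pid %d\n", (int)getpid());
    printf("subreaper on : orphan reparented to %d, reaped %d processes\n",
           (int)on.new_parent, on.reaped);
    printf("subreaper off: orphan reparented to %d, reaped %d processes\n",
           (int)off.new_parent, off.reaped);
    return on.new_parent == getpid() ? 0 : 1;
}
```

Two caveats a supervisor author runs into here. First, per prctl(2) the attribute is not inherited across fork(2), so in the nested case every supervisor level has to set it on itself; setting it once at the top only catches orphans whose whole ancestry below you has already exited. Second, being a subreaper means taking over init's duty: adopted orphans deliver SIGCHLD to you and stay zombies until you wait() for them, which is why the loop above drains until ECHILD. If the supervisor is already pid 1 of its PID namespace (a container init), orphans land on it with or without the flag.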