[lxc-devel] [PATCH 1/3] lxc-shutdown: switch from script to program using api.

Christian Seiler christian at iwakd.de
Fri May 17 20:55:22 UTC 2013


Hi there,

> So my suggestion is basically to:
>  - Kill lxc-shutdown
>  - Change lxc-stop so that:
>    * Default behaviour is to call shutdown(), wait 15s for STOPPED, if
> not STOPPED, print a message to the user and call stop()
>    * We have a -r option to reboot the container (with proper check that
> the container indeed rebooted within the next 15s)
>    * We have a -s option to shutdown the container without the automatic
> fallback to stop()
>    * Add a -k option allowing a user to just kill a container
> (equivalent to old lxc-stop, no shutdown() call and no delay).
> 
> We'd therefore end up with a single binary which does shutdown, stop and
> reboot, properly checks that the actions are carried out and supports
> timing out and fallback to kill.

I would like to add that there currently is a setting lxc.stopsignal,
which overrides 0.9's lxc-stop, but not lxc-shutdown.

A few ideas on how to handle this:

 - Create 2 new signals,
     lxc.signal.halt    (halt container, default: see below)
     lxc.signal.reboot  (reboot container, default: SIGINT)
     lxc.signal.kill    (kill container, default: SIGKILL)
 - deprecate lxc.signal.stop (i.e. issue warning if it's used) but
   make it an initial alias for lxc.signal.halt
 - default for lxc.signal.halt:
     - container started by lxc-start: SIGPWR
        (templates should probably adjust that if necessary)
     - container started by lxc-execute: SIGTERM

> The 15s timeout would be over-ridable through -t, 15s is a guess as to
> how long users would be ready to wait for a container to die assuming
> some complex processes (database and similar) need enough time to sync
> their data and exit.

In my experience, containers running sysvinit usually take ~10s to shut
down if next to nothing is running inside them (at the very end they
wait 5s each to send SIGTERM and SIGKILL respectively to all of the
processes), so I would rather be a bit more conservative and make the
default 30s or even 60s instead of 15s. Containers with upstart or
systemd as init system shut down faster, so there it's not quite as
relevant.

It also would be nice to be able to override the default via
configuration file, i.e. lxc.timeout.shutdown = 120s. The precedence
rule would be: lxc default (30s) overridden by config file overridden by
command line option. That way, one doesn't always need to specify the
timeout for a container that one knows to shut down much slower (due to
a running database or such) and can just do lxc-stop -n foo without
having to think too much.

> Does that sound reasonable to everyone?

Apart from the comments above: Yes, absolutely.

-- Christian
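
The signal defaults and timeout precedence proposed in this mail, sketched as an added shell example (not code from the patch or from LXC). The lxc.signal.* and lxc.timeout.shutdown keys are the mail's proposals, not existing options; the function names, the sample config and the "last assignment wins" parsing are assumptions.

```shell
#!/bin/sh
# Constructed sample config; the keys are the ones proposed in the mail.
sample_config() {
cat <<'EOF'
# constructed example
lxc.signal.stop = SIGRTMIN+3
lxc.timeout.shutdown = 120s
EOF
}

# conf_get KEY: print the last value assigned to KEY in the config text on stdin.
conf_get() {
    awk -F= -v key="$1" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); found = v }
        END { if (found != "") print found }'
}

# halt_signal MODE CONFIG_TEXT: lxc.signal.halt, else the deprecated alias
# lxc.signal.stop (with a warning), else a default chosen by start mode.
halt_signal() {
    sig=$(printf '%s\n' "$2" | conf_get lxc.signal.halt)
    if [ -z "$sig" ]; then
        sig=$(printf '%s\n' "$2" | conf_get lxc.signal.stop)
        if [ -n "$sig" ]; then
            echo "warning: lxc.signal.stop is deprecated, use lxc.signal.halt" >&2
        fi
    fi
    if [ -z "$sig" ]; then
        case $1 in
            execute) sig=SIGTERM ;;   # container started by lxc-execute
            *)       sig=SIGPWR ;;    # container started by lxc-start
        esac
    fi
    echo "$sig"
}

# shutdown_timeout CLI_VALUE CONFIG_TEXT: default 30s, overridden by the
# config file, overridden by the command line. Non-numeric values are ignored.
shutdown_timeout() {
    t=30
    cfg=$(printf '%s\n' "$2" | conf_get lxc.timeout.shutdown)
    cfg=${cfg%s}                      # accept "120s" as well as "120"
    case $cfg in ''|*[!0-9]*) ;; *) t=$cfg ;; esac
    case $1 in ''|*[!0-9]*) ;; *) t=$1 ;; esac
    echo "$t"
}

cfg_text=$(sample_config)
echo "halt: $(halt_signal start "$cfg_text"), timeout: $(shutdown_timeout "" "$cfg_text")s"
```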
