Usage of prctl subreaper in upstart user session
Steve Langasek
steve.langasek at ubuntu.com
Tue Dec 11 01:59:03 UTC 2012
On Mon, Dec 10, 2012 at 02:30:16PM -0600, Ted Gould wrote:
> On Mon, 2012-12-10 at 14:23 -0500, Stéphane Graber wrote:
> > Would the above work for you or do you see any potential problem with
> > that or think of a better way to deal with the 12.04->14.04 upgrade
> > scenario?
> I think so. And to be further more precise, it really is only someone
> who upgrades to 14.04, logs out of their session and back in without
> rebooting.
There are other plausible scenarios here, to wit:
- user is halfway through the upgrade; upstart, and desktop packages which
depend on user session support, have been unpacked (and possibly even
configured), but the kernel package has not; the user experiences a power
event / kernel crash; on reboot the system comes up, but is still booted
to the old kernel
- user is partway through the upgrade when X hangs. they're able to kill
the X server and restart it, getting back to the lightdm login screen
These are both real-world scenarios that affect a number of users each
upgrade, and we should handle them gracefully in Ubuntu. There are a number
of ways we could (in theory) decide to handle them:
- Require subreaper for user session process supervision, and provide user
sessions with reduced capabilities when subreaper is not supported.
- Require subreaper for process supervision, and fail hard when it's
absent; provide some other facility for finishing the dist-upgrade when
the user is no longer able to log in due to the user session failing.
- Use subreaper for process supervision; disallow all user jobs in Ubuntu
until after the 14.04 release (unlikely to be a popular option ;).
- Use something other than subreaper support for user job process
supervision.
> If there were a critical issue there, I'd rather just make it so someone
> can't log back in to a full session until there's a reboot. Seems like
> someone would only do this by mistake in almost all situations.
As above, rebooting is not guaranteed to fix the user's problem.
On Mon, Dec 10, 2012 at 03:35:42PM -0500, Stéphane Graber wrote:
> Right, the other reason why I didn't want to make upstart just fail to
> start entirely in such case is for people who for whatever reason are
> asked to test an older kernel which may not have the feature.
I don't think that's a scenario that should drive the design here. I'm
pretty sure the kernel team isn't going to ask 14.04 users to test a kernel
from 12.04.
> Same thing for someone who would run a raring container on a precise
> host, although userspace would support the feature in such case, they
> kernel won't. So in such case I think it's best to offer a session with
> a few restricted features (and have a way to detect it) than just plain
> fail.
This is at least plausible (along with: running in a chroot; and running in
a VM where you don't control the kernel). I don't think it's a requirement
per se to support these configurations, but there's a chance that whatever
we decide we need for the upgrade scenario addresses this too.
Thanks,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/upstart-devel/attachments/20121210/262fbd0b/attachment.pgp>
More information about the upstart-devel
mailing list