[RFC]: Enhanced User Sessions and session shutdown

Steve Langasek steve.langasek at ubuntu.com
Thu Jan 24 07:25:54 UTC 2013


Hi James,

On Fri, Jan 18, 2013 at 05:35:45PM +0000, James Hunt wrote:
> I've recently updated the spec above to include details of session shutdown [1].
> If anyone has comments, please weigh in:

> https://wiki.ubuntu.com/FoundationsTeam/Specs/RaringUpstartUserSessions#Desktop_Session_Shutdown

> Note that on Ubuntu, when the gnome-session job ends, gnome-session will
> potentially first signal ConsoleKit to shut down the system. This will ultimately
> result in the display manager (lightdm on Ubuntu) sending SIGTERM to each
> Session Init [2] which should preclude the need for a final "shutdown" job that
> reacts to the session-exiting event, although it may be necessary to modify the
> 'kill timeout' for the lightdm job.

You write here:

  With Upstart sessions, the Session Init will be terminated by:

    * The desktop session sending an initctl command request to shutdown.
    * The Session Init Instance will react to this, stop all the jobs and
      then exit itself, closing the session in the process.

I don't think that's accurate.  The decision about whether or not the system
can be shut down/rebooted by the user needs to be made via system-level
policy; the shutdown request thus needs to be referred to a system-level
service before we shut down *any* jobs from the session init.

Only once the system init has been signalled to change runlevels via the
shutdown command, and the lightdm service has been asked to stop, should the
session init generate a session-end event (in response to being
signalled itself).

So the first half of the architecture should remain entirely unchanged; we
only want to switch out some of the components:

  * The indicator, or the power button dialog calls 'initctl shutdown' with
    the correct logout, reboot, or shutdown '--type' argument.
  * The session init checks whether the shutdown has been blocked with the
    org.gnome.SessionManager.Inhibit() D-Bus API call (which something
    associated with the upstart session will need to implement).
  * Once the shutdown is not blocked, on shutdown/reboot:
    * the session init, or a job acting on its behalf, calls the
      corresponding method of ConsoleKit or systemd.
    * ConsoleKit ultimately calls /usr/lib/ConsoleKit/scripts/ck-system-stop,
      which in turn calls shutdown(8).
    * shutdown(8) emits the "runlevel" Upstart event.
    * This triggers stopping of the lightdm jobs (among others)
    * The lightdm job sends SIGTERM to all clients (upstart session init
      processes).
    * The session init generates a session-end event, which is processed
      normally.
    * Either the user jobs correctly end in a timely manner in response to
      this event; or they do not, in which case they are instead reaped by
      /etc/init.d/sendsigs.  There should not be any need for complex
      timeout handling in the session init itself.  (Note however that
      /etc/init.d/sendsigs probably needs some changes in order to not go
      killing user jobs - and session init processes - with *no* delay,
      depriving them of the opportunity to shut down gracefully.)
    * If all session jobs exit and the session init is quiesced (i.e., no
      remaining "blocked" events), the session init exits.  Otherwise, it
      will be killed externally (by lightdm or by sendsigs).
    * lightdm exits.
    * The rest of the shutdown sequence completes.

This architecture has the following important properties:

 - We don't assume the shutdown command has been accepted (and start killing
   user jobs in response) until acknowledged as such by a root daemon
 - We preserve the existing interface for inhibiting shutdown that's used by
   existing software
 - We aren't relying on the user's session init to do the cleanup, beyond
   making sure it tells the jobs to shut down; instead the logic for timeout
   handling is all at the system level, where it needs to be.

Does this make sense?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
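
The ordering proposed in the message above, as a small model added here (not part of the original message and not Upstart, lightdm or ConsoleKit code). All names (`SessionInit`, `simulate`, the event strings, the sample users and jobs) are hypothetical, and only the shutdown/reboot path the message describes is modelled.

```python
# Added model of the ordering in the message above. Every name here is
# hypothetical; none of this is Upstart, lightdm or ConsoleKit code.

class SessionInit:
    def __init__(self, user, system_allows, jobs, inhibitors=()):
        self.user = user
        self.system_allows = set(system_allows)  # stand-in for system-level policy
        self.jobs = dict(jobs)        # job name -> exits cleanly on session-end?
        self.inhibitors = set(inhibitors)        # current holders of Inhibit()
        self.accepted = False
        self.log = []

    def initctl_shutdown(self, kind):
        """Unprivileged request from the indicator; must not stop any job."""
        if kind not in ("reboot", "shutdown"):
            raise ValueError("only the shutdown/reboot path is modelled")
        if self.inhibitors:
            self.log.append("blocked-by-inhibitor")
        elif self.user not in self.system_allows:
            self.log.append("denied-by-system")
        else:
            # Root daemon accepted: shutdown(8) -> runlevel -> lightdm stops.
            self.accepted = True
            self.log.append("accepted-by-system")
        return self.accepted

    def on_sigterm(self):
        """SIGTERM from lightdm: the only trigger for session-end."""
        self.log.append("session-end")
        self.jobs = {n: ok for n, ok in self.jobs.items() if not ok}
        # No timeout logic here: leftovers are reaped at system level.
        self.log.append("session-init-exits" if not self.jobs
                        else "killed-externally")
        return not self.jobs


def simulate(user, system_allows, jobs, inhibitors=()):
    """Run one request end to end; return (event log, jobs left running)."""
    s = SessionInit(user, system_allows, jobs, inhibitors)
    if s.initctl_shutdown("reboot"):
        s.on_sigterm()  # delivered only after the system accepted the request
    return s.log, sorted(s.jobs)


if __name__ == "__main__":
    jobs = {"editor": True, "hung-sync": False}  # constructed sample jobs
    for args in [("alice", {"alice"}, jobs), ("bob", {"alice"}, jobs),
                 ("alice", {"alice"}, jobs, {"cd-burner"})]:
        print(simulate(*args))
```

A denied or inhibited request leaves every user job running, which is the first property listed in the message.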