From d450612953e6881e2dcbbad7e638160b73a83d77 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 12 Jul 2016 17:18:43 +0200
Subject: shutdown: use 90s SIGKILL timeout

There's really no reason to use 10s here, let's instead default to 90s like we
do for everything else.

The SIGKILL during the final killing spree is in most regards the fourth level
of a safety net, after all: any normal service should have already been stopped
during the normal service shutdown logic, first via SIGTERM and then SIGKILL,
and then also via SIGTERM during the finall killing spree before we send
SIGKILL. And as a fourth level safety net it should only be required in
exceptional cases, which means it's safe to rais the default timeout, as normal
shutdowns should never be delayed by it.

Note that journald excludes itself from the normal service shutdown, and relies
on the final killing spree to terminate it (this is because it wants to cover
the normal shutdown phase's complete logging). If the system's IO is
excessively slow, then the 10s might not be enough for journald to sync
everything to disk and logs might get lost during shutdown.
---
 src/core/killall.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/core/killall.c b/src/core/killall.c
index e1359b72d2..a8b814e868 100644
--- a/src/core/killall.c
+++ b/src/core/killall.c
@@ -23,6 +23,7 @@
 #include <unistd.h>
 
 #include "alloc-util.h"
+#include "def.h"
 #include "fd-util.h"
 #include "formats-util.h"
 #include "killall.h"
@@ -33,8 +34,6 @@
 #include "terminal-util.h"
 #include "util.h"
 
-#define TIMEOUT_USEC (10 * USEC_PER_SEC)
-
 static bool ignore_proc(pid_t pid, bool warn_rootfs) {
         _cleanup_fclose_ FILE *f = NULL;
         char c;
@@ -99,7 +98,7 @@ static void wait_for_children(Set *pids, sigset_t *mask) {
         if (set_isempty(pids))
                 return;
 
-        until = now(CLOCK_MONOTONIC) + TIMEOUT_USEC;
+        until = now(CLOCK_MONOTONIC) + DEFAULT_TIMEOUT_USEC;
         for (;;) {
                 struct timespec ts;
                 int k;
-- 
cgit v1.2.3-54-g00ecf


From 2e79d1828a8da9b3af1b052297e3617905ec94f3 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 12 Jul 2016 17:26:52 +0200
Subject: shutdown: already sync IO before we enter the final killing spree

This way, slow IO journald has to wait for can't cause it to reach the killing
spree timeout and is hit by SIGKILL in addition to SIGTERM.
---
 src/core/shutdown.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

(limited to 'src')

diff --git a/src/core/shutdown.c b/src/core/shutdown.c
index e14755d84e..a795d875bb 100644
--- a/src/core/shutdown.c
+++ b/src/core/shutdown.c
@@ -157,7 +157,6 @@ static int switch_root_initramfs(void) {
         return switch_root("/run/initramfs", "/oldroot", false, MS_BIND);
 }
 
-
 int main(int argc, char *argv[]) {
         bool need_umount, need_swapoff, need_loop_detach, need_dm_detach;
         bool in_container, use_watchdog = false;
@@ -203,20 +202,25 @@ int main(int argc, char *argv[]) {
         }
 
         (void) cg_get_root_path(&cgroup);
+        in_container = detect_container() > 0;
 
         use_watchdog = !!getenv("WATCHDOG_USEC");
 
-        /* lock us into memory */
+        /* Lock us into memory */
         mlockall(MCL_CURRENT|MCL_FUTURE);
 
+        /* Synchronize everything that is not written to disk yet at this point already. This is a good idea so that
+         * slow IO is processed here already and the final process killing spree is not impacted by processes
+         * desperately trying to sync IO to disk within their timeout. */
+        if (!in_container)
+                sync();
+
         log_info("Sending SIGTERM to remaining processes...");
         broadcast_signal(SIGTERM, true, true);
 
         log_info("Sending SIGKILL to remaining processes...");
         broadcast_signal(SIGKILL, true, false);
 
-        in_container = detect_container() > 0;
-
         need_umount = !in_container;
         need_swapoff = !in_container;
         need_loop_detach = !in_container;
@@ -345,10 +349,10 @@ int main(int argc, char *argv[]) {
                           need_loop_detach ? " loop devices," : "",
                           need_dm_detach ? " DM devices," : "");
 
-        /* The kernel will automaticall flush ATA disks and suchlike
-         * on reboot(), but the file systems need to be synce'd
-         * explicitly in advance. So let's do this here, but not
-         * needlessly slow down containers. */
+        /* The kernel will automatically flush ATA disks and suchlike on reboot(), but the file systems need to be
+         * sync'ed explicitly in advance. So let's do this here, but not needlessly slow down containers. Note that we
+         * sync'ed things already once above, but we did some more work since then which might have caused IO, hence
+         * let's doit once more. */
         if (!in_container)
                 sync();
 
-- 
cgit v1.2.3-54-g00ecf