| Subject: | [PATCH] Restarting DHCP safely whilst avoiding partner-down state |
| Date: | Mon, 16 May 2016 16:58:36 +0100 |
| To: | dhcp-suggest@isc.org, dhcp-bugs@isc.org, "Shawn Routhier" <sar@isc.org> |
| From: | "Terry Burton" <tez@terryburton.co.uk> |
Dear sir/madam,
The following contribution is the result of a discussion [1] on the
dhcp-users mailing list, but I am also forwarding to these address as
suggested here [2].
Known related bugs are: #32692, #34945, #36066.
[1] https://lists.isc.org/pipermail/dhcp-users/2016-May/020071.html
[2] https://www.isc.org/git/guidelines/
Many thanks,
Terry
---------- Forwarded message ----------
From: Terry Burton <tez@terryburton.co.uk>
Date: 16 May 2016 at 14:11
Subject: [PATCH] Re: Restarting DHCP safely whilst avoiding partner-down state
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
On 13 May 2016 at 20:30, Terry Burton <tez@terryburton.co.uk> wrote:
>
> So currently there are no trap handlers for SIGTERM or SIGINT and
> therefore no cleanup whatsoever at exit.
>
> There is a compiled-out option ENABLE_GENTLE_SHUTDOWN which installs
> handlers for these signals but when this was activated it implemented
> the harmful semantics of putting the server through a
> recovery+partner-down transition which isn't useful for a quick
> configuration reload:
>
> /* Enable the gentle shutdown signal handling. Currently this
> means that on SIGINT or SIGTERM a client will release its
> address and a server in a failover pair will go through
> partner down. Both of which can be undesireable in some
> situations. We plan to revisit this feature and may
> make non-backwards compatible changes including the
> removal of this define. Use at your own risk. */
> /* #define ENABLE_GENTLE_SHUTDOWN */
>
> #if defined(ENABLE_GENTLE_SHUTDOWN)
> /* no signal handlers until we deal with the side effects */
> /* install signal handlers */
> signal(SIGINT, dhcp_signal_handler); /* control-c */
> signal(SIGTERM, dhcp_signal_handler); /* kill */
> #endif
>
> Having a more basic signal handler that defers the exit in order to
> continue to write out an outstanding lease seems better. Perhaps once
> could even differentiate these exit semantics based on SIGINT vs
> SIGTERM.
>
> If someone who can speak for ISC is able to indicate whether this
> would be a sensible approach then I am happy to work up a patch.
Dear ISC DHCP devs,
Please could you review and if suitable pull the following:
https://github.com/terryburton/isc-dhcp/commit/90f6e8617f13b7bc9575d275bd37b7a418b6139d
As a patch (also attached):
https://github.com/terryburton/isc-dhcp/commit/90f6e8617f13b7bc9575d275bd37b7a418b6139d.diff
Summary below...
Many thanks,
Terry
----
Safely shutdown dhcpd when signalled.
This patch reintroduces signal handlers to ensure that dhcpd safely exits when
signalled mitigating the existing risk that the leases file is truncated at
shutdown.
It provides the expected behaviour that SIGTERM and SIGINT will cause a safe
shutdown that does not place a failover pair into recovery on restart, so they
remain suitable for a basic configuration reload - only safer.
Using OMAPI to set the state of a control object to shutdown (2) retains the
existing behaviour of placing the peer into partner-down and performing a
recovery on restart. Equivalently, SIGUSR2 will now shutdown dhcpd and perform
a recovery on restart.
SIGTERM, SIGINT - Clean shutdown, suitable for a configuration reload.
SIGUSR2, OMAPI - Put failover peer into partner-down state and exit performing
a recovery on startup, suitable for an extended outage.
Since this is intended to be a sane set of defaults the GENTLE_SHUTDOWN define
no longer applies to dhcpd, i.e. safe handling of signals for selectable
operational semantics is provided by default.
Message body is not shown because sender requested not to inline it.