Shut down gracefully on SIGTERM.

[igorpeshansky]

This doesn't fully work, because the agent gets stuck waiting on joining threads, but a second SIGTERM usually does the trick. It does shut down the server first, though.

[supriyagarg]

Why is the exit code 128 + signum?

[igorpeshansky]

Unix tradtion: http://tldp.org/LDP/abs/html/exitcodes.html.

[supriyagarg]

Is this line required given the lock guard in L84?
Alternatively, should this lock be released after server.start()?

[igorpeshansky]

The lock guard was supposed to deadlock this thread to prevent it from going into the destructor. However, with the suggestion from @bmoyles0117, this is no longer necessary.

[bmoyles0117]

We need to find some way of doing this in parallel. If the first updater gets stuck while stopping, it shouldn't prevent the other updaters from a fair chance of shutting down.

[igorpeshansky]

This is a good point, but I think we can just request that the implementation of these methods does not block.

[bmoyles0117]

What do you think about having a cleanup_state.wait() method that can manage the lock instead?

[igorpeshansky]

Good idea. In fact, it should encapsulate the stopping of the server/updaters as well. Done.

[igorpeshansky]

PTAL.

[igorpeshansky]

Unix tradtion: http://tldp.org/LDP/abs/html/exitcodes.html.

[igorpeshansky]

This is a good point, but I think we can just request that the implementation of these methods does not block.

[igorpeshansky]

Good idea. In fact, it should encapsulate the stopping of the server/updaters as well. Done.

[igorpeshansky]

The lock guard was supposed to deadlock this thread to prevent it from going into the destructor. However, with the suggestion from @bmoyles0117, this is no longer necessary.

[supriyagarg]

LGTM

[bmoyles0117]

Let's rename this PR to focus on the fact that we're handling server shutdowns.

"Ensure that the http server shuts down on sigterm."

[bmoyles0117]

If we're not going to use this, let's remove it for now.

[igorpeshansky]

Done.

[bmoyles0117]

As we're renaming stop to notifyStop, we should rename this accordingly.

[igorpeshansky]

Renamed.

[bmoyles0117]

Let's rename this to notifyStop, or something similar to ensure that it's clear that this simply signals threads that we're shutting down.

[igorpeshansky]

This specific one does stop listening to the socket, so I would keep this as Stop.

[igorpeshansky]

I got everything to shut down cleanly by eliminating all thread::join() calls from the shutdown path. PTAL.

[igorpeshansky]

Done.

[igorpeshansky]

Renamed.

[igorpeshansky]

This specific one does stop listening to the socket, so I would keep this as Stop.

[bmoyles0117]

Is this guaranteed to be enough time?

[igorpeshansky]

Empirically, smaller delays were also sufficient, as this just needs enough time for the thread to notice the timer unlock notification and exit the loop. For poller threads, even if it doesn't, nothing bad is going to happen, so I hesitate to introduce a larger wait here.

[bmoyles0117]

It seems to me, that unlocking the server_wait_mutex is essentially a noop, so why wait at all?

[igorpeshansky]

Unlocking server_wait_mutex allows the destructors to start executing, which will start joining threads. More cleanup that can proceed in parallel.

[bmoyles0117]

SGTM

[bmoyles0117]

If we have Stop in this destructor, should we also call stop in MetadataAgent's destructor for consistency? I'm primary concerned about the inconsistency, I'm not sure what the negative effects would be.

[igorpeshansky]

MetadataAgent's destructor will deallocate both the API server and the reporter, which will invoke their respective destructors.

[bmoyles0117]

I'm confused, why are we calling Stop from MetadataAgent, if we're relying on the destructor? I may not be clear, but it seems confusing that stop gets propagated through multiple channels simultaneously.

https://github.com/Stackdriver/metadata-agent/pull/136/files#diff-61b93c57ea92f91ec66fdd4a280d8e8bR40

[igorpeshansky]

Stop() is idempotent. It's just a notification under the covers, so it's ok to call it more than once. Calling it from the destructor guarantees that the server will also shut down cleanly when the object is deleted.

[bmoyles0117]

SGTM

[bmoyles0117]

Exit code should be 0 if we terminate successfully. If it's anything but 0, Kubernetes will think that the pod crashed.

[igorpeshansky]

This will only happen when a pod is killed by a health check. Do we really want to report a successful exit in that case? I seem to recall that there was a distinction in pod restart behavior between success and failure exits...

[bmoyles0117]

I believe that we do, as this is the way we have implemented it for the logging agent (we didn't do anything to explicitly return 0, it just does, when it exits cleanly.)

[igorpeshansky]

That's a fluentd thing. Any other process will exit with exactly this exit code (i.e., 143) on SIGTERM. That's just a Unix convention. I bet heapster would exit with 143 as well.

[bmoyles0117]

We spoke offline, I believe we're going to go with a 0 exit status code on a healthy exit after looking further into how it could positively impact docker.

[igorpeshansky]

Done.

[igorpeshansky]

PTAL

[igorpeshansky]

Unlocking server_wait_mutex allows the destructors to start executing, which will start joining threads. More cleanup that can proceed in parallel.

[igorpeshansky]

That's a fluentd thing. Any other process will exit with exactly this exit code (i.e., 143) on SIGTERM. That's just a Unix convention. I bet heapster would exit with 143 as well.

[igorpeshansky]

Stop() is idempotent. It's just a notification under the covers, so it's ok to call it more than once. Calling it from the destructor guarantees that the server will also shut down cleanly when the object is deleted.

[bmoyles0117]

LGTM 🛰