[PATCH shepherd] Allow replacement of services

> This is a relatively simple patch adding a replacement slot to

> services in the Shepherd. When stopping a service, the replacement

> slot is checked and, if it has a value, is used to upgrade the current

> service.

>

> I've chosen to modify the existing service, rather than creating a new

> one, but that was mostly because it was easier for me to implement

> quickly, and I didn't have a huge amount of time.

>

> I'm hopeful that this, or something like it, can be used by GuixSD to

> allow people to restart services after reconfiguring without rebooting

> (or remembering to stop, reconfigure, start).

> From e03290041c91813f1a301c7e9c4dbb9ee768b400 Mon Sep 17 00:00:00 2001

> From: Carlo Zancanaro <carlo@zancanaro.id.au>

> Date: Thu, 9 Aug 2018 22:30:38 +1000

> Subject: [PATCH] service: Add a replacement slot for delayed service

> replacement.

>

> * modules/shepherd/service.scm (<service>): Add replacement slot

> (replace-service): New procedure.

> (stop): Call replace-service after stopping a service.

> * tests/replacement.sh: Add a test for it.

> * Makefile.am (TESTS): Add the new test.

> * doc/shepherd.texi (Slots of services): Document it.

> +(define (replace-service service)

> + (let ((replacement (slot-ref service 'replacement)))

> + (define (copy-slot! slot)

> + (slot-set! service slot (slot-ref replacement slot)))

> + (when replacement

> + (copy-slot! 'provides)

> + (copy-slot! 'requires)

> + (copy-slot! 'respawn?)

> + (copy-slot! 'start)

> + (copy-slot! 'stop)

> + (copy-slot! 'actions)

> + (copy-slot! 'running)

> + (copy-slot! 'docstring))

> + service))

> +cat - > "$rconf"<<EOF

> +(let ((service (lookup-running 'test)))

> + (slot-set! service 'replacement

> + (make <service>

> +if test `cat $stamp` != "Goodbye"; then

> We’ll still want to be able to special-case things like nginx

> that can be “hot-replaced”, though. So perhaps, in addition to

> this patch on the Shepherd side, we’ll need extra stuff in (gnu

> services shepherd).

> For instance, the ‘actions’ field of <shepherd-service> could,

> by default, include an “upgrade” action that simply sets the

> ‘replacement’ slot. For nginx, we’d provide a custom “upgrade”

> action that does “nginx -s restart” or whatever it is that needs

> to be done.

>

> ‘guix system reconfigure’ would automatically invoke the

> ‘upgrade’ action for each new service.

>

> WDYT?

>> + (let ((replacement (slot-ref service 'replacement)))

>> + (define (copy-slot! slot)

>> + (slot-set! service slot (slot-ref replacement slot)))

>> + (when replacement

>> + (copy-slot! 'provides)

>> + (copy-slot! 'requires)

>> + (copy-slot! 'respawn?)

>> + (copy-slot! 'start)

>> + (copy-slot! 'stop)

>> + (copy-slot! 'actions)

>> + (copy-slot! 'running)

>> + (copy-slot! 'docstring))

>> + service))

>

> Having a hardcoded list of slots sounds error-prone—surely we’ll

> forget to update it down the road. I wonder what else could be

> done.

>

> One option would be to grab the block asyncs and atomically

> replace the service in the ‘%services’ hash table. Then we only

> need to copy the ‘last-respawns’ slot to the new service, I

> believe. (This changes the object identity of the service but I

> think its OK.)

>

> Another option would be to use GOOPS tricks to iterate over the

> list of slots and have a list of slots *not* to copy. I’m not a

> big fan of this option, though.

>> +(let ((service (lookup-running 'test)))

>> + (slot-set! service 'replacement

>> + (make <service>

>

> I wonder if we should let users fiddle with ‘replacement’

> directly, or if we should provide a higher-level construct.

>

> For instance, ‘register-services’ could transparently set the

> ‘replacement’ field for services already registered instead of

> doing:

>

> (assert (null? (lookup-services (canonical-name new))))

>

> Not sure if there are cases where this behavior would be

> undesirable, though.

>

> Thoughts?

> On Tue, Aug 21 2018, Ludovic Courtès wrote:

>> For instance, the ‘actions’ field of <shepherd-service> could, by

>> default, include an “upgrade” action that simply sets the

>> ‘replacement’ slot. For nginx, we’d provide a custom “upgrade”

>> action that does “nginx -s restart” or whatever it is that needs to

>> be done.

>>

>> ‘guix system reconfigure’ would automatically invoke the ‘upgrade’

>> action for each new service.

>>

>> WDYT?

>

> How many services can we meaningfully upgrade like this?

> My understanding is that most of our system services a fed an immutable

> configuration file, and thus restarting/reloading won't actually

> upgrade them. In order to make an upgrade action work the service

> would have to mutate itself into a new correct configuration, as well

> as restarting/reloading the underlying daemon. It's even trickier if

> the daemon itself has been upgraded, because then the process will

> have to be restarted anyway.

> At any rate, I think the replacement mechanism (this patch) is just

> one way that a service can be reloaded. It would probably be a good

> idea to create a higher-level abstraction over it. I think other

> mechanisms (like a upgrade/reload action) should be handled on the

> Guix side of things.

>>> + (let ((replacement (slot-ref service 'replacement)))

>>> + (define (copy-slot! slot)

>>> + (slot-set! service slot (slot-ref replacement slot)))

>>> + (when replacement

>>> + (copy-slot! 'provides)

>>> + (copy-slot! 'requires)

>>> + (copy-slot! 'respawn?)

>>> + (copy-slot! 'start)

>>> + (copy-slot! 'stop)

>>> + (copy-slot! 'actions)

>>> + (copy-slot! 'running)

>>> + (copy-slot! 'docstring))

>>> + service))

>>

>> Having a hardcoded list of slots sounds error-prone—surely we’ll

>> forget to update it down the road. I wonder what else could be

>> done.

>>

>> One option would be to grab the block asyncs and atomically replace

>> the service in the ‘%services’ hash table. Then we only need to

>> copy the ‘last-respawns’ slot to the new service, I believe. (This

>> changes the object identity of the service but I think its OK.)

>>

>> Another option would be to use GOOPS tricks to iterate over the list

>> of slots and have a list of slots *not* to copy. I’m not a big fan

>> of this option, though.

>

> My favourite option for this would be to separate the <service> object

> into an immutable <service> and a mutable <service-state>. The

> <service-state> object would have a reference to a <service> object in

> order to invoke actions on it, and it could also hold a second

> <service> object as a replacement. Then the swap would be much more

> straightforward. I haven't done any real work towards this, though.

> In the short term, I'd rather replace it in the %services hash

> table. I did it by copying slots because I wasn't sure I would get the

> details of the swap right and didn't have time to properly work out

> how to do it. I'll give it a go!

>>> +(let ((service (lookup-running 'test)))

>>> + (slot-set! service 'replacement

>>> + (make <service>

>>

>> I wonder if we should let users fiddle with ‘replacement’ directly,

>> or if we should provide a higher-level construct.

>>

>> For instance, ‘register-services’ could transparently set the

>> ‘replacement’ field for services already registered instead of

>> doing:

>>

>> (assert (null? (lookup-services (canonical-name new))))

>>

>> Not sure if there are cases where this behavior would be

>> undesirable, though.

>>

>> Thoughts?

>

> With this current patch the replacement field is only checked at the

> point when the service is stopped, so the field could only be set when

> the service is actually running. I think it makes the most sense to

> just replace the service directly if it's not stopped.

>

> I can't think of any undesirable cases, but having a higher-level

> interface is a good idea.

> At the very least we need to control the inherent race condition

> involved in (if running? do-x do-y) for if the service is stopped

> after the running? check. At the moment I think the only thing we have

> to worry about there is signals, but if we're going to move to have

> more parallelism through fibers then we might need to be even more

> careful.

> herd eval root '(register-services (load "a.scm") (load

> "b.scm"))'

>> At the very least we need to control the inherent race

>> condition [...]

>

> Indeed.

> I've attached an updated patch. I couldn't think of any unwanted

> consequences, so I took your idea of making register-services handle

> most of the details of replacement. With my patch, something like

>> herd eval root '(register-services (load "a.scm") (load

>> "b.scm"))'

> will deal with a conflict by either replacing the old service (if it's

> not running), arranging for the old service to be replaced when it's

> stopped, or raising an error. This seems like a sensible way for

> things to function.

> Despite my desire to deal with the race condition, I haven't done

> anything about it in this patch. The modification of %services that

> was done in register-services was already racy, and I don't think this

> patch will make it worse. If it hasn't been a problem up until now,

> then I don't think this will make it a problem.

> From 9ec5c0000e9a45441417a6ee4138cdcbf1b1f2b2 Mon Sep 17 00:00:00 2001

> From: Carlo Zancanaro <carlo@zancanaro.id.au>

> Date: Thu, 9 Aug 2018 22:30:38 +1000

> Subject: [PATCH] service: Add a replacement slot for delayed service

> replacement.

>

> * modules/shepherd/service.scm (<service>): Add replacement slot

> (replace-service): New procedure.

> (stop): Call replace-service after stopping a service.

> (register-services): Replace existing services where possible, setting the new

> replacement slot if they are currently running.

> * tests/replacement.sh: Add a test for it.

> * Makefile.am (TESTS): Add the new test.

> * doc/shepherd.texi (Slots of services): Document it.