[Users] Debian-style init scripts considered harmful?

Steve Wray steve.wray at cwa.co.nz
Wed Jul 16 21:41:24 EDT 2008

Kir Kolyshkin wrote:
> Steve Wray wrote:
>> Hi there,
>> Debian uses start-stop-daemon in the init scripts to, for one thing, 
>> stop services.
>> From the man page:
>> Note:  unless --pidfile is specified, start-stop-daemon behaves similar
>> to killall(1).  start-stop-daemon will scan the process  table  looking
>> for  any  processes  which  match the process name, uid, and/or gid (if
>> specified). Any matching process will prevent --start from starting the
>> daemon.  All  matching processes will be sent the KILL signal if --stop
>> is specified. For daemons which have long-lived children which need  to
>> live through a --stop you must specify a pidfile.
>> For example, nfs-kernel-server does not use --pidfile. It looks for 
>> nfsd processes to kill.
>> Suppose that the Openvz host and one of its guests were running NFS 
>> and, on the host, one were to run /etc/init.d/nfs-kernel-server stop
>> As I understand it this would have the side-effect of killing off the 
>> nfsd processes on the guest.
> That is right, and this is just one of the reasons why we don't 
> recommend to run anything (but the needed bare minimum like sshd) on the 
> host system.

In my case, this isn't practical; I use cfengine to manage and maintain 
virtually all of our servers. We have a lot of servers.

In fact, it was cfengine which brought this to my attention; I restarted 
it on the openvz host and then started to get nagios alerts about 
cfengine not running on any of the guests.

It was at this point that I realised that openvz isn't a virtualisation 
environment; it's a very *very* sophisticated chroot.

> There is a solution and a workaround for the problem. The solution is, 
> right, to fix bad initscripts. I mean, it's not OpenVZ-specific -- 
> relying on process names is wrong; any user can run a process named nfsd 
> and it should not be killed.
> The workaround is to introduce a feature to hide guests' processes from 
> the host system. This is implemented in OpenVZ kernels >= 2.6.24 as per 
> bug #511 (http://bugzilla.openvz.org/511).

Well I look forward to trying this out some time!
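The two ways of picking the process to stop that the quoted man page describes, as an added shell example (not code from this thread, from Debian, or from OpenVZ): match_by_name() does the selection a pidfile-less start-stop-daemon --stop does, scanning the process table for a command name, and only lists what it would hit; safe_stop() is the pidfile-based alternative, extended with a check that the PID still belongs to the expected program before any signal is sent. Function names, return codes and pidfile paths are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or any Debian init script.
# Contrasts name-based process selection (what a pidfile-less
# start-stop-daemon --stop does) with a pidfile plus identity check.
# Function names, return codes and paths are assumptions for the demo.

# Command name the kernel records for PID, or nothing if it cannot be read.
proc_comm() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null
    fi
}

# Print every PID whose command name equals NAME. This is the killall-like
# selection: it cannot tell the host's own daemon from a same-named process
# started by another user or running inside a guest. It only lists, never
# signals, so the damage a name-based stop would do can be inspected safely.
match_by_name() {
    name="$1"
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ "$(proc_comm "$pid")" = "$name" ] && echo "$pid"
    done
    return 0
}

# safe_stop PIDFILE EXPECTED_NAME
# Returns 0 after sending SIGTERM to the recorded PID,
#         1 if the pidfile is missing or holds no number,
#         2 if no process has that PID (stale pidfile),
#         3 if the PID now belongs to some other program (PID reuse, or a
#           pidfile that was never ours).
# In cases 1-3 nothing is signalled.
safe_stop() {
    pidfile="$1"; expected="$2"
    [ -r "$pidfile" ] || return 1
    pid=$(tr -dc '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    { [ -d "/proc/$pid" ] || kill -0 "$pid" 2>/dev/null; } || return 2
    [ "$(proc_comm "$pid")" = "$expected" ] || return 3
    kill -TERM "$pid"
}
```

Sourced into an init script, the stop action becomes something like `safe_stop /var/run/nfsd.pid nfsd` (path assumed), and `match_by_name nfsd` shows how many unrelated processes a name scan would have signalled instead. The identity check matters even with a pidfile: once the daemon has exited, its PID can be handed to a new, unrelated process, and a stale pidfile would otherwise point the stop action at it.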
