lightningd: make shutdown smoother and safer

[SimonVrouwe]

Another proof of concept (should I make this a draft PR?), to address issues raised in #4785 #4790 and #4883

The point of shutdown is to break-down or reduce activity. Starting a new io_loop in order to write shutdown notifications to plugins and wait for them to terminate, should not trigger new activity other then logging and (maybe?) notifications.

So before restarting this io_loop we shutdown subdaemons and disable handling of all JSON RPC requests and responses with an "id" field in it. Hook callback's will abandon already and without subdaemons or JSON RPC no new hooks can be called. All of that should prevent any db_write's and we can safely start the io_loop and shutdown all plugins.

Also cleans up some dead code related to unused destroy_utxos destructor.

TODO:

• documentation

[SimonVrouwe]

Rebased.

A little back and forth on what to do with RPC command in shutdown: failing them results in some ** BROKEN ** logs by plugins that subscribed to shutdown (all build-in plugins in DEVELOPER=1) which happen to receive the result of a (previous) RPC command when waiting in the 30s shutdown loop. This could be solved by lightningd not returning any result (command_still_pending forever) when in shutdown. But that would make RPC calls made (maybe just by chance) in the 30s shutdown loop hang forever which is not nice in my opinion.

So I choose to return error code -32601 with message lightningd is shutting down and will see if its possible to not make our tests fail on that particular error.

@cdecker BTW: I see #4883 was closed, but that test (same as 9aeeae5 in this PR) about consistent hook-semantics-in-shutdown still fails on v0.10.2rc2

[cdecker]

@cdecker BTW: I see #4883 was closed, but that test (same as 9aeeae5 in this PR) about consistent hook-semantics-in-shutdown still fails on v0.10.2rc2

Sorry about that, i must've tagged the wrong issue in the PR.

[SimonVrouwe]

Considered all these troubles and the fact that shutdown notification is currently only used for build-in plugin's to do a memleak_check:

lightning/plugins/libplugin.c

Lines 1265 to 1267 in 1268967

	bool is_shutdown = streq(cmd->methodname, "shutdown");
	if (is_shutdown)
	memleak_check(plugin, cmd);

No intention to hold up the release but if there is no time, maybe the shutdown notification can be made a developer-only option (for now)? Before plugin developers get the wrong impression what they can or should do with it.

[ZmnSCPxj]

No intention to hold up the release but if there is no time, maybe the shutdown notification can be made a developer-only option (for now)? Before plugin developers get the wrong impression what they can or should do with it.

I object! It should be a developer-only option forever. I think plugins should really just handle EOF on their input, as that handles the case where lightningd crashes unexpectedly.

[rustyrussell]

Probably drop final commit?

[ZmnSCPxj]

How about deprecating the shutdown notification and instead create a new clean-shutdown chainable hook?

Then the shutdown command first triggers the hook and waits for all registered plugins to handle the hook before it actually sets the internal flag.

Using a hook provides cleaner semantics: we know exactly when plugins have finished whatever clean-shutdown-related work they have, because then they would respond with {"result": "continue"}. No more phasing and no more heuristic-based waiting --- what if the node scales up and clean shutdown requires more than 30 seconds for a plugin to handle?

It also strongly implies that it only works for a clean shutdown, and not for all shutdown conditions. Plugins are still strongly encouraged to not break if lightningd dies from under them.

[SimonVrouwe]

Still one failing test test_hsmtool_secret_decryption.
I managed to reproduce the hang, but it only happens occasionally, but by setting TIMEOUT in pyln.testing.utils to large value and then:
while pytest tests/ -s -k 'test_hsmtool_secret_decryption' --maxfail=1; do echo "ok"; done
after a while one of the runs seems to hang, only printing lines gossipd: seeker: no peers, waiting
(NOTE: I was also running a full pytest /tests in another terminal, not sure if relevant.)

But it seems to hang on
tools/hsmtool decrypt /tmp/ltests-x5nqrv48/test_hsmtool_secret_decryption_1/lightning-1/regtest/hsm_secret

connect gdb to that, show backtrace:

0x00007f109fc1a461 in __GI___libc_read (fd=0, buf=0x559ab854d1e0, nbytes=1024) at ../sysdeps/unix/sysv/linux/read.c:26
26      ../sysdeps/unix/sysv/linux/read.c: No such file or directory.
(gdb) bt
#0  0x00007f109fc1a461 in __GI___libc_read (fd=0, buf=0x559ab854d1e0, nbytes=1024) at ../sysdeps/unix/sysv/linux/read.c:26
#1  0x00007f109fbac670 in _IO_new_file_underflow (fp=0x7f109fceba00 <_IO_2_1_stdin_>) at libioP.h:839
#2  0x00007f109fba0e38 in _IO_getdelim (lineptr=0x7fff42ec6d10, n=0x7fff42ec6d18, delimiter=10, fp=0x7f109fceba00 <_IO_2_1_stdin_>) at iogetdelim.c:73
#3  0x0000559ab66f317b in getline_stdin_pass (passwd=0x7fff42ec6d10, passwd_size=0x7fff42ec6d18) at common/hsm_encryption.c:83
#4  0x0000559ab66f3316 in read_stdin_pass (reason=0x7fff42ec6de0) at common/hsm_encryption.c:111
#5  0x0000559ab66c0340 in decrypt_hsm (hsm_secret_path=0x7fff42ec8192 "/tmp/ltests-x5nqrv48/test_hsmtool_secret_decryption_1/lightning-1/regtest/hsm_secret") at tools/hsmtool.c:172
#6  0x0000559ab66c191c in main (argc=3, argv=0x7fff42ec7008) at tools/hsmtool.c:599

is somewhere here in our test

lightning/tests/test_wallet.py

Lines 1083 to 1090 in efeb1bc

	# We can't use a wrong password !
	master_fd, slave_fd = os.openpty()
	hsmtool = HsmTool("decrypt", hsm_path)
	hsmtool.start(stdin=slave_fd,
	stdout=subprocess.PIPE, stderr=subprocess.PIPE)
	hsmtool.wait_for_log(r"Enter hsm_secret password:")
	write_all(master_fd, "A wrong pass\n\n".encode("utf-8"))
	hsmtool.proc.wait(WAIT_TIMEOUT)

Well at least we know where to look now.
Maybe the test framework can be tweaked, so that in case the TimeoutError is raised, it looks around for such hangs and show back traces in log report?

[SimonVrouwe]

Rebased, modified commit messages but no code changes except 2 suggestion made by rustyrussel
and added a commit that fixes the hsmtool hang by using TSCANOW flag (for the interested, have a look at this demo )

Added documentation.

[SimonVrouwe]

I think this can be merged.

How about deprecating the shutdown notification and instead create a new clean-shutdown chainable hook?

@ZmnSCPxj Not sure if it needs to be depricated, this PR makes it safe I think but it needs documentation.

I agree with a clean-shutdown hook, but how many use cases are there? Some of such functionality can be also accomplished with a method shutdown_clean such as in this example.

[SimonVrouwe]

Bugs keep coming.

Rebased it again, mostly a change to fix the (previous) failure, by adding checks around io_break calls.

lightning/lightningd/jsonrpc.c

Lines 980 to 982 in ff0d591

	if (jcon->ld->stop_conn == conn && jcon->ld->state == LD_STATE_RUNNING) {
	/* Return us to toplevel lightningd.c */
	io_break(jcon->ld);

lightning/lightningd/plugin.c

Line 194 in ff0d591

io_break(destroy_plugin);

lightning/lightningd/plugin.c

Line 2089 in ff0d591

io_break(plugin_shutdown_timeout);

lightning/lightningd/plugin.c

Lines 2119 to 2120 in ff0d591

	void *ret = io_loop_with_timers(ld);
	assert(ret == plugin_shutdown_timeout || ret == destroy_plugin);

Maybe something similar is useful for #4936?

[rustyrussell]

Ack ff0d591

[rustyrussell]

This would be far neater as a enum lightningd_state, but we can patch that afterwards.

[rustyrussell]

I theory this can break our debug tests is list_del_from() if a timer were to delete itself, but luckily we don't use that.

[rustyrussell]

OK, I have a fix for the leak valgrind discovered, in my other PR (#4921) so I'll apply this after that one...

[rustyrussell]

Actually, applying this now since it fixes the hsm encryption flake which is hitting our other PRs!