Tired of PID files, needing root access, and writing init scripts just to have your UNIX apps start when your server boots? Want a simpler, better alternative that will also restart them if they crash? If so, then read this quick-start introduction to process supervision with runit/daemontools.
Background
Classic init scripts, e.g. /etc/init.d/apache, are widely used for
starting processes at system boot time, when they are executed by
init. Sadly, init scripts are cumbersome and error-prone to write,
they must typically be edited and run as root, and the processes they
launch do not get restarted automatically if they crash.
In an alternative scheme called “process supervision”, each important
process is looked after by a tiny supervising process, which deals
with starting and stopping the important process on request, and
re-starting it when it exits unexpectedly. Those supervising
processes are in turn reliably supervised by other supervising
processes, in a hierarchy extending up to the “master” UNIX process
with PID 1, typically init.
(The process supervision pattern is long-established, and is even built into the programming language Erlang, which is used for ultra-reliable telecoms applications.)
It’s possible to replace all init scripts with supervised processes, but not necessary. As application developers we can get most of the benefits simply by using process supervision to run our applications as non-root users, leaving the init scripts in place for system services.
Daemontools and runit
Dan Bernstein (of qmail fame) wrote the seminal process supervision toolkit daemontools, which is a beautifully-designed set of small, ultra-reliable and highly-specialised programs that cooperate in the UNIX tradition to manage process supervision trees.
Runit is a more conveniently licensed and more actively maintained reimplementation of daemontools, written by Gerrit Pape.
For the purposes of this article I’ll use runit. It is widely available, and I personally use the packages for Debian and Homebrew.
Service directories and scripts
In runit parlance a “service” is simply a directory containing a ‘run’ script. More on those later.
There are just two key programs in runit. Firstly, runsv supervises
the process for an individual service. Service directories themselves
sit inside a containing directory, and the runsvdir program
supervises that directory, running one child runsv process for the
service in each subdirectory. Out of the box on Debian, for example,
an instance of runsvdir supervises services in subdirectories of
/var/service/.
Let’s add a simple play service, as root for now:
# mkdir /etc/runit/sleeper
Now we create a run script for the service; run scripts should not
fork, exit or maintain their own PID files. We’ll use a 5-minute
sleep command to simulate a long-running service that occasionally
crashes. We create /etc/runit/sleeper/run as follows:
#!/bin/sh -e
exec sleep 300
And we make it executable:
# chmod +x /etc/runit/sleeper/run
Remember that runsvdir is actually watching /var/service/ – watch
what happens when we make our service definition appear there:
# ln -s /etc/runit/sleeper /var/service/sleeper
Now pstree shows us this:
init-+-atd
|-cron
.........
|-runsvdir---runsv---sleep
`-sshd
Yes, runsvdir noticed the new service, and started running it with its own runsv.
To stop and start the service, we talk to that runsv process using the sv utility:
# sv status sleeper
run: sleeper: (pid 32493) 147s
# sv stop sleeper
ok: down: sleeper: 1s, normally up
# sv status sleeper
down: sleeper: 4s, normally up
Note that if we tell the service to stop, it stays stopped.
However, when the service is running then runsv will attempt to keep
it running; if the service exits unexpectedly, then runsv will restart
it automatically within a few seconds:
# sv start sleeper
ok: run: sleeper: (pid 32627) 0s
# sv restart sleeper
ok: run: sleeper: (pid 32629) 0s
# killall sleep
# sv status sleeper
run: sleeper: (pid 32631) 4s
Our sleeper service will be started by runsvdir when the operating system starts up. (runsvdir itself is typically run from - and supervised reliably by - init.)
If we remove the sleeper symlink from /var/service/, then the
sleeper process will be stopped and removed from the supervision
tree.
Why the symlink?
Keeping our service definitions in one directory (/etc/runit/) lets us
start them manually in order to debug our run scripts, before
putting the services under the control of runit by adding symlinks
under /var/service.
Reliable services for unprivileged users
Using this machinery, we can arrange for non-root users to have
supervised services too. We simply give our application user (login
appuser) a ~/service directory, and then set up a service under
/var/service that will reliably run an instance of runsvdir for that
directory with appuser’s privileges:
# mkdir /etc/service/appuser
The run script at /etc/service/appuser/run looks like this:
#!/bin/sh -e
exec 2>&1
exec chpst -u appuser runsvdir /home/appuser/service 'log: ...........................................................................................................................................................................................................................................................................................................................................................................................................'
Now appuser can create (or symlink) services under
~appuser/service, and they will be managed in the same reliable
manner as our global sleeper service earlier.
Note that appuser must pass the full path to his services when
controlling them using sv, since sv otherwise assumes that service
names correspond to service directories under /var/service:
% sv restart ~/service/myapplication
The following is an example process tree on a server running three
applications, each as its own user with a ~/service directory:
init-+-atd
|-lighttpd
.......
|-postgres---11*[postgres]
|-runsvdir-+-runsv---runsvdir-+-2*[runsv---ruby---{ruby}]
| | |-3*[runsv---mongrel_rails---{mongrel_rails}]
| | `-runsv---pen
| |-runsv---runsvdir-+-runsv---ruby---{ruby}
| | |-5*[runsv---mongrel_rails---{mongrel_rails}]
| | `-runsv---pen
| `-runsv---runsvdir-+-runsv---mongrel_rails---{mongrel_rails}
| `-runsv---pen
`-sshd
Debugging service definitions
If runsvdir is unable to execute a run script for some reason, then
by default it will write log messages to its process title: look at
the output of ps aux for a clue (this is the reason for the long
...... line above). If possible, try starting your run script by
hand before symlinking the service directory into the location
runsvdir is watching.
Other capabilities
Runit can do much more than I have presented here; it can manage
reliable logging of stdout/stderr output as an alternative to (or
in addition to) syslog; take a look at svlogd. Setting up logging can
make it much easier to figure out why services don’t seem to be
starting correctly.
Simple mechanisms also exist for specifying dependencies between services, such that one will not start before another is up and running. That’s typically less an issue for application administrators than it is for system administrators.
Under the covers
The design of runit is full of elegant touches; for example, runsv
creates a supervision subdirectory of the service directory it is
supervising. In that directory it writes a PID file and a named pipe
connected to itself. svthen simply writes rudimentary commands to
the pipe, to which runsv then reacts.
Monitoring tools such as monit can be easily configured to report on the status of service processes by pointing them at the PID files.
Unprivileged processes, privileged ports
Sometimes people run applications as root simply because they need to listen on privileged ports (ie. ports below 1024). If you need such a port, you can still run your application as an unprivileged service; consider using iptables or a tcp proxy like pen to proxy that port through to your unprivileged runit services listening on unprivileged ports.
More
If you found this article helpful, or want to read my forthcoming article about reliably running Ruby on Rails applications using runit, please subscribe to my feed.
Comments