Hey Troy,

Are you actually seeing a *problem*, or is it just the log noise that's
a concern?

Quoting Troy Farrell (2021-01-25 21:10:59)
> Also, I don't know how best to get the signal to the database server,
> so I'll have to work that out. I suspect that the Sandstorm HTTP
> bridge would receive the signal, and not pass it along to the other
> processes.

With the current situation you can't; SIGKILL is special in that it
cannot be caught, and will kill the entire grain instantly, giving it no
chance to respond.

> I wonder if having Sandstorm send a SIGINT before a SIGKILL might be a
> reasonable thing to try.

This has come up a couple times before, and the consensus is it is not a
good idea. We should probably have an FAQ somewhere, but:

Sandstorm subscribes to a school of thought wrt the design of server
software that usually goes under the heading "crash only software" --
the idea is, if you include a "clean shutdown" command or the like
for your server, all you've really achieved is making sure the recovery
code path never gets tested. Ultimately there's nothing Sandstorm can do
to save apps from unclean shutdowns -- power outages happen, and so an
app *must* be able to recover. Not giving apps a way to "clean up"
before shutdown means that recovery after a crash is likely to be well
tested.

Fortunately any database worth its salt can recover just fine after a
crash -- postgres included -- so unless the app is actually misbehaving
in some way I would just not worry about it.

-Ian
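
The crash-only argument in the message above, as an added example that is not part of the original thread and not Sandstorm's code: a child process appends to a journal, is stopped with SIGKILL, and the same startup recovery that runs on every launch discards the torn tail. The record format (length + CRC32 header) and all function names are assumptions made for illustration; it relies on `os.fork`, so POSIX only.

```python
import os, signal, struct, time, zlib

HDR = struct.Struct("<II")  # assumed record header: payload length, CRC32

def append(f, payload):
    f.write(HDR.pack(len(payload), zlib.crc32(payload)) + payload)
    f.flush()

def recover(path):
    """Startup path, run every time: keep the valid prefix, drop a torn tail."""
    records, good = [], 0
    with open(path, "r+b") as f:
        data = f.read()
        while good + HDR.size <= len(data):
            n, crc = HDR.unpack_from(data, good)
            body = data[good + HDR.size:good + HDR.size + n]
            if len(body) < n or zlib.crc32(body) != crc:
                break  # incomplete or corrupt record: stop here
            records.append(body)
            good += HDR.size + n
        f.truncate(good)
    return records

def sigkill_is_catchable():
    try:
        signal.signal(signal.SIGKILL, lambda *a: None)
        return True
    except (OSError, ValueError):
        return False  # the kernel refuses a handler for SIGKILL

def crash_and_recover(path):
    pid = os.fork()
    if pid == 0:  # child plays the app: appends until it is killed
        try:
            with open(path, "ab") as f:
                i = 0
                while True:
                    append(f, b"record-%d" % i)
                    i += 1
        finally:
            os._exit(1)
    while not os.path.exists(path) or os.path.getsize(path) < 4096:
        time.sleep(0.01)
    os.kill(pid, signal.SIGKILL)  # no warning, no chance to clean up
    _, status = os.waitpid(pid, 0)
    with open(path, "ab") as f:  # constructed torn write: header claims 100 bytes
        f.write(HDR.pack(100, 0) + b"torn")
    return os.WTERMSIG(status), recover(path)
```

`crash_and_recover(path)` returns the signal that ended the child and the records that survived; the directory containing `path` must already exist.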