The svclean-shutdown program

svclean-shutdown /service

The svclean-shutdown command permanently shuts down all services and loggers found in the given directory. (Loggers are not shut down until their corresponding services are down.) It creates the file "svclean/shutdown" in each service and tells supervise to take the service down and exit. When svscan restarts supervise, svclean's supervise wrapper will notice the "svclean/shutdown" file and exit without running supervise, so the filesystem(s) containing the service directories can be unmounted or remounted read-only.

svclean-shutdown takes a few seconds to run - in the current version, typically around 9 seconds - to make sure all services are really down. If it takes much longer, you may have a service that doesn't exit when it receives SIGTERM. You can find and kill such services while svclean-shutdown is running; it will exit when all services are down.

When svclean-shutdown exits 0, the intended guarantees are:

• All services and loggers are down.
• All supervises are down and will not be restarted.
• All logs have been written. (This can be thwarted if a logger has a "down" file. There is also a corner case where a supervise process might be killed while its service remains up, and svclean-shutdown would consider it successfully shut down.)

Unfortunately, there is a race condition that can result in services still being up after svclean-shutdown exits 0, but it requires that a ready-to-run process be overlooked by the kernel scheduler for a full second:

• svscan starts the supervise wrapper.
• The wrapper looks for and does not find a svclean/shutdown file, so it exec's supervise.
• The kernel ignores this supervise for a while.
• svclean-shutdown creates the svclean/shutdown file.
• svclean-shutdown sleeps for a second, to try to avoid this race condition.
• svclean-shutdown tries to do "svc -dx", but can't open the control pipe, and thus concludes that there is no supervise running and that the service is permanently down.
• The kernel finally gets back to supervise, which only now opens the control pipe to listen for commands.

I think complete, certain reliability would require patching svscan.

Using svclean-shutdown without the wrappers

svclean-shutdown can be used to shut down services that are not running under svclean's wrappers. Only the wrappers will prevent the supervises from being restarted, but svclean-shutdown is still useful to shut down services whose svscan is no longer running. Beware that without the wrappers, some logs may be lost; it's impossible to tell with certainty whether the log pipe is empty without having an open descriptor for the pipe. However, svclean-shutdown leaves the logger running for at least a second after the service is down, so the risk of losing logs when the wrappers are not in use is not too great. If you do not use the wrappers, it is recommended that you start the loggers for all services that have been up before running svclean-shutdown; if a service was running previously, but the logger was stopped before it wrote all the logs, the logs may be lost.