On Sat, Jul 9, 2016 at 7:27 PM, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
On Sat, Jul 9, 2016 at 5:09 PM, Ben Rosser <rosser.bjr@xxxxxxxxx> wrote:
> On Sat, Jul 9, 2016 at 4:56 PM, Chris Murphy <lists@xxxxxxxxxxxxxxxxx>
> wrote:
>>
>> I think this needs to be rethought. The options right now are, modify
>> an as yet unknown quantity of background programs so they aren't
>> killed on user logout; vs logout/restart/shutdown likely hanging for
>> 90 seconds. It seems the workaround would be to modify screen and
>> tmux, and then run all such background tasks in either screen or tmux.
>> But, that's kinda, wow... bit of a hammer.
>
>
> A thought occurred to me: would it be possible to instead implement a
> whitelist of *binaries* that are allowed to linger, rather than going around
> patching everything? So for example rather than having to modify the
> codebase of screen, we have a (sysadmin-modifiable) whitelist that says
> /usr/bin/screen is allowed to linger? Perhaps this would be something
> shipped by the screen package, so /usr/bin/screen is only whitelisted if the
> package providing it is installed.

This is pretty useless if systemd does no logging of having killed the
process. That's the difference between managing system resources, and
putting every backgrounded task on "double secret probation". It's
also pretty useless for newly written shell scripts written in any
language.

Well, the idea was that binaries shipped by Fedora that we *know* need to be whitelisted could have that information be part of the package that ships them, while admins could add whatever scripts they write themselves to a separate whitelist (that's what I meant by "sysadmin-modifiable"). But you're right, since systemd doesn't log what processes it kills, there would be no way to implement such a thing at the moment.

Oh well.

Ben Rosser