On Tue, 2008-11-04 at 14:46 -0500, Jeff Layton wrote: > On Tue, 04 Nov 2008 14:26:21 -0500 > Trond Myklebust <trond.myklebust@xxxxxxxxxx> wrote: > > > On Tue, 2008-11-04 at 13:42 -0500, Jeff Layton wrote: > > > While we're on the subject of signals... > > > > > > Do you have any thoughts/objections to just making the reclaimer thread > > > ignore them altogether? That would simplify the code a bit. > > > > How does the administrator then get out of the situation where the > > server dies (permanently) in the middle of a reclaim? > > > > Erm...Reboot? :) > > Ok, I'm convinced. I suppose that's a good enough argument for > continuing to allow SIGKILL. I guess the only change we need to make to > this patch for now is to remove the "memory leak" comment (unless there > is a leak and I'm just not seeing it). Hold on... I'm not saying that I'm absolutely wedded to the idea of SIGKILL. I'm just stating the reason for allowing it in the first place. All booting NLM servers will have a finite grace period during which lock recovery is allowed, so it is obvious that retrying each RPC call forever is not a good solution. The questions are then "How long do you wait before giving up?" and "What do you do after timing out?". One solution may be to let the administrator set a time-out via a sysctl, and then set a policy for how to deal with the failure. A reasonable set of possible policies may be to either retry recovery at a later time, or to wait for a new reboot notification from the server, or at some point to start sending out SIGLOST to the applications... Cheers Trond -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html