[ previous ] [ next ] [ threads ]
 
 From:  Kris Maglione <bsdaemon at comcast dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Service supervision
 Date:  Sun, 11 Sep 2005 20:48:56 -0400
I'd like to see m0n0wall gain a service supervision scheme. The services
provided by a firewall are usually extremely important to a network, and when
they die, untold havoc can ensue. I may be exaggerating, but it doesn't make
it any more important. As it stands now, if a program (such as dhcpd or
dnsmasq) dies on a m0n0wall box, it goes unnoticed and ignored. At that point,
an administrator would have to either change and apply a setting related to
the dead service, or simply reboot the box. Neither option is ideal.

There exists a useful, public domain, service supervision system called runit
(http://smarden.org/runit/) which monitors services based on a directory
structure. It is designed to replace init on unix systems, but that is
entirely optional. The entire system is over 400K, but we don't need anywhere
near that much of it.

There are only two programs that are important to us: runsv and runsvdir.
Each is roughly 20k. runsvdir makes sure that a runsv process is running for
each service, and respawns them if they die. runsv makes sure that it's
service is running, and respawns it if it dies. It would be possible to only
use runsv, and to ignore runsvdir.

The programs that we don't need include the init replacement and control
programs. The system, however, is written in a UNIX fashion, so these programs
are optional. runsv is controlled through a named pipe. Characters simply need
to be echoed to it to send a control message. Checking the status is done by
reading a named pipe. It also provides a hook to run a program on service
shutdown or death and supervision for logging programs in the same manner.

This is not meant to be an advertisement for runit, it just seems to be the
most appropriate tool for the job. Does anyone agree/disagree? I have some
experience with this type of system (it takes after DJB's daemontools), and
can answer questions if anyone has any.
-- 
Kris Maglione

Never insult an alligator
until after you have crossed the river.