path: root/doc/overview.html

<html>
  <head>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="Content-Language" content="en" />
    <title>s6: an overview</title>
    <meta name="Description" content="s6: an overview" />
    <meta name="Keywords" content="s6 overview supervision init process unix" />
    <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> -->
  </head>
<body>

<p>
<a href="index.html">s6</a><br />
<a href="//skarnet.org/software/">Software</a><br />
<a href="//skarnet.org/">skarnet.org</a>
</p>

<h1> An overview of s6 </h1>

<p>
 s6 is a collection of utilities revolving around process supervision and
management, logging, and system initialization. This page is a high-level
description of the different parts of s6.
</p>

<h2> Process supervision </h2>

<p>
 At its core, s6 is a <em>process supervision suite</em>, like its ancestor
<a href="https://cr.yp.to/daemontools.html">daemontools</a> and its
close cousin
<a href="http://smarden.org/runit/">runit</a>.
</p>

<h3> Concept </h3>

<p>
 The concept of process supervision comes from several observations:
</p>

<ul>
 <li> Unix systems, even minimalistic ones, need to run
<em>long-lived processes</em>, aka <em>daemons</em>. That is one of the
core design principles of Unix: one service &rarr; one daemon. </li>
 <li> Daemons can die unexpectedly. Maybe they are missing a vital
resource and cannot handle a certain failure; maybe they tripped on a bug;
maybe a misconfigured administration program killed them; maybe the
kernel killed them. Processes are fragile, but daemons are vital to a
Unix system: a fundamental discrepancy that needs to be solved. </li>
 <li> Automatically restarting daemons when they die is generally a good
thing. In any case, sysadmin intervention is necessary, but at least the
daemon is providing service, or trying to, until the sysadmin can log in
and investigate the underlying problem. </li>
 <li> Ad-hoc shell scripts that restart daemons <strong>suck</strong>, for
several reasons that would each justify their own page. The difficulty of
keeping track of the PID, explained below, is one of those reasons. </li>
 <li> It is sometimes necessary to send signals to a daemon. To kill it,
of course, but also to make it read its config file again, for instance;
signalling a daemon is a natural and very common way of sending it
simple commands. </li>
 <li> Generally, to send a signal to a daemon, you need to know its PID.
Without a supervision suite, knowing the proper PID is hard. Most
non-supervision systems use a hack known as <em>.pid files</em>, i.e.
the script that starts the daemon stores its PID into a file, and other
scripts read that file. This is a bad mechanism for several reasons, and
the case against .pid files would also justify its own page; the most
important drawback of .pid files is that they create race conditions
and management scripts may kill the wrong process. </li>
 <li> Non-supervision systems provide scripts to start and stop daemons,
but those scripts may fail at boot time even though they work when run
manually,
and vice versa. If a sysadmin logs in and runs the script to restart a
daemon that has died, the result might not be the same as if the whole
system had been rebooted, and the daemon may exhibit strange behaviours!
This is because the boot-time environment and the restart-time environment
are not the same when the script is run; and a non-supervision system
just cannot ensure reproducibility of the environment. This is a core
problem of non-supervision systems: countless bugs have been falsely
reported because of simple environment differences or configuration errors,
countless man-hours have been wasted to try and understand what was
going on. </li>
</ul>

<p>
 A process supervision system organizes the process hierarchy in a
radically different way.
</p>

<ul>
 <li> A process supervision system starts an independent hierarchy of
processes at boot time, called a <em>supervision tree</em>. This
supervision tree never dies: when one of its components dies, it is
restarted automatically. To ensure availability of the supervision
tree at all times, it should be rooted in process 1, which cannot die. </li>
 <li> A daemon is never started, either manually or in a script, as a
scion of the script that starts it.
 Instead, to start a daemon, you configure a
specific directory which contains all the information about your daemon;
then you send a command to the supervision tree. The supervision tree
will start the daemon as a leaf. <strong>In a process supervision
system, daemons are always spawned by the supervision tree, and
never by an admin's shell.</strong> </li>
 <li> The parent of your daemon is a <em>supervisor</em>. Since your
daemon is its direct child, <strong>the supervisor always knows the
correct PID of your daemon</strong>. </li>
 <li> The supervisor watches your daemon and can restart it when it
dies, automatically. </li>
 <li> The supervision tree always has the same environment, so starting
conditions are reproducible. Your daemon will always be started with the
same environment, whether it is at boot time via init scripts or for the
100th automatic - or manual - restart. </li>
 <li> To send signals to your daemon, you send a command to its
supervisor, which will then send a signal to the daemon on your behalf.
Your daemon is identified by the directory containing its information,
which is stable, instead of by its PID, which is not stable; the supervisor
maintains the correct association without a race condition or the other
problems of .pid files. </li>
</ul>

<h3> Implementation </h3>

<p>
 s6 is a straightforward implementation of those concepts.
</p>

<ul>
 <li> The <a href="s6-svscan.html">s6-svscan</a> and
<a href="s6-supervise.html">s6-supervise</a> programs are the components
of the <em>supervision tree</em>. They are long-lived programs.
 <ul>
  <li> <a href="s6-supervise.html">s6-supervise</a> is a daemon's
<em>supervisor</em>, its direct parent. For every long-lived process on a
system, there is a corresponding <a href="s6-supervise.html">s6-supervise</a>
process watching it. This is okay, because every instance of
<a href="s6-supervise.html">s6-supervise</a> uses very few resources. </li>
  <li> <a href="s6-svscan.html">s6-svscan</a> is, in a manner of speaking,
a supervisor for the supervisors. It watches and maintains a collection of
<a href="s6-supervise.html">s6-supervise</a> processes: it is the branch
of the supervision tree that all supervisors are stemming from. It can be
run and
<a href="//skarnet.org/software/s6/s6-svscan-not-1.html">supervised
by your regular init process</a>, or it can
<a href="//skarnet.org/software/s6/s6-svscan-1.html">run as
process 1 itself</a>. Running s6-svscan as process 1 requires
some effort from the user, because of the inherent non-portability of
init processes; the
<a href="//skarnet.org/software/s6-linux-init/">s6-linux-init</a>
package automates that effort and allows users to run s6 as an init
replacement. </li>
  <li> The configuration of a daemon to be supervised by
<a href="s6-supervise.html">s6-supervise</a> is done via a
<a href="servicedir.html">service directory</a>. </li>
  <li> The place to gather all service directories to be watched by a
<a href="s6-svscan.html">s6-svscan</a> instance is called a
<a href="scandir.html">scan directory</a>. </li>
 </ul>
 <li> The command that controls a single supervisor, and allows you to
send signals to a daemon, is
<a href="s6-svc.html">s6-svc</a>. It is a short-lived program. </li>
 <li> The command that controls a set of supervisors, and allows you to
start and stop supervision trees, is
<a href="s6-svscanctl.html">s6-svscanctl</a>. It is a short-lived
program. </li>
</ul>

<p>
 These four programs,
<a href="s6-svscan.html">s6-svscan</a>,
<a href="s6-supervise.html">s6-supervise</a>,
<a href="s6-svscanctl.html">s6-svscanctl</a> and
<a href="s6-svc.html">s6-svc</a>,
are the very core of s6. Technically, once you have them, you have a
functional s6 installation, and the other utilities are just a bonus.
</p>

<h3> Practical usage </h3>

<p>
 To use s6's supervision features, you need to perform the following steps:
</p>

<ul>
 <li> For every daemon you potentially want supervised, write a
<a href="servicedir.html">service directory</a>. Make sure that
your daemon does not background itself when started in the
<tt>./run</tt> script! Auto-backgrounding is a historical hack
that was implemented when supervision suites did not exist; since
you're using a supervision suite, auto-backgrounding is unnecessary
and in this case detrimental. </li>
 <li> Write a single <a href="scandir.html">scan directory</a> for
the set of daemons you want to actually run. This set can be modified
at run time. </li>
 <li> At some point in your initialization scripts, run
<a href="s6-svscan.html">s6-svscan</a> on the scan directory. This will
start the supervision tree, including your set of daemons. The exact
way of running s6-svscan depends on your system: it is not quite the same
when you want to run it as process 1 on a real machine, or under another
init on a real machine, or as process 1 in a
<a href="https://www.docker.com/">Docker</a> container, or in another
context entirely. </li>
 <li> Alternatively, you can start <a href="s6-svscan.html">s6-svscan</a>
on an empty scan directory, then populate it step by step and send an
update command to s6-svscan via
<a href="s6-svscanctl.html">s6-svscanctl</a> whenever the supervision
tree should pick up the differences and start the services you added. </li>
 <li> That's it, your services are running. To control them manually,
you can use the <a href="s6-svc.html">s6-svc</a> command. </li>
 <li> At the end of the system's lifetime, you can use
<a href="s6-svscanctl.html">s6-svscanctl</a> to bring down the supervision
tree. </li>
</ul>

<h2> Service-specific logging </h2>

<p>
<a href="s6-svscan.html">s6-svscan</a> can monitor a supervision tree,
but it can also do one more thing. It can ensure that a daemon's log,
i.e. what the daemon outputs to its stdout (or stderr if you redirect it),
gets processed by another, supervised, long-lived process, called a
<em>logger</em>; and it can make sure that the logs are never lost
between the daemon and the logger - even if the daemon dies, even if the
logger dies.
</p>

<p>
 If your daemon is outputting messages, you have a decision to make
about where to send them.
</p>

<ul>
 <li> You can do as non-supervision systems do, and send the messages
to syslog. It's entirely possible with a supervision system too.
However, like auto-backgrounding, syslog is a historical mechanism that
predates supervision suites, and is technically inferior; it is
recommended that you do not use it whenever you can avoid it. </li>
 <li> You can send them to the daemon's stdout/stderr and do nothing special
about it. The logs will then be sent to s6-svscan's stdout/stderr;
what mechanism will read them depends on how you started s6-svscan. </li>
 <li> You can use s6-svscan's service-specific logging mechanism and
dedicate a logger process to your daemon's messages. </li>
</ul>

<p>
 s6 provides you with a long-lived process to use as a logger:
<a href="s6-log.html">s6-log</a>. It will store your logs in one (or
more) specific directory of your choice, and rotate them automatically.
</p>

<h2> Helpers for run scripts </h2>

<p>
 Creating a working
<a href="servicedir.html">service directory</a>, and especially a good
<em>run script</em>, is the most important part of the work when
adapting a daemon to a supervision framework.
</p>

<p>
 If you can find your daemon's invocation script on a non-supervision system,
for instance a System V-style init script, you can see the exact
options that the daemon is being run with: environment variables,
uid and gid, open descriptors, etc. This is what you
need to replicate in your run script.
</p>

<p>
 (Do not replicate the auto-backgrounding, or things like
<a href="http://man.he.net/man8/start-stop-daemon">start-stop-daemon</a>
invocation: start-stop-daemon and its friends are hideous and kludgy
attempts to work around the lack of proper supervision mechanisms. Now
that you have s6, you should remove them from your system, throw them
into a bonfire, and dance and laugh while they burn. Generally speaking,
as a system administrator you want daemons that have been designed
following the principles described
<a href="https://jdebp.eu/FGA/unix-daemon-design-mistakes-to-avoid.html">here</a>,
or at least you want to use the command-line options that make them
behave in such a way.) 
</p>

<p>
 The vast majority of the tools provided by s6 are meant to be used in
run scripts: they help you control the process state and
environment in your script before it executes into your daemon. Or,
sometimes, they are daemons themselves, designed to be supervised.
</p>

<p>
 s6, like other <a href="//skarnet.org/software/">skarnet.org
software</a>, makes heavy use of
<a href="https://en.wikipedia.org/wiki/Chain_loading#Chain_loading_in_Unix">chain
loading</a>, also known as "Bernstein chaining": a lot of s6 tools will
perform some action that changes the process state, then execute into the
rest of their command line. This allows the user to change the process state
in a very flexible way, by combining the right components in the right
order. Very often, a run script can be reduced to a single command line -
likely a long one, but still a single one. (That is the main reason why
using the
<a href="//skarnet.org/software/execline/">execline</a> language
to write run scripts is recommended: execline makes it natural to handle
long command lines made of massive amounts of chain loading. This is by no
means mandatory, though: a run script can be any executable file you want,
provided that running it eventually results in a long-lived process with
the same PID.)
</p>

<p>
 Some examples of s6 programs meant to be used in run scripts:
</p>

<ul>
 <li> The <a href="s6-log.html">s6-log</a> program is a long-lived
process. It is meant to be executed into by a <tt>./log/run</tt>
script: it will be supervised, and will process what it reads on
its stdin (i.e. the output of the <tt>./run</tt> daemon). </li>
 <li> The <a href="s6-envdir.html">s6-envdir</a> program is a
short-lived process that will update its current environment according
to what it reads in a given directory, then execute into the rest of its
command line. It is meant to be used in a run script to adjust the
environment with which the final daemon will be executed into. </li>
 <li> Similarly, the <a href="s6-softlimit.html">s6-softlimit</a> program
adjusts its resource limits, then executes into the rest of its command
line: it is meant to set the resources the final daemon will have
access to. </li>
 <li> The <a href="s6-applyuidgid.html">s6-applyuidgid</a> program,
part of the <tt>s6-*uidgid</tt> family, drops root privileges before
executing into the rest of its command line: it is meant to be used
in run scripts that need root privileges when starting but do not
need it for the execution of the long-lived process. </li>
 <li> <a href="s6-ipcserverd.html">s6-ipcserverd</a> is a daemon that
listens to a Unix socket and spawns a program for every connection.
It is meant to be supervised, so it should be used in a run script,
and it's also meant to be a flexible super-server that you can use
for different applications: so it is a building block that may appear in
several of your run scripts defining
<a href="localservice.html">local services</a>. </li>
</ul>

<h2> Readiness notification and dependency management </h2>

<p>
 Now that you have a supervision tree, and long-lived processes running
supervised, you may want to introduce dependencies between them: do not
perform an action (e.g. start (with <a href="s6-svc.html">s6-svc -u</a>)
the Web server connecting to a database)
before a given daemon is up and running (e.g. the database server).
s6 provides tools to do that:
</p>

<ul>
 <li> The <a href="s6-svwait.html">s6-svwait</a>,
<a href="s6-svlisten1.html">s6-svlisten1</a> and
<a href="s6-svlisten.html">s6-svlisten</a> programs will wait until a set of
daemons is up, ready, down (as soon as the <tt>./run</tt> process dies) or
really down (when the <tt>./finish</tt> process has also died). </li>
 <li> Unfortunately, a daemon being <em>up</em> does not mean that it is
<em>ready</em>:
<a href="notifywhenup.html">this page</a> goes into the details. s6
supports a simple mechanism: when a daemon wants to signal that it is
<em>ready</em>, it simply writes a newline to a file descriptor of its
choice, and <a href="s6-supervise.html">s6-supervise</a> will pick that
notification up and broadcast the information to processes waiting for
it. </li>
 <li> s6 also has a legacy mechanism for daemons that do not
notify their own readiness but provide a way for an external program
to check whether they're ready or not:
<a href="s6-notifyoncheck.html">s6-notifyoncheck</a>.
 This is polling, which is bad, but unfortunately necessary for
many daemons as of 2019. </li>
</ul>

<p>
 s6 does not provide a complete dependency management framework,
i.e. a program to automatically start (or stop) a set of services in a
specific order - that order being automatically computed from a graph of
dependencies between services.
 That functionality belongs to a <em>service manager</em>, and is
implemented for instance in the
<a href="//skarnet.org/software/s6-rc/">s6-rc</a> package.
</p>

<h2> Fine-grained control over services </h2>

<p>
 s6 provides you with a few more tools to control and monitor your
services. services. For instance:
</p>

<ul>
 <li> <a href="s6-svstat.html">s6-svstat</a> gives you access to
the detailed state of a service </li>
 <li> <a href="s6-svperms">s6-svperms</a> allows you to configure
what users can read that state, what users can send control
commands to your service, and what users can be notified of
service start/stop events </li>
 <li> <a href="s6-svdt.html">s6-svdt</a>
allows you to see what caused the latest deaths of a supervised
process </li>
</ul>

<p>
 These tools make s6 the most powerful and flexible of the existing
process supervision suites.
</p>

<h2> Additional utilities </h2>

<p>
 The other programs in the s6 package are various utilities that may be
useful in designing servers, and more generally multi-process software.
They can be used with or without a supervision environment, although
it is of course recommended to have one; but they are not part of the core s6
functionality, and you may safely ignore them for now if you are just getting
into the supervision world.
</p>

<h3> Generic inter-process notification </h3>

<p>
 The <tt>s6-ftrig*</tt> family of programs allows notifications between
unrelated processes: a set of processes can subscribe to a certain
channel - identified by a directory in the filesystem - and ask to be
notified of certain events on that channel; another set of processes can
send events to the channel.
</p>

<p>
 The underlying mechanism is the same as the one used by the supervision
tree for readiness notification, but the <tt>s6-ftrig*</tt> tools provide
a more generic access to that mechanism.
</p>

<h3> Helpers for designing local services </h3>

<p>
 Local services, i.e. daemons listening to a Unix domain socket, are a
powerful and flexible mechanism, especially with modern Unix systems
that allow client authentication. s6 includes tools to take advantage
of that mechanism.
</p>

<ul>
 <li> The <tt>s6-ipc*</tt> family of programs is about designing clients
or servers that communicate over Unix domain sockets. </li>
 <li> The <tt>s6-*access*</tt> and <a href="s6-connlimit.html">s6-connlimit</a>
family of programs is about client access control. </li>
 <li> The <tt>s6-sudo*</tt> family of programs is about using a local
service in order to give selected
clients the ability to run a command line with the privileges of the
server, without using suid programs. </li>
</ul>

<h3> Keeping file descriptors open </h3>

<p>
 Sometimes you want to keep a file descriptor open, even if the program
normally using it dies - so the program can restart and use the same
file descriptor without losing any data. To do that, you need to
<em>hold</em> the descriptor in another process, i.e. that process
should have it open but do nothing with it.
</p>

<p>
<a href="s6-svscan.html">s6-svscan</a>, for instance, holds the pipe
existing between a supervised daemon and its logger, so even if the
daemon or the logger dies while there are logs in the pipe, the pipe
remains open and the logs are not lost.
</p>

<p>
 s6 provides a mechanism to store and retrieve open file descriptors
in a totally generic way: the <tt>s6-fdholder*</tt> family of programs.
</p>

<ul>
 <li> The <a href="s6-fdholder-daemon.html">s6-fdholder-daemon</a> program
is a daemon (or, rather, executes into the
<a href="s6-fdholderd.html">s6-fdholderd</a> daemon), meant to be
supervised, that will hold file descriptors on its clients' behalf. </li>
 <li> Other programs in the family, such as
<a href="s6-fdholder-store.html">s6-fdholder-store</a>, are client
programs that interact with this daemon to store and retrieve file
descriptors. </li>
</ul>

<p>
 Note that "socket activation", one of the main advertised benefits of the
<a href="https://www.freedesktop.org/wiki/Software/systemd/">systemd</a>
init system, sounds similar to fd-holding.
The reality is that socket activation is a mixture of several different
mechanisms, one of which is fd-holding; s6 allows you to implement the
<a href="socket-activation.html">healthy parts</a> of socket activation.
</p>

<h3> Other miscellaneous utilities </h3>

<p>
 This page does not list or classify every s6 tool. Please
explore the "Reference" section of the
<a href="index.html">main s6 page</a> for details on a specific program.
</p>

</body>
</html>