feat: cleanup timeout for process termination (#207)

Implement configurable cleanup timeout to control how long the system waits
for process cleanup verification before triggering forced shutdown. This
replaces the hardcoded 10-second timeout with a user-configurable value.

Configuration:
- Add --cleanup-timeout CLI flag (default: 10s, env: COG_CLEANUP_TIMEOUT)
- Flow: CLI → Config → Runner for proper field injection

Implementation changes:
- Replace hardcoded timeout with context.WithTimeout() pattern
- Improve check interval from 100ms to 10ms for more responsive detection
- Add injectable verifyFn field to Runner for comprehensive testing
- Update terminology from "ungraceful shutdown" to "forced shutdown"

Testing improvements:
- Migrate time-dependent tests to Go 1.25 synctest for deterministic execution
- Add comprehensive test coverage for timeout scenarios and multiple ForceKill calls
- Use safe high PID values (9999999) and proper mocking to prevent real process operations
- Configure linter to handle synctest patterns correctly

This enables users to customize cleanup wait times based on their specific
workload requirements while maintaining safe defaults.

* Address leaking coglets from test

The test harness now properly cleans up orphaned coglet processes when interrupted:

Key Features:
- Cross-platform compatibility: Works on both macOS (Darwin) and Linux
- Robust process discovery: Uses pgrep -f coglet as primary method, falls back to ps with platform-specific flags
- Safe process killing: Validates we can signal processes before attempting to kill them
- Process group cleanup: Kills both process groups and individual processes
- Safety measures: Never kills ourselves, our parent, or PID 1
- Signal handling: Responds to both SIGINT (ctrl+c) and SIGTERM

Implementation Details:
- killAllChildProcesses() finds and kills coglet processes during cleanup
- findCogletProcesses() tries pgrep first, falls back to ps
- Platform-specific ps flags: -ax on macOS, -e on Linux
- Process ownership validation through signal testing before killing
- Integrated into existing TestMain signal handler

---------
Co-Authored-By: Michael Dwan <[email protected]>
Co-authored-by: Morgan Fainberg <[email protected]>

Author: michaeldwan

.golangci.yml

@@ -64,6 +64,9 @@ linters:
     - source: 'defer resp.Body.Close()'
       linters:
       - errcheck
+    - source: 'synctest\.Test\(t, func\(t \*testing\.T\)'
+      linters:
+      - thelper
   settings:
     errcheck:
       disable-default-exclusions: false

cmd/cog/main.go

@@ -19,13 +19,15 @@ import (
 )
 
 type ServerCmd struct {
-	Host                      string        `help:"Host address to bind the HTTP server to" default:"0.0.0.0"`
-	Port                      int           `help:"Port number for the HTTP server" default:"5000"`
-	UseProcedureMode          bool          `help:"Enable procedure mode for concurrent predictions" name:"use-procedure-mode"`
-	AwaitExplicitShutdown     bool          `help:"Wait for explicit shutdown signal instead of auto-shutdown" name:"await-explicit-shutdown"`
-	UploadURL                 string        `help:"Base URL for uploading prediction output files" name:"upload-url"`
-	WorkingDirectory          string        `help:"Override the working directory for predictions" name:"working-directory"`
-	RunnerShutdownGracePeriod time.Duration `help:"Grace period before force-killing prediction runners" name:"runner-shutdown-grace-period" default:"600s"`
+	Host                      string        `help:"Host address to bind the HTTP server to" default:"0.0.0.0" env:"COG_HOST"`
+	Port                      int           `help:"Port number for the HTTP server" default:"5000" env:"COG_PORT"`
+	UseProcedureMode          bool          `help:"Enable procedure mode for concurrent predictions" name:"use-procedure-mode" env:"COG_USE_PROCEDURE_MODE"`
+	AwaitExplicitShutdown     bool          `help:"Wait for explicit shutdown signal instead of auto-shutdown" name:"await-explicit-shutdown" env:"COG_AWAIT_EXPLICIT_SHUTDOWN"`
+	OneShot                   bool          `help:"Enable one-shot mode (single runner, wait for cleanup before ready)" name:"one-shot" env:"COG_ONE_SHOT"`
+	UploadURL                 string        `help:"Base URL for uploading prediction output files" name:"upload-url" env:"COG_UPLOAD_URL"`
+	WorkingDirectory          string        `help:"Override the working directory for predictions" name:"working-directory" env:"COG_WORKING_DIRECTORY"`
+	RunnerShutdownGracePeriod time.Duration `help:"Grace period before force-killing prediction runners" name:"runner-shutdown-grace-period" default:"600s" env:"COG_RUNNER_SHUTDOWN_GRACE_PERIOD"`
+	CleanupTimeout            time.Duration `help:"Maximum time to wait for process cleanup before hard exit" name:"cleanup-timeout" default:"10s" env:"COG_CLEANUP_TIMEOUT"`
 }
 
 type SchemaCmd struct{}
@@ -43,6 +45,12 @@ var logger = util.CreateLogger("cog")
 func (s *ServerCmd) Run() error {
 	log := logger.Sugar()
 
+	// One-shot mode requires procedure mode
+	if s.OneShot && !s.UseProcedureMode {
+		log.Errorw("one-shot mode requires procedure mode")
+		return fmt.Errorf("one-shot mode requires procedure mode, use --use-procedure-mode")
+	}
+
 	// Procedure mode implies await explicit shutdown
 	// i.e. Python process exit should not trigger shutdown
 	if s.UseProcedureMode {
@@ -51,6 +59,7 @@ func (s *ServerCmd) Run() error {
 	log.Infow("configuration",
 		"use-procedure-mode", s.UseProcedureMode,
 		"await-explicit-shutdown", s.AwaitExplicitShutdown,
+		"one-shot", s.OneShot,
 		"upload-url", s.UploadURL,
 	)
 
@@ -67,13 +76,18 @@ func (s *ServerCmd) Run() error {
 		}
 	}
 
+	forceShutdown := make(chan struct{}, 1)
+
 	serverCfg := server.Config{
 		UseProcedureMode:          s.UseProcedureMode,
 		AwaitExplicitShutdown:     s.AwaitExplicitShutdown,
+		OneShot:                   s.OneShot,
 		IPCUrl:                    fmt.Sprintf("http://localhost:%d/_ipc", s.Port),
 		UploadURL:                 s.UploadURL,
 		WorkingDirectory:          currentWorkingDirectory,
 		RunnerShutdownGracePeriod: s.RunnerShutdownGracePeriod,
+		CleanupTimeout:            s.CleanupTimeout,
+		ForceShutdown:             forceShutdown,
 	}
 	// FIXME: in non-procedure mode we do not support concurrency in a meaningful way, we
 	// statically create the runner list sized at 1.
@@ -107,15 +121,20 @@ func (s *ServerCmd) Run() error {
 		ch := make(chan os.Signal, 1)
 		signal.Notify(ch, os.Interrupt, syscall.SIGTERM)
 		for {
-			sig := <-ch
-			if sig == syscall.SIGTERM && s.AwaitExplicitShutdown {
-				log.Warnw("ignoring signal to stop", "signal", sig)
-			} else {
-				log.Infow("stopping Cog HTTP server", "signal", sig)
-				if err := h.Stop(); err != nil {
-					log.Errorw("failed to stop server handler", "error", err)
-					os.Exit(1)
+			select {
+			case sig := <-ch:
+				if sig == syscall.SIGTERM && s.AwaitExplicitShutdown {
+					log.Warnw("ignoring signal to stop", "signal", sig)
+				} else {
+					log.Infow("stopping Cog HTTP server", "signal", sig)
+					if err := h.Stop(); err != nil {
+						log.Errorw("failed to stop server handler", "error", err)
+						os.Exit(1)
+					}
 				}
+			case <-forceShutdown:
+				log.Errorw("cleanup timeout reached, forcing ungraceful shutdown")
+				os.Exit(1)
 			}
 		}
 	}()

internal/server/runner.go

@@ -78,6 +78,32 @@ func (pr *PendingPrediction) sendResponse() {
 // killFunc is the function signature for killing processes
 type killFunc func(pid int, sig syscall.Signal) error
 
+// verifyProcessGroupTerminatedFunc is the function signature for verifying process group termination
+type verifyProcessGroupTerminatedFunc func(pid int) bool
+
+// verifyProcessGroupTerminated checks if all processes in the group have been terminated
+// Returns true if all processes are gone, false if any are still running
+func verifyProcessGroupTerminated(pid int) bool {
+	log := logger.Sugar()
+
+	// Try to send signal 0 to the process group to check if any processes still exist
+	// Signal 0 doesn't actually send a signal but checks if the process exists
+	err := syscall.Kill(-pid, 0)
+	if err != nil {
+		if errors.Is(err, syscall.ESRCH) {
+			// No such process - process group is terminated
+			log.Debugw("process group fully terminated", "pid", pid)
+			return true
+		}
+		// Other errors (like EPERM) mean processes might still exist
+		log.Debugw("process group verification failed, assuming processes exist", "pid", pid, "error", err)
+		return false
+	}
+	// No error means at least one process in the group still exists
+	log.Debugw("process group still has running processes", "pid", pid)
+	return false
+}
+
 type Runner struct {
 	name                string
 	workingDir          string
@@ -93,8 +119,12 @@ type Runner struct {
 	pending             map[string]*PendingPrediction
 	uploadURL           string
 	shutdownGracePeriod time.Duration
-	killed              bool     // tracks if we've killed this process instance
-	killFn              killFunc // injectable kill function for testing
+	cleanupTimeout      time.Duration                    // timeout for process cleanup verification
+	killed              bool                             // tracks if we've killed this process instance
+	cleanupSlot         chan struct{}                    // buffered size 1, holds cleanup token (len()=1 means no cleanup, len()=0 means cleanup in progress)
+	forceShutdown       chan<- struct{}                  // signals that cleanup failed and forced shutdown is needed
+	killFn              killFunc                         // injectable kill function for testing
+	verifyFn            verifyProcessGroupTerminatedFunc // injectable verification function for testing
 	mu                  sync.Mutex
 	stopped             chan bool
 }
@@ -130,7 +160,7 @@ func NewRunner(name, cwd string, cfg Config) (*Runner, error) {
 
 	cmd.Env = mergeEnv(os.Environ(), cfg.EnvSet, cfg.EnvUnset)
 
-	return &Runner{
+	r := &Runner{
 		name:                name,
 		workingDir:          workingDir,
 		cmd:                 *cmd,
@@ -139,9 +169,18 @@ func NewRunner(name, cwd string, cfg Config) (*Runner, error) {
 		pending:             make(map[string]*PendingPrediction),
 		uploadURL:           cfg.UploadURL,
 		shutdownGracePeriod: cfg.RunnerShutdownGracePeriod,
+		cleanupTimeout:      cfg.CleanupTimeout,
 		killFn:              nil, // nil means use real syscall.Kill
+		verifyFn:            nil, // nil means use real verifyProcessGroupTerminated
+		cleanupSlot:         make(chan struct{}, 1),
+		forceShutdown:       cfg.ForceShutdown,
 		stopped:             make(chan bool),
-	}, nil
+	}
+
+	// Initialize cleanup slot with token available (no cleanup in progress)
+	r.cleanupSlot <- struct{}{}
+
+	return r, nil
 }
 
 func NewProcedureRunner(name, srcDir string, cfg Config) (*Runner, error) {
@@ -193,6 +232,16 @@ func (r *Runner) ForceKill() {
 
 	log.Infow("force killing process group", "pid", r.cmd.Process.Pid)
 
+	// Try to take cleanup token
+	gotToken := false
+	select {
+	case <-r.cleanupSlot:
+		gotToken = true
+		log.Infow("acquired cleanup token", "pid", r.cmd.Process.Pid)
+	default:
+		log.Infow("cleanup already in progress, but proceeding with kill", "pid", r.cmd.Process.Pid)
+	}
+
 	// Use injected kill function for testing, or real syscall.Kill
 	killFn := r.killFn
 	if killFn == nil {
@@ -204,10 +253,63 @@ func (r *Runner) ForceKill() {
 		if !errors.Is(err, syscall.ESRCH) {
 			log.Errorw("failed to kill process group", "pid", r.cmd.Process.Pid, "error", err)
 		}
+		// Return token only if we took it and kill failed (unless ESRCH which is OK)
+		if gotToken && !errors.Is(err, syscall.ESRCH) {
+			r.cleanupSlot <- struct{}{}
+			return
+		}
 	}
 
 	// Mark as killed to prevent PID reuse issues
 	r.killed = true
+
+	// Start verification of process termination in background only if we got the token
+	if gotToken {
+		go r.verifyProcessCleanup(r.cmd.Process.Pid)
+	}
+}
+
+// verifyProcessCleanup verifies that all processes in the group have been terminated
+// and updates the cleanup status accordingly
+func (r *Runner) verifyProcessCleanup(pid int) {
+	log := logger.Sugar()
+	const checkInterval = 10 * time.Millisecond
+
+	ctx, cancel := context.WithTimeout(context.Background(), r.cleanupTimeout)
+	defer cancel()
+
+	start := time.Now()
+	ticker := time.NewTicker(checkInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-r.stopped:
+			// Runner is being stopped, exit cleanup verification
+			log.Debugw("cleanup verification stopped due to runner shutdown", "pid", pid, "elapsed", time.Since(start))
+			return
+		case <-ctx.Done():
+			// Timeout reached - signal forced shutdown
+			log.Errorw("process cleanup verification timed out, signaling forced shutdown",
+				"pid", pid, "elapsed", time.Since(start))
+			select {
+			case r.forceShutdown <- struct{}{}:
+			default:
+			}
+			return
+		case <-ticker.C:
+			fn := verifyProcessGroupTerminated
+			if r.verifyFn != nil {
+				fn = r.verifyFn
+			}
+			if fn(pid) {
+				// Cleanup completed successfully, return token
+				r.cleanupSlot <- struct{}{}
+				log.Infow("process cleanup completed successfully, returned cleanup token", "pid", pid, "elapsed", time.Since(start))
+				return
+			}
+		}
+	}
 }
 
 func (r *Runner) Stop() error {
@@ -501,6 +603,7 @@ func (r *Runner) HandleIPC(s IPCStatus) error {
 	log := logger.Sugar()
 	switch s {
 	case IPCStatusReady:
+
 		if r.status == StatusStarting {
 			r.updateSchema()
 			r.updateSetupResult()