Respect SIGTERM & SIGINT so that application can exit cleanly (closes #127)

jbeemster · jbeemster · commit 2dc2a16a7536 · 2025-11-06T17:50:11.000+01:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -22,3 +22,5 @@ libc = "0.2.17"
 ifaces = "0.0.3"
 dns-lookup = "0.2.1"
 native-tls = "=0.2.13"
+signal-hook = "0.3"
+lazy_static = "1.4"
diff --git a/samples/sigterm-resistant.factfile b/samples/sigterm-resistant.factfile
@@ -0,0 +1,33 @@
+{
+    "schema": "iglu:com.snowplowanalytics.factotum/factfile/jsonschema/1-0-0",
+    "data": {
+        "name": "SIGTERM Resistant Task Example",
+        "tasks": [
+            {
+                "name": "IgnoresSIGTERM",
+                "executor": "shell",
+                "command": "sh",
+                "arguments": [
+                    "-c",
+                    "trap '' TERM; echo 'Task started, will ignore SIGTERM...'; sleep 30; echo 'Task completed normally'"
+                ],
+                "dependsOn": [],
+                "onResult": {
+                    "terminateJobWithSuccess": [],
+                    "continueJob": [ 0 ]
+                }
+            },
+            {
+                "name": "ShouldNotRun",
+                "executor": "shell",
+                "command": "echo",
+                "arguments": [ "This task should never run if shutdown happens" ],
+                "dependsOn": [ "IgnoresSIGTERM" ],
+                "onResult": {
+                    "terminateJobWithSuccess": [],
+                    "continueJob": [ 0 ]
+                }
+            }
+        ]
+    }
+}
diff --git a/src/factotum/executor/execution_strategy/mod.rs b/src/factotum/executor/execution_strategy/mod.rs
@@ -74,6 +74,10 @@ pub fn execute_os(name: &str, command: &mut Command) -> RunResult {
 
     match command.spawn() {
         Ok(mut child) => {
+            // Register child process for tracking during shutdown
+            let child_pid = child.id();
+            crate::factotum::shutdown::register_child_process(child_pid);
+
             let stdout = child.stdout.take().expect("Failed to capture stdout");
             let stderr = child.stderr.take().expect("Failed to capture stderr");
 
@@ -104,8 +108,47 @@ pub fn execute_os(name: &str, command: &mut Command) -> RunResult {
                 lines.join("\n")
             });
 
+            // Check if shutdown was requested before waiting
+            if crate::factotum::shutdown::is_shutting_down() {
+                // Kill the child process
+                let _ = child.kill();
+
+                // Wait for it to exit (reap zombie)
+                let _ = child.wait();
+
+                // Unregister since we're handling shutdown
+                crate::factotum::shutdown::unregister_child_process(child_pid);
+
+                // Join the streaming threads to capture any final output
+                let task_stdout = match stdout_handle.join() {
+                    Ok(output) => output,
+                    Err(_) => {
+                        warn!("stdout reader thread panicked for task '{}'", name);
+                        String::new()
+                    }
+                };
+                let task_stderr = match stderr_handle.join() {
+                    Ok(output) => output,
+                    Err(_) => {
+                        warn!("stderr reader thread panicked for task '{}'", name);
+                        String::new()
+                    }
+                };
+
+                return RunResult {
+                    duration: run_start.elapsed(),
+                    task_execution_error: Some("Task cancelled due to shutdown".to_string()),
+                    stdout: if task_stdout.is_empty() { None } else { Some(task_stdout) },
+                    stderr: if task_stderr.is_empty() { None } else { Some(task_stderr) },
+                    return_code: -1,
+                };
+            }
+
             match child.wait() {
                 Ok(status) => {
+                    // Unregister child process after it completes
+                    crate::factotum::shutdown::unregister_child_process(child_pid);
+
                     let run_duration = run_start.elapsed();
                     let return_code = status.code().unwrap_or(1);
 
diff --git a/src/factotum/executor/mod.rs b/src/factotum/executor/mod.rs
@@ -181,6 +181,12 @@ pub fn execute_factfile<'a, F>(factfile: &'a Factfile,
     }
 
     for task_grp_idx in 0..tasklist.tasks.len() {
+        // Check if shutdown has been requested before starting new task group
+        if crate::factotum::shutdown::is_shutting_down() {
+            eprintln!("Shutdown requested, skipping remaining task groups");
+            break;
+        }
+
         // everything in a task "group" gets run together
         let (tx, rx) = mpsc::channel::<(usize, RunResult)>();
 
diff --git a/src/factotum/mod.rs b/src/factotum/mod.rs
@@ -17,6 +17,7 @@ pub mod parser;
 pub mod executor;
 pub mod sequencer;
 pub mod webhook;
+pub mod shutdown;
 
 #[cfg(test)]
 mod tests;
diff --git a/src/factotum/shutdown.rs b/src/factotum/shutdown.rs
@@ -0,0 +1,145 @@
+use std::sync::Mutex;
+use std::sync::atomic::{AtomicBool, Ordering};
+use std::thread;
+use std::time::Duration;
+
+lazy_static! {
+    /// Global flag indicating shutdown has been requested
+    static ref SHUTDOWN_FLAG: AtomicBool = AtomicBool::new(false);
+
+    /// List of child process IDs that need to be terminated during shutdown
+    static ref CHILD_PROCESSES: Mutex<Vec<u32>> = Mutex::new(Vec::new());
+}
+
+/// Check if shutdown has been requested
+pub fn is_shutting_down() -> bool {
+    SHUTDOWN_FLAG.load(Ordering::SeqCst)
+}
+
+/// Signal that shutdown should begin
+pub fn request_shutdown() {
+    SHUTDOWN_FLAG.store(true, Ordering::SeqCst);
+}
+
+/// Register a child process for tracking during shutdown
+pub fn register_child_process(pid: u32) {
+    let mut processes = CHILD_PROCESSES.lock()
+        .unwrap_or_else(|poisoned| {
+            warn!("CHILD_PROCESSES mutex was poisoned during registration, recovering data");
+            poisoned.into_inner()
+        });
+    processes.push(pid);
+}
+
+/// Remove a child process from tracking (called when process exits normally)
+pub fn unregister_child_process(pid: u32) {
+    let mut processes = CHILD_PROCESSES.lock()
+        .unwrap_or_else(|poisoned| {
+            warn!("CHILD_PROCESSES mutex was poisoned during unregistration, recovering data");
+            poisoned.into_inner()
+        });
+    processes.retain(|&p| p != pid);
+}
+
+/// Gracefully terminate all child processes using a hybrid approach
+/// Phase 1: Broadcasts SIGTERM to process group (includes factotum but it has a handler)
+/// Phase 2: Sends SIGKILL only to individual child PIDs (excludes factotum)
+pub fn terminate_all_children() {
+    let pids = {
+        let processes = CHILD_PROCESSES.lock()
+            .unwrap_or_else(|poisoned| {
+                warn!("CHILD_PROCESSES mutex was poisoned during shutdown, recovering data");
+                poisoned.into_inner()
+            });
+        processes.clone()
+    };
+
+    if pids.is_empty() {
+        return;
+    }
+
+    println!("Terminating {} child process(es) gracefully...", pids.len());
+
+    // Phase 1: Broadcast SIGTERM to entire process group
+    // This includes factotum, but factotum has a signal handler so it won't die
+    // This is race-free - all processes get SIGTERM atomically
+    unsafe {
+        #[cfg(unix)]
+        {
+            // SAFETY: Sending SIGTERM to process group (pid 0).
+            // - Process group targeting (pid 0) is atomic and race-free
+            // - Factotum has signal handlers installed (see main.rs), so it will set
+            //   the shutdown flag but not terminate
+            // - All children spawned by factotum inherit the same process group and
+            //   will receive SIGTERM for graceful shutdown
+            // - PID recycling is not a concern here because we're targeting the entire
+            //   process group by ID, not individual PIDs
+            // - Platform: Unix-only. Non-Unix platforms don't reach this code path.
+            libc::kill(0, libc::SIGTERM);
+        }
+    }
+
+    // Wait 5 seconds for graceful shutdown
+    thread::sleep(Duration::from_secs(5));
+
+    // Phase 2: Check which child processes are still alive and SIGKILL them individually
+    // This excludes factotum - only tracked children are killed
+    let surviving_pids: Vec<u32> = pids.iter()
+        .filter(|&&pid| is_process_alive(pid))
+        .cloned()
+        .collect();
+
+    if !surviving_pids.is_empty() {
+        println!("Force-killing {} remaining process(es)...", surviving_pids.len());
+        for &pid in &surviving_pids {
+            unsafe {
+                #[cfg(unix)]
+                {
+                    // SAFETY: Sending SIGKILL to individual child PIDs.
+                    // - PIDs are obtained from CHILD_PROCESSES, which tracks all spawned children
+                    // - PIDs are valid because they were registered immediately after spawn
+                    // - PIDs are filtered by is_process_alive() so we only kill surviving processes
+                    // - PID recycling edge case: If a PID is recycled between the is_process_alive()
+                    //   check and this kill() call, we might signal an unrelated process. This is
+                    //   extremely rare because:
+                    //   1. We only target PIDs from children spawned seconds ago
+                    //   2. The check-to-kill window is microseconds
+                    //   3. Unix systems typically have PID wraparound delays
+                    //   4. Recycled PIDs are usually given to unrelated processes, not critical ones
+                    // - This approach ensures factotum survives to send webhooks and write logs
+                    // - Platform: Unix-only. Non-Unix platforms don't reach this code path.
+                    libc::kill(pid as i32, libc::SIGKILL);
+                }
+            }
+        }
+    }
+}
+
+/// Check if a process is still running
+fn is_process_alive(pid: u32) -> bool {
+    unsafe {
+        #[cfg(unix)]
+        {
+            // SAFETY: Sending signal 0 checks if process exists without sending a real signal.
+            // - Signal 0 is a null signal that performs permission and existence checks only
+            // - Returns 0 (true) if process exists and we have permission to signal it
+            // - Returns -1 (false) if process doesn't exist or permission is denied
+            // - No side effects on the target process - completely safe for checking
+            // - PID recycling: Could return true for a recycled PID (false positive), but this
+            //   is acceptable because we'll send SIGKILL to confirm termination. A false positive
+            //   just means we attempt to kill a process that may have changed identity, which is
+            //   handled by the SIGKILL safety invariants.
+            // - Platform: Unix-only, where signal 0 is well-defined behavior
+            libc::kill(pid as i32, 0) == 0
+        }
+        #[cfg(not(unix))]
+        {
+            // SAFETY: On non-Unix platforms (Windows, etc.), we conservatively return false.
+            // This means we'll always attempt SIGKILL in terminate_all_children(), which is
+            // safe but suboptimal (no process liveness check).
+            // TODO: Implement Windows-specific process checking using OpenProcess/GetExitCodeProcess
+            //       if Windows support is needed in the future.
+            false
+        }
+    }
+}
diff --git a/src/main.rs b/src/main.rs
@@ -29,6 +29,9 @@ extern crate hyper_native_tls;
 extern crate libc;
 extern crate ifaces;
 extern crate dns_lookup;
+extern crate signal_hook;
+#[macro_use]
+extern crate lazy_static;
 
 use docopt::Docopt;
 use std::fs;
@@ -630,6 +633,31 @@ fn init_logger() -> Result<(), String> {
     log4rs::init_config(log_config).map_err(|e| format!("couldn't initialize log configuration. Reason: {}", e.description()))
 }
 
+fn install_signal_handlers() -> Result<(), String> {
+    use signal_hook::consts::signal::{SIGTERM, SIGINT};
+    use signal_hook::iterator::Signals;
+    use std::thread;
+
+    let mut signals = Signals::new(&[SIGTERM, SIGINT])
+        .map_err(|e| format!("Failed to register signal handlers: {}", e))?;
+
+    thread::spawn(move || {
+        for sig in signals.forever() {
+            match sig {
+                SIGTERM | SIGINT => {
+                    println!("\nReceived shutdown signal, terminating gracefully...");
+                    factotum::shutdown::request_shutdown();
+                    factotum::shutdown::terminate_all_children();
+                    break;
+                }
+                _ => unreachable!(),
+            }
+        }
+    });
+
+    Ok(())
+}
+
 fn main() {
     std::process::exit(factotum())
 }
@@ -640,6 +668,12 @@ fn factotum() -> i32 {
         return PROC_OTHER_ERROR;
     }
 
+    // Install signal handlers for graceful shutdown
+    if let Err(e) = install_signal_handlers() {
+        println!("Failed to install signal handlers: {}", e);
+        return PROC_OTHER_ERROR;
+    }
+
     let args: Args = match Docopt::new(USAGE).and_then(|d| d.decode()) {
         Ok(a) => a,
         Err(e) => {
