| Date | Commit message (Collapse) |
|---|
|
Ensure we always fchmod our tempfile in case of client error to
avoid getting nuked in the next request cycle. Also, kill off
some unnecessary variables since this method has too many
variables anyways and we can overload the "nr" counter to do
what "accepted" and "reopen_logs" did..
|
|
So don't bother checking them again. Configurator already
ensures that they're Proc objects for us, and we've been
forgetting to check @before_fork since the beginning of
time anyways... Consistency + less code = good
|
|
We don't (and won't ever) do log rotation within the process.
That's the job of logrotate and tools like that. We just
reopen logs like other reasonable daemons out there.
|
|
Otherwise we get generally worthless backtraces and we don't
want to clobber those for other signals, either.
|
|
By reraising SignalException in workers. Since we just rely on
default signal handlers for the majority of signals now, ensure
those signals actually exit the process.
|
|
Instead of just worker.nr. This is a configuration file/API
change and will break existing configurations.
This allows worker.tempfile to be exposed to the hooks
so ownership changes can still happen on it.
On the other hand, I don't know of many people actually
using this feature (or Unicorn).
|
|
I'm golfing, really, but maybe we can be 0.00001% faster
if we avoid naming some variables...
|
|
Since signals and signal handlers are process-wide, just make
SIG_QUEUE a global constant since there's absolutely no reason
it should be otherwise...
Restore default signal handlers when building app in case our
app does anything strange or gets hung, it's nice to know
SIG{INT,TERM} can be used to kill it while it's loading.
Additionally, there's little point in clearing arrays before
nilling them: just trust the GC to do its job properly.
|
|
If someone changes ENV or umask in the master process (via
before_fork or when loading the config), assume it was
intentional and just preserve it across reexec.
|
|
We never write to the file anyways, and fchmod is never buffered
|
|
MRI 1.8 always sets O_NONBLOCK on sockets to implement green
threads correctly in the face of slow network I/O. Since we
already know what the I/O flags for a client socket should be,
we just set it to that instead.
Applications running on Unicorn continue to be green thread-safe
when used fast local traffic. Of course, Unicorn itself will
never use threads.
|
|
Unicorn is strictly for fast LAN and localhost clients. Unicorn
is not for slow, high-latency or trickling clients and cannot do
keepalive or pipelining.
None of the removed options actually make sense
in the environment Unicorn was designed for.
* DEFER_ACCEPT/ACCEPT_FILTER - these are useful for mitigating
connect() floods or trickling clients. We shouldn't have to
deal with those on a trusted LAN.
* TCP_CORK/TCP_NODELAY - we only send output in the response and
then immediately close the socket. Assuming the typical
response containing a small header and large strings in the
body: the Nagle algorithm would've corked the headers
regardless and any pending output would be immediately flushed
when the socket is closed immediately after sending.
These options would still be useful from the client-side on
the LAN, or if Unicorn supported keepalive.
Of course, I highly recommend enabling all of these options
you can possibly enable on nginx or another fully-buffering
reverse proxy when dealing with slow clients.
|
|
Apparently I was smoking crack and thought they weren't
changeable. Additionally, SO_REUSEADDR is set by TCPServer.new,
so there's no need to set it ourselves; so avoid putting
extra items in the purgatory.
This allows SIGHUP to change listen options.
|
|
Sockets may be unintentionally unlinked on the filesystem.
When reloading our config, ensure that the socket exists
on the filesystem. If not, close the listener (since it's
unusable by outside apps) and reopen it.
|
|
Rather than blindly appending to our listener set
with every "listen" directive read in the config
file, reset our internal array.
Listeners specified on the command-line are always
preserved between config reloads.
|
|
This fixes a long-standing bug where listeners would be removed
from the known listener set during a reload but never correctly
shut down (until reexec).
Additionally, test_server was working around this bug (my fault,
subconciously) as teardown did not unbind the socket, requiring
the tests to grab a new port.
|
|
* no need to show PID of process writing the logs,
the default log formatter already includes it
* Don't bother displaying classes of listeners, the address
themselves should be enough.
|
|
Just because I know regular expressions doesn't
mean I *have* to use them...
|
|
Multiple Unicorn applications one machine can get confusing
quickly. Regardless, make it easy to distinguish between
workers and the master process.
|
|
The newly open file descriptors live on as fd=1
and fd=2 anyways, so there's no reason to keep
duplicates around.
|
|
We'll allow before_exec to override that setting, however.
There are cases where someone setting
Logger.new("/path/to/file") will create new file descriptors in
the master process. This will prevent FD leakage
and a test case (for Linux only) proves it.
|
|
Prevent subtle leaks here, too.
|
|
FD_CLOEXEC is POSIX and we only run on POSIX. Things will
slowly leak over time if FD_CLOEXEC is not set, so raise
the issue ASAP.
|
|
Instead of trusting sysread/syswrite to throw EAGAIN if the pipe
is full (highly unlikely); just use non-blocking methods which
are indeed non-blocking and don't care for the #blocking= method
added to it.
|
|
Combining command-line and config file options in a reasonable
manner has and always will be a painful experience.
|
|
It makes test_exec more reliable and probably helps
other scripts people may run around this.
|
|
Instead of having global options for all listeners,
make all socket options per-listener. This allows
reverse-proxies to pick different listeners to get
different options on different sockets.
Given a cluster of machines (10.0.0.1, 10.0.0.2, 10.0.0.3)
running Unicorn with the following config:
------------------ 8< ----------------
listen "/tmp/local.sock", :backlog => 1
listen "*:8080" # use the backlog=1024 default
------------------ 8< ----------------
It is possible to configure a reverse proxy to try to use
"/tmp/local.sock" first and then fall back to using the
TCP listener on port 8080 in a failover configuration.
Thus the nginx upstream configuration on 10.0.0.1 to
compliment this would be:
------------------ 8< ----------------
upstream unicorn_cluster {
# reject connections ASAP if we are overloaded
server unix:/tmp/local.sock;
# fall back to other machines in the cluster via "backup"
# listeners which have a large backlog queue.
server 10.0.0.2:8080 backup;
server 10.0.0.3:8080 backup;
}
------------------ 8< ----------------
This removes the global "backlog" config option which
was inflexible with multiple machines in a cluster
and exposes the ability to change SO_SNDBUF/SO_RCVBUF
via setsockopt(2) for the first time.
|
|
This reworks error handling throughout the entire stack to be
more Ruby-ish. Exceptions are raised instead of forcing the
us to check return values.
If a client is sending us a bad request, we send a 400.
If unicorn or app breaks in an unexpected way, we'll
send a 500.
Both of these last-resort error responses are sent using
IO#write_nonblock to avoid tying Unicorn up longer than
necessary and all exceptions raised are ignored.
Sending a valid HTTP response back should reduce the chance of
us from being marked as down or broken by a load balancer.
Previously, some load balancers would mark us as down if we close
a socket without sending back a valid response; so make a best
effort to send one. If for some reason we cannot write a valid
response, we're still susceptible to being marked as down.
A successful HttpResponse.write() call will now close the socket
immediately (instead of doing it higher up the stack). This
ensures the errors will never get written to the socket on a
successful response.
|
|
Unicorn always uses lower-level sys{read,write} methods
when doing I/O so setting "client.sync=true" is just
a wasted operation.
|
|
They're easier for me to type and read and just barely faster
when doing comparisons on.
|
|
Instead of rotating logs immediately when SIGUSR1 is caught,
defer it until the current client is processing is complete.
This allows multi-line log messages generated by apps to not be
broken up if SIGUSR1 is received while the app is running.
If we're sleeping inside IO.select, we close a pipe in the
exceptfds set to cause EBADF to be raised.
This also adds a small reliability improvement to test_exec
so we wait until signals are ready before sending USR1
to rotate logs.
|
|
In case there are permissions problems that cause
log rotation to fail, we trap the error and defer
death until the current request finishes running.
|
|
bind_listen takes a hash as its second parameter now, allowing
the addition of :sndbuf and :rcvbuf options to specify the size
of the buffers in bytes. These correspond to the SO_SNDBUF and
SO_RCVBUF options via setsockopt(2) respectively.
This also adds support for per-listener backlogs to be used.
However, this is only an internal API change and the changes
have not yet been exposed to the user via Unicorn::Configurator,
yet.
Also add a bunch of SocketHelper tests
|
|
Since we always unlink existing sockets when binding, there's no
point in having code to unlink the sockets when we exit.
Additionally, the old code path was racy.
|
|
Only sleep if our signal queue is empty.
Remove redundant exception handling and go back to just
consuming the entire pipe since that's more efficient if we're
slammed with signals for whatever reason.
|
|
The master _may_ run with different user/group/umask than the
workers. Since the logs were always created by the master
process, the master should rotate them first to ensure correct
ownership and permissions.
This way if the workers fail log rotation and die, they'll
be automatically respawned with the new logs in place.
|
|
* Use waitpid2 to more reliably trap exit status
* Stop including Process namespace since it leads
to confusing conflicts.
|
|
This will only be enabled if we're daemonized and "real" WINCH
signals cannot be generated by resizing the terminal. This is
to avoid confusing developers who run in the foreground of a
terminal.
Additionally document procedures for reexecuting a running
binary.
|
|
Although I didn't like the idea initially, signal queueing
allows test_exec to run more reliably and the limited signal
queue size will prevent scary queued signal behavior.
Also, always wakeup the master immediately when CHLD is trapped
to reduce the performance impact of SIGHUP-based config
reloading. Combined with an extra check in test_exec, this
should make test_exec run much more reliably than before.
|
|
In nearly every app, if the current working directory
disappears, the app becomes broken, sometimes subtly. It can be
especially broken when preload_app is false (the default).
So just shut ourselves down to spare ourselves the
wasted CPU cycles on a dead app.
As a (hopefully) pleasant side effect, this allows
configurations with preload_app==false (the default) to do
application code reloads via SIGHUP (in addition to unicorn
config reloads).
|
|
This is useful for freeing certain resources you
do NOT want passed to child processes.
|
|
Unicorn will always continue to run in the directory it started
in, it does not chdir to "/". Since the default start_ctx[:cwd]
is symlink-aware, this should not be a problem for
Capistrano-deployed applications.
|
|
The $stderr/$stdout objects need to point to +File+ objects
and mot just +IO+ objects they default to for reopen_logs
to work.
|
|
Instead of blindly trying to bind to the default listener
(which is already the default as specified by Configurator).
|
|
|
|
As opposed to doing this in the shell, this allows the files to
be reopened reliably after rotation.
While we're at it, use $stderr/$stdout instead of STDERR/STDOUT
since they seem to be more favored.
|
|
This means processes will share less memory but things
should be compatible with all existing setups.
|
|
If we get woken up during an IO.select, just make a bet that we
spent some time doing something else and aggressively try to
accept new connections without trying to wait for I/O-readiness
notification.
|
|
I consider it a sensible default for long-running servers.
Additionally, there is no easy way to make USR1 rotate the
master process log without this.
|
|
Since I use it myself and also in the tests, we
might as well implement it correctly as a class method
so people can run it in their trap('USR2') hooks.
|