On 06/27/2012 08:34 AM, David M. Lloyd wrote:
On 6/26/12 7:13 PM, Bill Burke wrote:
> Are you sure explicity granting "permits" through a "Shutdown
> the way to go?
Yes, we are 100% sure.
> Having to interact with a central service that grants
> permits per-request is very worrisome. The subsystem may already have a
> better way to do graceful shutdown, or just cannot follow a permit pattern.
No, we went into great detail to work this out. But if you have a
specific case that you think warrants another look, feel free to raise it.
> Is it not simpler and gives more flexibility to a subsystem to drive
> this via events rather than explicit callbacks to a Shutdown Manager?
No, because the "suspended" state isn't really a state, and it is
certainly not detectable from each subsystem.
For example, there may be no remaining EJB sessions. However, that does
not mean that EJB can refuse new session creation. In particular, if
you are in a suspended state and deploy a singleton EJB which has a
@PostConstruct on it, and that interceptor causes a session to be
created, this is allowed as deployment must always gain a permit (else
Does deploying an application during the "suspended" state, cancel the
shutdown (bringing the server back to a "running" state?) You said
below that no permits are allowed in the "suspended" state, so a state
transition might be needed for deployment (I think). Or is deployment
only allowed in "Suspending/Running" states?
Note, people, that permits are a *conceptual* entity. There is no need
to have permit objects, nor even a semaphore, nor even a non-blocking
counter. I do know a thing or two about eliminating concurrency
> class Suspending extends ShutdownEvent
> void iFinishedSuspending(); // the callback to the Shutdown Manager
> GIves the subsystem flexibility on how best to implement a graceful
> On 6/26/12 11:00 AM, Jason T. Greene wrote:
>> We've worked out the rough outline of how graceful shutdown will work in
>> The process of graceful shutdown actually is reflected by a number of
>> 1. Running - all services acting normally
>> 2. Suspending - services refuse new "permits" (see below), existing
>> permits are allowed to be retained (and threads running under such a
>> permit may still acquire new permits)
>> 3. Suspended - no permits are present and none may be issued
>> 4. Shutting Down - our existing server stop process / reload admin mode
>> The following transitions are allowed:
>> 1. Running → Suspending: Transition occurs at user request (to suspend
>> or gracefully shut down).
>> 2. Suspending → Suspended: Transition occurs when all permits are cleared.
>> 3. Suspending → Running: Transition occurs at user request (to exit
>> suspend mode or cancel graceful shutdown before it completes).
>> 4. Suspended → Running: Transition occurs at user request (to exit
>> suspend mode).
>> 5. Suspended → Shutting Down: Transition occurs automatically (if a
>> graceful shutdown was requested) or at user request (if a shut down
>> request of any kind is entered in the Suspended state).
>> 6. Running → Shutting Down: Transition occurs at user request (to shut
>> down the server "un-gracefully").
>> 7. Suspending → Shutting Down (User aborts a graceful shutdown)
>> These "permits" are issued by the "Shutdown Manager", whose
job is to
>> manage these states. They are issued corresponding to the following events:
>> 1. The invocation of an EJB method
This sounds like an EJB component interceptor needs to be changed to
handle this part.
>> 2. The creation of a web session
Would this be handled by an org.apache.catalina.Valve or some equivalent?
>> 3. A creation of a transaction
What is the use case that requires this that is not already issuing a
permit at a higher (top level) container?
>> 4. MessageEndpoint and WorkManager aquire permit allowing for
>> from a thirdparty to indicate connection close.
What is the hook/API for plugging into these so the shutdown manager can
5. Unmanaged Thread use
No one has mentioned naked or unmanaged threads. Can naked threads also
call the Shutdown Manager? If yes, I think the Shutdown Manager API
needs to be public so that custom threads could also participate in
>> When a permit cannot be issued due to the server shutting down, a
>> standard exception message should be produced so that the user can see a
>> familiar error message regardless of what mechanism is used to access
>> the server.
Sounds like a good idea. The Shutdown Manager should probably throw the