Jump to: navigation, search

Hudson-ci/features/Restart Within Hudson

Restart Within Hudson

Configuration changes that require Hudson restart to take effect should provide a Restart link or button.

Unfortunately, the CLI restart or soft-restart methods, which call Hudson.restart and Hudson.safeRestart, respectively, don't handle many of the necessary use cases by default. A Hudson restart link based on these methods would too often fail. It is one thing to leave an opening for plugins to implement, but quite another to depend on the kindness of plugins for basic Hudson operations. The default Lifecycle implementation needs to be in some sense universal, even if it requires the cooperation of system administrators.

Requirements

In the following, "correct restart" means restart specifically tailored to the environment in which the Hudson instance is running. "System administrator" is a person who provisions and deploys the Hudson instance. "Hudson admin" is a person with admin privileges in Hudson. Sometimes these are the same people; sometimes not.

  • The current Lifecycle API must be preserved, for compatibility with existing plugin extensions. The new default mechanism will only be invoked if the hudson.lifecycle system property is not specified.
  • It must be possible for a system administrator to preconfigure Hudson for correct restart. This is particularly important for "no-admin" uses of Hudson.
  • Restart must require Hudson admin privileges (ACL.SYSTEM).

Design Approach

There are two ways to provide a safe restart. The first is to add a plugin that extends hudson.lifecycle.Lifecycle and add the hudson.lifecycle Java property to the command line that launches Hudson. This option was also available in previous releases. The second is by using a new feature, Restart Command, that allows restart with OS scripts.

The Restart Command allows a system administrator to specify a command or provide a script during Hudson startup. This is most suited to Hudson running in containers like Tomcat, etc. which provide easy application restart from the command line, but as the example shows, can be adapted to almost any scenario.

Restart Command

Correct restart is a multi-dimensional problem, different for each OS, service implementation and container (Tomcat, Jetty, GlassFish, etc.). The Lifecycle extension point is not well suited for multi-dimensional invocation, e.g., the OS is X AND the container is Y and (the container does not support single application restart OR the application name/war file location in the container is Z). While certain tricks, like replacing the Hudson WAR file, work to restart the application in many containers, to cover all the possibilites, Lifecycle would need an extension for every possible combination.

Yet, every system administrator already knows or can easily discover a command or script to restart any running Hudson instance. The best and most likely to be correct restart mechanism would leverage those commands/scripts and not try to replace it with Java code. The feature described below provides a generic Lifecycle that does.

Two new ways are provided for the system administrator to configure correct restart:

  • by providing a hudson-restart file in the $HUDSON_HOME provisioned for the Hudson instance or
  • by specifying a restart command on the command line when Hudson is invoked.

Command

In a nutshell, restart within Hudson will invoke a system administrator--supplied command.

Since the command is presumed to restart Hudson, it may not return at all. If it does return, it is expected to return successfully. If the restart command fails, restart will fail.

If the restart command is not specified, the existing default Lifecycle mechanism will be invoked.

If the hudson.lifecycle system property is specified, the restart command, if any, will not be used.

Default Restart Script

To allow system administrators to pre-configure Hudson for correct restart, if a restart script is present in HUDSON_HOME the initial value of the restart command will be set to invoke the script. The script must be named hudson_restart[.extension].

The script or program may have an extension, e.g., .bat on Windows or .sh, .bash, .py, etc. on Unix, but it doesn't matter what it is; in all cases, it will be invoked as a program.

The script must be executable.

The script should be specific to the environment in which the HUDSON_HOME is used.

Restart System Property

Even if a restart script is present in HUDSON_HOME, a system administrator may change the restart command to do something else, effectively ignoring the script, using the command line option:

-Dhudson.restart=value

The value of the hudson.restart system property will be used to initialize the restart command. The correct order of initialization is:

  • If -Dhudson.restart is specified, use that.
  • Otherwise, if a restart script is present, use a command that invokes the script.
  • Otherwise, the restart command is not specified.

Implementation

A new lifecycle, hudson.lifecycle.RestartCommandLifecycle, will be added to Hudson.

hudson.lifecycle.Lifecycle will be modified to use the RestartCommandLifecycle for restart if:

  • a restart script or command has been specified, and
  • the hudson.lifecycle system property is not defined.

The implementation will log a warning message if hudson.lifecycle has been specified and a restart script or command have been provided.

Example

This simple example shows how one might use the restart command to reliably restart Hudson no matter how it is started, with the added virtue that if Hudson exits for any reason, it will automatically restart. It involves two scripts, run-hudson and stop-hudson. If you put a hudson-restart script in HUDSON_HOME, it should call stop-hudson. Here, we will use the hudson.restart system property.

File ~/run-hudson.bash

#!/bin/bash
while :
do
    # start Hudson asynchronously, e.g., from war - note the kill.key and hudson.restart
    java -Dkill.key=secret -Dhudson.restart=/Users/bobfoster/stop-hudson.bash -jar <path-to-war>/hudson.war &
    trap "break" SIGINT SIGTERM
    # receiving trapped signal makes wait return, then trap executes
    wait ${!}
    sleep 1
    echo "Restarting Hudson"
done
echo "Killing child process"
pkill -P "$$"
exit

If the Java process running Hudson is stopped for any reason, run-hudson will restart it. So to restart Hudson, all we need is a script to kill the Java process. This is where the "secret key" comes in. The kill.key property means nothing to Hudson, but it can be used to identify the process.

File ~/stop-hudson.bash

#!/bin/bash
HUDSON_PID="`ps -axu bobfoster | grep "kill.key=secret" | grep -v grep | awk -F, 'BEGIN { FS = "[ \t]+" } { print $3}'`"
if [ "$HUDSON_PID" != "" ]
then
  echo "killing $HUDSON_PID"
  kill $HUDSON_PID
fi

When stop-hudson is called from the Restart button on the Plugin Manager page, the run-hudson output stream will look something like the following:

Jul 6, 2013 12:02:40 PM org.eclipse.hudson.plugins.PluginCenter doRestart
INFO: Safely restarting Hudson...
Jul 6, 2013 12:02:40 PM hudson.model.Hudson$17 run
INFO: Restart in 10 seconds
Jul 6, 2013 12:02:50 PM hudson.model.Hudson$17 run
SEVERE: Restarting VM as requested by bob
Jul 6, 2013 12:02:50 PM hudson.lifecycle.RestartCommandLifecycle restart
INFO: Executing restart command: /Users/bobfoster/stop-hudson.bash
2013-07-06 12:02:57.951:INFO:oejsh.ContextHandler:stopped o.e.j.w.WebAppContext{/,file:/Users/bobfoster/committer/org.eclipse.hudson.core/hudson-war/target/hudson-war-3.1.0-SNAPSHOT/},file:/Users/bobfoster/committer/org.eclipse.hudson.core/hudson-war/target/hudson-war-3.1.0-SNAPSHOT.war
2013-07-06 12:02:58.006:INFO:oejut.ShutdownThread:shutdown already commenced
Restarting Hudson
/Users/bobfoster/committer/org.eclipse.hudson.core/hudson-war/target/hudson-war-3.1.0-SNAPSHOT.war
...

The "Restarting Hudson" message comes from the run-hudson script. All others are from Hudson.

Notes:

  1. This technique of having another process restart Hudson is more reliable than having a child process of Hudson (the hudson-restart script) kill Hudson and relaunch it.
  2. While some servers allow you to restart a single application in the same JVM, it is risky to do so. Unless all instances and classes of the previously running Hudson are garbage-collected, several restarts will exhaust permgen. It is more reliable to relaunch the entire server. Therefore it is a good practice to run only one application per server, so other applications aren't affected.
  3. If the run-hudson script always restarts Hudson, how do you stop Hudson gracefully? Easy, just kill run-hudson. The trap will break out of the loop, kill the child (Java) process and exit.

Restart Links or Buttons

Restart links should not be shown unless Lifecycle.get().canRestart() returns true. Otherwise, a message like "Restart required for changes to take effect" should be displayed.

A restart link should show the single word Restart and should call Hudson.safeRestart.

Plugin Manager

The Plugin Manager will show a restart link if a) a plugin is updated or a plugin is loaded that requires restart, and b) if Lifecycle.get().canRestart() returns true.