= Proposed System Wide Change: KillUserProcesses=yes by default =
* Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl>
Set the default policy to terminate processes in session scope when
the user logs out. Specifically, systemd-logind's KillUserProcesses
setting, which currently is set to "no" to override the upstream
default, will be removed to follow the upstream default of "yes".
== Detailed Description ==
Since the introduction of systemd-logind a few years back, when a
session is created, systemd hooks into the PAM session creation step
to move the process that starts the session into a separate cgroup.
This means that processes which are started as part of the session can
be reliably tracked, even if they detach from the terminal and
daemonize. When a user session terminates, various processes started
as part of the user session (initally) remain alive. When the session
is terminated, remaining processes receive a HUP signal (*), which can
be and often is ignored.
Under the proposed setting of KillUserProcesses=yes, systemd will
forcibly terminate (using SIGTERM and then SIGKILL) all processes
which are part of the session scope (the cgroup created for the login
session) when the user logs out. In order for a process to avoid being
killed it has to be part of a different systemd unit. For user
processes this can be achieved in two primary ways: by starting the
unit as a service (e.g. 'systemd-run --user /usr/bin/foo', or creating
a dedicated user service unit), or by telling systemd to create a new
scope unit to encompass a specific process (e.g. 'systemd-run --user
--scope /usr/bin/foo', or making a dbus call to create a scope unit
directly). This step can be integrated directly into programs when
this makes sense for their primary use case, e.g. screen.
(*) Whether SIGHUP is sent depends on a few factors: bash sends it
children, tcsh does not, and the kernel also sends SIGHUP to processes
which have a terminal open.
== Scope ==
* Proposal owners:
- work upstream to clarify what is the best way for programs to mark
themselves to survive logout
- update the documentation with more explanations and examples, as we
learn what people find confusing in the current scheme of things
- evaluate a "permissive" mode for KillUserProcesses, to make it
easier to debug processes which stay around after a session terminates
- remove the compile-time override in the systemd package
- work with upstream authors and Fedora maintainers of programs like
screen and tmux to implement the ability to automatically start them
in a way that survives a user session, and if the system policy does
not allow that, to warn the user.
* Other developers:
- cooperate on the last item from previous point
- identify additional services which need to adapt to the changed default.
Different services might merit different handling here: some might be
updated them to start through the non-session-specific dbus instance,
some might need documentation changes, while others possibly should be
handled like tmux and screen.
* Release engineering: N/A
* List of deliverables: N/A (not a System Wide Change)
* Policies and guidelines:
- a Fedora Magazine article or similar to publicize the change would be nice
* Trademark approval: N/A (not needed for this Change)
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic