Fix system shutdown timeout handling by again supporting longer running

shutdown procedures (which have a duration of more than 120 seconds).

We have two user-space affecting shutdown timeouts: a "soft" one in
/etc/rc.shutdown and a "hard" one in init(8). The first one can be
configured via /etc/rc.conf variable "rcshutdown_timeout" and defaults
to 30 seconds. The second one was originally (in 1998) intended to be
configured via sysctl(8) variable "kern.shutdown_timeout" and defaults
to 120 seconds.

Unfortunately, the "kern.shutdown_timeout" was declared "unused" in 1999
(as it obviously is actually not used within the kernel itself) and
hence was intentionally but misleadingly removed in revision 1.107 from
init_main.c. Kernel sysctl(8) variables are certainly a wrong way to
control user-space processes in general, but in this particular case the
sysctl(8) variable should have remained as it supports init(8), which
isn't passed command line flags (which in turn could have been set via
/etc/rc.conf), etc.

As there is already a similar "kern.init_path" sysctl(8) variable which
directly affects init(8), resurrect the init(8) shutdown timeout under
sysctl(8) variable "kern.init_shutdown_timeout". But this time document
it as being intentionally unused within the kernel and used by init(8).
Also document it in the manpages init(8) and rc.conf(5).

Reviewed by: phk
MFC after: 2 weeks

4 files changed, 35 insertions, 3 deletions

diff --git a/sbin/init/init.8 b/sbin/init/init.8
index 6c39343..833e2f6 100644
--- a/sbin/init/init.8
+++ b/sbin/init/init.8
@@ -31,7 +31,7 @@
 .\"     @(#)init.8	8.3 (Berkeley) 4/18/94
 .\" $FreeBSD$
 .\"
-.Dd April 18, 1994
+.Dd September 15, 2005
 .Dt INIT 8
 .Os
 .Sh NAME
@@ -270,6 +270,12 @@ This script can be used to cleanly terminate specific programs such
 as
 .Nm innd
 (the InterNetNews server).
+If this script does not terminate within 120 seconds,
+.Nm
+will terminate it. The timeout can be configured via the
+.Xr sysctl 8
+variable
+.Va kern.init_shutdown_timeout .
 .Pp
 The role of
 .Nm
diff --git a/sbin/init/init.c b/sbin/init/init.c
index cfba319..393955f 100644
--- a/sbin/init/init.c
+++ b/sbin/init/init.c
@@ -1520,7 +1520,7 @@ runshutdown(void)
 	}
 
 	len = sizeof(shutdowntimeout);
-	if (sysctlbyname("kern.shutdown_timeout",
+	if (sysctlbyname("kern.init_shutdown_timeout",
 			 &shutdowntimeout,
 			 &len, NULL, 0) == -1 || shutdowntimeout < 2)
 	    shutdowntimeout = DEATH_SCRIPT;
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 8dc7d7f..8d4ac2b 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd September 8, 2005
+.Dd September 15, 2005
 .Dt RC.CONF 5
 .Os
 .Sh NAME
@@ -3170,6 +3170,21 @@ If set, start a watchdog timer in the background which will terminate
 if
 .Xr shutdown 8
 has not completed within the specified time (in seconds).
+Notice that in addition to this soft timeout,
+.Xr init 8
+also applies a hard timeout for the execution of
+.Pa rc.shutdown .
+This is configured via
+.Xr sysctl 8
+variable
+.Va kern.init_shutdown_timeout
+and defaults to 120 seconds. Setting the value of
+.Va rcshutdown_timeout
+to more than 120 seconds will have no effect until the
+.Xr sysctl 8
+variable
+.Va kern.init_shutdown_timeout
+is also increased.
 .It Va virecover_enable
 .Pq Vt bool
 Set to
diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c
index 1b35665..fd8ae7a 100644
--- a/sys/kern/init_main.c
+++ b/sys/kern/init_main.c
@@ -499,6 +499,17 @@ SYSCTL_STRING(_kern, OID_AUTO, init_path, CTLFLAG_RD, init_path, 0,
 	"Path used to search the init process");
 
 /*
+ * Shutdown timeout of init(8).
+ * Unused within kernel, but used to control init(8), hence do not remove.
+ */
+#ifndef INIT_SHUTDOWN_TIMEOUT
+#define INIT_SHUTDOWN_TIMEOUT 120
+#endif
+static int init_shutdown_timeout = INIT_SHUTDOWN_TIMEOUT;
+SYSCTL_INT(_kern, OID_AUTO, init_shutdown_timeout,
+	CTLFLAG_RW, &init_shutdown_timeout, 0, "");
+
+/*
  * Start the initial user process; try exec'ing each pathname in init_path.
  * The program is invoked with one argument containing the boot flags.
  */