On Thu, 05-11-2009 at 20:23 +0100, RalfGesellensetter wrote:
> On Thursday, 5 November 2009, RalfGesellensetter wrote:
> > Please follow recent IRC log on #debian-edu to find some alternative
> > approaches on clearing left-behind processes deliberately (rather
> > than killing arbitrary unidentified processes).
>
>
> Dear list, only now I find the time to summarize some thoughts from IRC:
>
> <RalfG> h01ger: I start to understand what you dislike about killer. It
> kills processes not on purpose, but arbitrarily -- like a redneck
> (alternative package name?) shooting at everything that doesn't match
> his patterns.
> <RalfG> I tend to agree that this approach is "bad" as it must fail as
> soon as you introduce new roles unknown to killer.
>
> <RalfG> On the contrary, the
> clean-up-left-behind-processes-after-logout-script should follow a
> simple and clean policy like this:
> <RalfG> get a list of users who were logged in today - and if they
> aren't logged in anymore, kill _their_ processes.
> <RalfG> all needed for this can be found (again) in last.
> <RalfG> alternatively, you could follow /var/log/auth.log and wait for
> "logout" messages. But this log is on tjener, I think.
>
> <RalfG> Yet another approach could be to have processes of users killed,
> that are members of a given group (student) unless they are still logged
> in.
>
> <RalfG> h01ger: this command shows all user sessions that have been
> closed today:
> grep "session closed" /var/log/auth.log |grep -v "user root" | grep -v \
> "user daemon" | grep -v "user nobody" |grep "`LANG=C date +"%b %_d"`" \
> |cut "-d " -f12 |sort -u | grep ... | tr '[A-Z]' '[a-z]'
>
> <RalfG> Now find users who are still logged in:
> LANG=C last |grep "still logged in" | cut "-d " -f1 | sort -u
>
> <RalfG> note: there might be ambiguous names as logins are truncated to 8
> characters.
> <RalfG> Now I could do a "grep -v" on every line there to remove still
> logged in users...
>
> <RalfG> rather than triggering the
> clean-up-left-behind-processes-after-logout-script every hour, wouldn't
> it be great just to write a watchdog for auth.log - something like
> "tail -f /var/log/auth.log" that issues a pkill whenever a (regular)
> user closes their session?
> <RalfG> of course, this would mean, that all processes are killed if one
> of several sessions owned by the same user is closed (unless
> doublechecking "who").
> <RalfG> and, of course, this script should not regard old entries in
> auth.log in case it is started much after boot time
>
> Now, I think a combination of both should be possible (do the filtering
> on tail -f) -- and yes, of course, users who are permanently logged in
> will not be regarded (maybe by nightkill in debian-edu-config?).
>
> There was also a discussion that virtually the session manager (like
> LDM) should do the job in a proper way, but then, there is also KDM and
> GDM, and it is hard to convince their upstreams to find a common way of
> purging closed sessions. Hence the watchdog for auth.log seems to be a
> straightforward way to go (to me), what do you think?
>
> First steps could be auxiliary scripts like test-if-user-is-logged-in
> (checking in who).
>
> Then I wonder, if there isn't a mother process to all processes run
> within a session, so that the only thing to do is killing this embedding
> process at logout time?

Just in case it might help:

Last year, when I gave up using killer because of it killing ssh sessions, I implemented that kind of routine in ControlAula.

In http://paste.debian.net/50868/ you can see the code (for 72 hours from now).

When using gnome, one of the common zombie processes is gnome-panel. If a user logs in with gnome-panel running as a zombie with his own login, the desktop is totally broken, so ControlAula is calling this killer() routine with a watch timer every 10 seconds.

The approach is similar to yours, but using 'who' instead of 'last'. It just gets a list of the logged users and another list with the logged processes with their user id. It compares them and kills all the processes whose uid is not logged in and is between 1000 and 65535 (to avoid killing services and processes launched under the "nobody" user).

It's quite simple and has been working perfectly for our purposes for about a year in our schools.

Regards.
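The `who`-versus-process-list comparison described in the reply above, as an added sketch that is not ControlAula's code or part of the original message. The function names, the `ps` invocation and the explicit skip of uid 65534 (Debian's `nobody`, which lies inside the stated 1000-65535 range) are assumptions made here; it compares numeric uids to sidestep truncated login names, fails closed when a name from `who` cannot be resolved, and defaults to a dry run.

```python
import os
import pwd
import signal
import subprocess

UID_MIN, UID_MAX = 1000, 65535   # range given in the message
NOBODY_UID = 65534               # assumption: Debian's "nobody", inside that range


def _uid_of(name):
    return pwd.getpwnam(name).pw_uid   # raises KeyError for unknown names


def logged_in_uids(who_output, resolve=_uid_of):
    """Map the first column of `who` output to a set of numeric uids."""
    return {resolve(line.split()[0])
            for line in who_output.splitlines() if line.strip()}


def orphaned_pids(who_output, ps_output, resolve=_uid_of):
    """PIDs owned by regular users who have no login session left."""
    try:
        active = logged_in_uids(who_output, resolve)
    except KeyError:
        return []   # fail closed: cannot tell who is active, so kill nothing
    victims = []
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) != 2 or not all(f.isdigit() for f in fields):
            continue   # skip malformed lines instead of guessing
        pid, uid = int(fields[0]), int(fields[1])
        if UID_MIN <= uid <= UID_MAX and uid != NOBODY_UID and uid not in active:
            victims.append(pid)
    return victims


def sweep(dry_run=True):
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True,
                                      check=True).stdout
    # List processes first, sessions second: a user who logs in between the
    # two calls is then in `who` and owns nothing in the older process list.
    ps = run("ps", "-e", "-o", "pid=", "-o", "uid=")   # headerless columns
    who = run("who")
    for pid in orphaned_pids(who, ps):
        if dry_run:
            print("would terminate", pid)
            continue
        try:
            os.kill(pid, signal.SIGTERM)
        except ProcessLookupError:
            pass   # process exited between listing and signalling


if __name__ == "__main__":
    sweep(dry_run=True)
```
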