Re: rc and smf

[Bill Hacker <wbh@xxxxxxxxxxxxx>]

Dan Melomedman wrote:

> Joerg Sonnenberger wrote:
>
> > Actually, this is exactly one of the situations where I don't want
> > automatic, silent restarts. It hides problems, which is in my position
> > even more problematic. "Magic restart" doesn't solve every problem.
> >
> > Joerg
>
>
> Nothing solves every problem. Supervision solves the 'Oops, something
> crashed, and needs to be restarted' problem. If my nearby nuclear power
> plant's reactor monitoring software running on a Unix box gets killed
> due to a memory leak, I want it restarted immediately, not wait for the
> administrator to find out by the time the reactor melts down. 

No you do not.

What you DO want, when *any* fault occurs of that nature, is for a 
totally separate system - usually a 'state machine' - or even *gravity* 
to take over and 'safe' that plant until the real cause is scrutinized 
by a team of experts.  Too much is at stake to blindly restart a daemon 
OR the OS.

Unix has no more business running nuke power plants than Windows.  That 
is specialized RT OS ground.  Or state machines monitored by specialized 
computers. Or both.

> All fault
> tolerant systems have some kind of supervision in software.

All seriously critical ones have hardware / firmware fall-backs and 
manual overrides as well.

All failures be they oil-refinery, chemical plant, power plant or web 
and mail servers *should* be brought to human attention, examined and 
attended to by folks with brains.  That way we can fix them, not be 
victims of them.

Bill