Design notes for graceful startup

Version 5

    Overview

    In EAP 7.0 we introduced the concept of graceful shutdown, which waits for tasks to complete before a server is shut down. It also introduced the concept of 'suspending' a server, allowing requests to be rejected while the server is suspended.

     

    Unfortunately, at the moment there is no way to start a server in suspended mode, and during the startup process it is possible for requests to be accepted by the server before all required services have started. Although these are two separate issues, their solution is similar, so both are covered by this document.

     

    Issue Metadata

    [WFCORE-1829] Allow server to start in suspended mode - JBoss Issue Tracker

    https://issues.jboss.org/browse/EAP7-636

     

    Issues that are a result of requests being handled too early:

    [JBEAP-867] UT005023: Exception handling request: NullPointerException - JBoss Issue Tracker

     

    Design

    All servers will initially start in a suspended state. By default they will be automatically resumed as soon as the boot process has finished. This means that a server that is still in the process of booting will not accept any requests until the server has completely started.

     

    It will also be possible to start a server suspended and not have it resume, allowing modifications to be made before it starts accepting requests. This can be done in the following manner:

     

    • Pass in --start-mode=suspended as a command line argument to a standalone server. Note that this means that if the server is then restarted (using :shutdown(restart=true)) the server will also restart in suspended mode (which is consistent with the current --admin-only behavior). There are no plans to allow the :shutdown command to control the suspend state of the restarted server at this stage. The --start-mode argument can be one of the following: normal, suspended, admin-only. Specifying both --admin-only and --start-mode is disallowed.
    • A new 'start-mode' argument will be added to the :reload command. If this is 'suspended' then the servers will be suspended on start. The allowable values are normal, suspended, admin-only. The existing admin-only flag will be deprecated. Specifying both admin-only and start-mode will be an error.
    • The domain mode start-server(s), restart-server(s) and reload-server(s) commands will have an additional boolean 'suspend' argument added to them to allow domain mode servers to be started, restarted and reloaded into suspended mode.
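
    The standalone rules above, as an added Python model that is not WildFly/EAP code: every server begins suspended, only the normal start mode resumes automatically after boot, a restart keeps the start mode, and combining --admin-only with --start-mode is rejected. The class and method names, the "last value wins" handling of repeated arguments, the refusal to resume before boot has finished, and the treatment of admin-only as simply "no automatic resume" are assumptions of the model.

```python
# Constructed model of the start-mode rules above; not WildFly/EAP source code.
START_MODES = ("normal", "suspended", "admin-only")


def parse_start_mode(argv):
    """Return the start mode requested on a standalone command line."""
    admin_only = "--admin-only" in argv
    values = [a.split("=", 1)[1] for a in argv if a.startswith("--start-mode=")]
    if admin_only and values:
        raise ValueError("--admin-only and --start-mode cannot both be specified")
    if admin_only:
        return "admin-only"
    mode = values[-1] if values else "normal"  # last value wins: model assumption
    if mode not in START_MODES:
        raise ValueError(f"unknown start mode: {mode!r}")
    return mode


class Server:
    def __init__(self, argv):
        self.argv = list(argv)
        self.start_mode = parse_start_mode(self.argv)
        self.booted = False
        self.suspended = True  # every server begins suspended

    def boot_finished(self):
        self.booted = True
        if self.start_mode == "normal":
            self.suspended = False  # automatic resume once boot has finished

    def resume(self):
        """Explicit resume by an administrator (hypothetical method name)."""
        if not self.booted:  # model assumption: no resume while still booting
            raise RuntimeError("cannot resume before boot has finished")
        self.suspended = False

    def restart(self):
        """Model of :shutdown(restart=true): the new instance keeps the start mode."""
        return Server(self.argv)

    def handle_request(self):
        return "rejected" if self.suspended else "accepted"


if __name__ == "__main__":
    server = Server(["--start-mode=suspended"])
    server.boot_finished()
    print(server.handle_request())            # suspended even though boot is done
    server.resume()
    print(server.handle_request())            # accepted after the explicit resume
    print(server.restart().handle_request())  # restart comes back suspended
```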

     

    In addition to the changes to graceful startup, some deployment entry points will be modified so they are not activated until the MSC container has reached stability. This does not affect server startup, but will affect deployment to a resumed server. This means that remote requests will not be accepted by deployments that have not fully deployed.

     

    Initially this will include:

     

    • Undertow deployments will not be registered until stability is achieved
    • Remote EJB will not be available until stability is achieved