Our current abortAync method has accrued some complexity because we are, in effect, directly mutating global state (i.e., see the reason ExitDisabledTest exists at all).

Also, there are only two cases in which we quit Marathon:

• A TERM signal was sent (in which case, hooks added by sys.addShutdownHook are run)
• We need to crash because something terrible happened (lost leadership, connection to ZooKeeper)

Coming down gracefully involves, at best, abdicating our leadership; something which will happen by virtue of terminating the TCP socket, which the kernel / JVM should handle for us.

You can make arguments that we should try and finish any pending writes to ZooKeeper... but relying on being able to finish writes is not ideal. We should generally write our code counting on the fact that things could crash and burn at any time. As such, we should probably just crash hard.

Therefore, I propose we:

• Implement a CrashStrategy interface with a single method: crash.
• At best, make this method crash immediately by calling runtime.halt. At worst, have this method call sys.exit, and then, after some time, runtime.halt. Either way, the method returns Nothing in much the same way that throwing an Exception returns nothing.
• Delete ExitDisabledTest and, instead, provide an instance for CrashStrategy in tests which simply throws a java.lang.Error, and then provides some getter to check to see if crash was called.
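
A sketch of the three proposed pieces, added here as an example and not taken from the issue or from Marathon's code base. Only the names CrashStrategy and crash come from the text above; the reason parameter, the exit codes, the grace period and every other name are assumptions made for illustration.

```scala
import java.util.concurrent.atomic.AtomicReference
import scala.concurrent.duration._

// Only CrashStrategy and crash are named in the issue; everything else is hypothetical.
sealed abstract class CrashReason(val exitCode: Int) // exit codes are constructed values
case object LeadershipLost extends CrashReason(103)
case object ZookeeperConnectionLost extends CrashReason(104)

trait CrashStrategy {
  // Result type Nothing: the call never returns normally, like a throw.
  def crash(reason: CrashReason): Nothing
}

// "At best": halt at once; shutdown hooks and finalizers do not run.
object HaltImmediately extends CrashStrategy {
  override def crash(reason: CrashReason): Nothing = {
    Runtime.getRuntime.halt(reason.exitCode)
    throw new IllegalStateException("halt returned") // satisfies Nothing; not reached
  }
}

// "At worst": sys.exit runs shutdown hooks, and a watchdog halts if they hang.
final class ExitThenHalt(grace: FiniteDuration) extends CrashStrategy {
  override def crash(reason: CrashReason): Nothing = {
    val watchdog = new Thread(new Runnable {
      override def run(): Unit = {
        try Thread.sleep(grace.toMillis)
        catch { case _: InterruptedException => () }
        Runtime.getRuntime.halt(reason.exitCode)
      }
    }, "crash-watchdog")
    watchdog.setDaemon(true) // must not itself keep the JVM alive
    watchdog.start()         // started first: sys.exit blocks while hooks run
    sys.exit(reason.exitCode)
  }
}

// Test instance: records the call and throws instead of killing the test JVM.
final class RecordingCrashStrategy extends CrashStrategy {
  private val recorded = new AtomicReference[Option[CrashReason]](None)
  def crashedWith: Option[CrashReason] = recorded.get()
  override def crash(reason: CrashReason): Nothing = {
    recorded.set(Some(reason))
    throw new Error(s"crash requested: $reason")
  }
}
```

Because the strategy is passed in rather than reached through global state, a test can hand a RecordingCrashStrategy to the component under test and check crashedWith afterwards.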


              • Assignee:
                ivanchernetsky Ivan Chernetsky
                tharper Tim Harper
                Orchestration Team
                Jason Gilanfarr (Inactive), Marco Monaco