Subject: Re: raidframe, cgd and parity errors
To: None <tech-kern@NetBSD.org>
From: Alan Barrett <apb@cequrux.com>
List: tech-kern
Date: 05/09/2005 11:52:43
On Mon, 09 May 2005, Daniel Carosone wrote:
> > It might be worse to consider raid on cgd on vnd on ffs.  The raid's
> > shutdown hooks will be run [potentially?] after the ffs is unmounted.
> 
> If this is a problem, perhaps the solution is to make the filesystem
> unmounts be shutdown hooks too (added at mount time) so the ordering
> is appropriately preserved.

This is the problem that I was worried about when I asked whether the
shutdownhook mechanism was adequate to the task.  I now believe that
the shutdownhook mechanism is fine, but the vfs_shutdown() mechanism is
broken.

At present, filesystems are unmounted using a mechanism that
predates shutdownhooks.  See the MD cpu_reboot() functions in
src/sys/arch/*/*/*machdep.c, which call vfs_shutdown() before calling
doshutdownhooks().  I think it would make sense to change that, and use
shutdownhooks for unmounting.  To match current behaviour, the unmount
hooks would have to honour the RB_NOSYNC flag.

My proposal is:

   Every mount of every filesystem registers a shutdownhook which will
   unmount the filesystem with or without syncing, depending on the
   RB_NOSYNC flag.  (One shutdownhook per mount, not one per filesystem
   type.)  vfs_shutdown() is replaced by these shutdownhooks.

   Every cgd, raidframe, ccd, vnd, and similar device registers a
   shutdownhook which will unconfigure the device cleanly or quickly,
   depending on the RB_NOSYNC flag.  (One shutdownhook per device, not
   one per driver.)

   Every swap partition registers a shutdownhook which will unconfigure
   the device.  (One shutdownhook per partition.)

   Most of the other stuff that is done by MD cpu_reboot() is also moved
   to shutdownhooks.  For stuff that is currently invoked conditionally,
   move the conditional test from cpu_reboot() into the shutdownhook.

--apb (Alan Barrett)
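The following is an added user-space model of the ordering problem and the proposed fix, not NetBSD source and not code from the thread. It mimics the shutdownhook_establish(9)/doshutdownhooks() contract (hooks run in reverse order of registration) with a plain linked list, takes the stack raid on cgd on vnd on ffs from the quoted message, and assumes a global `boothowto` carrying RB_NOSYNC, the layer names (wd0a, vnd0, cgd0, raid0, raid0a) and the idea that vfs_shutdown() unmounts last-mounted-first; all of those are assumptions of the model. `shutdown_current()` follows the cpu_reboot() order described above (vfs_shutdown() before doshutdownhooks()); `shutdown_proposed()` lets every mount register its own hook and runs doshutdownhooks() alone.

```c
/* Added example: user-space model of shutdown ordering. Not kernel code.
 * Assumptions: the hook list, the layer names, a global `boothowto` and
 * the unmount order of vfs_shutdown() are all invented for the model. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RB_NOSYNC 0x04          /* value from sys/reboot.h; only a flag here */

static int boothowto;           /* howto bits for the pending shutdown */

struct shutdownhook {
    void (*fn)(void *);
    void *arg;
    struct shutdownhook *next;
};

static struct shutdownhook *hooks;   /* most recently established first */

/* Model of shutdownhook_establish(9): a hook established later runs
 * earlier, which is what makes a stacked device tear down top-down. */
static void shutdownhook_establish(void (*fn)(void *), void *arg)
{
    struct shutdownhook *h = malloc(sizeof *h);
    if (h == NULL)
        abort();
    h->fn = fn;
    h->arg = arg;
    h->next = hooks;
    hooks = h;
}

static void doshutdownhooks(void)
{
    while (hooks != NULL) {
        struct shutdownhook *h = hooks;
        hooks = h->next;        /* unlink before running: never run twice */
        (*h->fn)(h->arg);
        free(h);
    }
}

/* One configured layer: a mount or a pseudo-device, in configure order. */
struct layer {
    const char *name;
    int is_mount;
};

static struct layer stack[] = {
    { "wd0a",   1 },    /* filesystem holding vnd0's backing file */
    { "vnd0",   0 },    /* vnd0 on a file in wd0a */
    { "cgd0",   0 },    /* cgd0 on vnd0 */
    { "raid0",  0 },    /* raid0 on cgd0 */
    { "raid0a", 1 },    /* filesystem on raid0a */
};
#define NSTACK (sizeof stack / sizeof stack[0])

static char order[256];         /* teardown order, space separated */
static size_t orderlen;

/* Records one unconfigure/unmount and whether it honoured RB_NOSYNC. */
static void record(const struct layer *l)
{
    const char *how = (boothowto & RB_NOSYNC) ? "nosync" : "sync";
    orderlen += (size_t)snprintf(order + orderlen, sizeof order - orderlen,
                                 "%s%s(%s)", orderlen ? " " : "", l->name, how);
}

static void unconfigure_hook(void *arg)
{
    record(arg);
}

static void reset(int howto)
{
    boothowto = howto;
    order[0] = '\0';
    orderlen = 0;
}

/* Proposed scheme: every mount and every device registers one hook when
 * it is configured; cpu_reboot() then needs only doshutdownhooks(). */
const char *shutdown_proposed(int howto)
{
    reset(howto);
    for (size_t i = 0; i < NSTACK; i++)
        shutdownhook_establish(unconfigure_hook, &stack[i]);
    doshutdownhooks();
    return order;
}

/* Current scheme as described above: vfs_shutdown() unmounts every
 * filesystem (modelled as last-mounted-first), then the device hooks run.
 * wd0a is already unmounted when vnd0's hook runs. */
const char *shutdown_current(int howto)
{
    reset(howto);
    for (size_t i = 0; i < NSTACK; i++)
        if (!stack[i].is_mount)
            shutdownhook_establish(unconfigure_hook, &stack[i]);
    for (size_t i = NSTACK; i-- > 0; )          /* vfs_shutdown() */
        if (stack[i].is_mount)
            record(&stack[i]);
    doshutdownhooks();
    return order;
}

int main(void)
{
    printf("current:  %s\n", shutdown_current(0));
    printf("proposed: %s\n", shutdown_proposed(0));
    printf("proposed, RB_NOSYNC: %s\n", shutdown_proposed(RB_NOSYNC));
    return 0;
}
```

In the proposed order the top filesystem goes first and wd0a last, so each layer's backing store is still configured when its own hook runs; the RB_NOSYNC check lives inside the hook, as the message requires, rather than in cpu_reboot().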