Ë BjTCãó—UdZddlmZddlZddlZddlZddlZddlZddlZddl m Z ddlmZm Z mZmZiZded<dD]Zeeed«Ze€Œeeee«<Œdd „Zdd „Zdd„Zdd„Zddd „Zddœ dd„Zdd„Zdd„Zdd„Zdd„Zy)uShutdown forensics â€” capture context when the gateway receives SIGTERM/SIGINT. The gateway's ``shutdown_signal_handler`` runs synchronously inside the asyncio event loop. We can't safely block it for long, but we DO want a durable record of who/what triggered the shutdown so that "the gateway keeps dying" incidents can be diagnosed after the fact. This module exposes :func:`snapshot_shutdown_context`, a fast (<10ms), non-blocking probe that returns a structured dict the signal handler can log immediately, plus :func:`spawn_async_diagnostic`, a fire-and-forget ``ps`` walk that runs as a detached subprocess so it can't block teardown even if /proc is wedged. Anything that needs to wait (e.g. shelling out to ``ps aux``) belongs in the async helper, never in the synchronous probe. é)ÚannotationsN)ÚPath)ÚAnyÚDictÚListÚOptionalzDict[int, str]Ú_SIGNAL_NAME_BY_NUM)ÚSIGTERMÚSIGINTÚSIGHUPÚSIGQUITÚSIGUSR1ÚSIGUSR2có’—|€y t|«}tj|d|›«S#ttf$rt|«cYSwxYw)zBReturn a human-readable signal name (or ``str(sig)`` as fallback).ÚUNKNOWNzsignal#)ÚintÚ TypeErrorÚ ValueErrorÚstrr Úget)ÚsigÚsig_ints ú?/home/ubuntu/.hermes/hermes-agent/gateway/shutdown_forensics.pyÚ_signal_namer%sS€à €{ØðÜc“(ˆô×"Ñ" 7¨g°g°YÐ,?Ó@Ð@øô ”zÐ"òÜ3‹xŠðús…)©AÁAcó— td|›dd¬«5}|D]D}|j|dz«sŒ|jdd«dj«ccddd«S ddd«y#1swYyxYw#tt tf$rYywxYw)zIRead a single field from /proc//status. Linux only; None elsewhere.ú/proc/z/statusúutf-8©Úencodingú:éN)ÚopenÚ startswithÚsplitÚstripÚFileNotFoundErrorÚPermissionErrorÚOSError)ÚpidÚkeyÚfhÚlines rÚ_read_proc_fieldr-0s›€ð Ü F˜3˜%˜wÐ'°'Ô :ð 9¸bØò 9Ø—?‘? 3¨¡9Õ-ØŸ:™: c¨1Ó-¨aÑ0×6Ñ6Ó8Ñ8÷ 9ñ 9ñ 9÷ 9ð÷ 9ðûô œ´Ð8ò ØØð ús?‚A3“A'®$A'Á A3ÁA'ÁA3Á'A0Á,A3Á0A3Á3B Â B có — td|›dd«5}|j«}ddd«sy|jdd«j dd¬ «j«S#1swYŒ=xYw#tttf$rYywxYw) zLRead /proc//cmdline as a printable string. Linux only; None elsewhere.rz/cmdlineÚrbNóó rÚreplace)Úerrors)r"Úreadr&r'r(r2Údecoder%)r)r+Údatas rÚ_read_proc_cmdliner7<s†€ðÜ F˜3˜%˜xÐ(¨$Ó /ð °2Ø—7‘7“9ˆD÷ ñØà<‰<˜ Ó&×-Ñ-¨g¸iÐ-ÓH×NÑNÓPÐP÷ ð ûäœ´Ð8òÙðús'‚A+’A£A+ÁA(Á$A+Á+BÂBcó:—d|i}|dkr|St|d«}|||d<t|d«}|||d<t|d«}| t|«|d <t|d «}||r|j«dn||d<t |«}|r|dd|d <|S#t$rYŒJwxYw)zŒCompact /proc/ snapshot: pid, ppid, state, uid, cmdline. Best-effort. Missing fields are simply omitted rather than raising. r)rÚNameNÚnameÚStateÚstateÚPPidÚppidÚUidÚuidé,Úcmdline)r-rrr$r7)r)Úsummaryr:r<r>r@rBs rÚ _proc_summaryrDIsÔ€ð % c˜l€GØ ˆa‚xØˆÜ˜C Ó(€DØÐØˆ‰Ü˜S 'Ó*€EØÐØ ˆÑÜ˜C Ó(€DØÐð Ü! $›iˆGF‰Oô˜3 Ó &€CØ €á+.˜Ÿ™› Qš°Cˆ‰Ü Ó%€GÙà$ T c˜]ˆ ÑØ€Nøôò Ùð úsÁBÂ BÂBc óÄ—tj«}tj«}tj«}tj«}||t|«|t |«nd||t|«t|«dœ}tjjd«}|r||d<tjjd«}|r||d<t|«xs|dk(|d< tj«d |d < t|d«}|N|dk7rI|j«rt |«n||d <|j«rtt |««nd|d< tjjd«} | r‡t%| «dz} | j'«r. | j)d¬«}|dd|d<d|›|vxsd|›|v|d<t%| «dz}|j'«r |j)d¬«}|dd|d<|S|S#ttf$rYŒwxYw#t t"f$rYŒÒwxYw#t$rYŒswxYw#t$rY|SwxYw#t*$rY|SwxYw)a'Fast (<10ms) snapshot of who/what is asking us to shut down. Captures: * The signal number/name (so SIGINT vs SIGTERM is visible) * Our own PID/ppid + parent process info from /proc (Linux) * Whether systemd is our parent (``ppid==1`` or ``INVOCATION_ID`` set) * Whether takeover/planned-stop markers exist (consumed lazily by the caller) * /proc/self limits + load average (1-min) * Wall-clock and monotonic timestamps for cross-correlating later phases Pure stdlib, never raises, never blocks on subprocesses. N)ÚtsÚts_monotonicÚsignalÚ signal_numr)r>ÚparentÚselfÚ INVOCATION_IDÚsystemd_invocation_idÚJOURNAL_STREAMÚsystemd_journal_streamr!Ú under_systemdrÚ loadavg_1mÚ TracerPidÚ0Ú tracer_pidÚtracerÚHERMES_HOMEz.gateway-takeover.jsonrrrAÚtakeover_markerz"target_pid": z'target_pid': Útakeover_marker_for_selfz.gateway-planned-stop.jsonÚplanned_stop_marker)ÚtimeÚ monotonicÚosÚgetpidÚgetppidrrrDÚenvironrÚboolÚ getloadavgr(ÚAttributeErrorr-ÚisdigitrrrÚexistsÚ read_textÚ Exception) Úreceived_signalÚnowr[r)r>ÚctxÚ invocation_idÚjournal_streamrUÚhermes_home_strÚ takeover_pathÚrawÚplanned_stop_paths rÚsnapshot_shutdown_contextrphs‹€ô)‰)‹+€CÜ—‘Ó €IÜ )‰)‹+€CÜ :‰:‹<€DðØ!Ü˜Ó/Ø.=Ð.I”c˜/Ô*ÈtØØÜ Ó%Ü˜cÓ"ñ €Cô—J‘J—N‘N ?Ó3€MÙØ'4ˆÐ#Ñ$Ü—Z‘Z—^‘^Ð$4Ó5€NÙØ(6ˆÐ$Ñ%Ü Ó.Ò;°$¸!±)€CˆÑð ÜŸM™M›O¨AÑ.ˆˆLÑð Ü! # {Ó3ˆØÐ &¨C¢-Ø/5¯~©~Ô/?¤ F¤ÀVˆCÑØ:@¿.¹.Ô:JœM¬#¨f«+Ô6ÐPTˆC‰Mð ÜŸ*™*Ÿ.™.¨Ó7ˆÙÜ Ó1Ð4LÑLˆMØ×#Ñ#Ô%ðØ'×1Ñ1¸7Ð1ÓCCØ-0°°#¨YCÐ)Ñ*à(¨¨Ð.°#Ð5ò9Ø+¨C¨5Ð1°SÐ8ðÐ2Ñ3ô!% _Ó 5Ð8TÑ TÐØ ×'Ñ'Ô)ðØ+×5Ñ5¸wÐ5ÓGCØ14°T°c°CÐ-Ñ.ð€Jˆ3€Jøô[ ”^Ð$ò Úð ûô ”zÐ"ò Ùð ûô,òÙðûôòØð€Jðûäò Øà€Jð úsyÃ&HÄAHÅ?IÆ-H3ÇIÇ*IÈHÈHÈH0È/H0È3 H?ÈH?È?IÉ IÉIÉIÉIÉ IÉIg@)Útimeout_secondscó†— |jjdd¬«tjdk(ryd|›dtj«›d} tjt|«t jt jzt jzd«} tjd |d ›dd|g|tjtjdd¬ «} tj"|«|j$S#t$rYywxYw#t$rYywxYw#t tf$rN tj"|«n#t$rYnwxYwY tj"|«y#t$rYywxYwwxYw#t$rY|j$SwxYw# tj"|«w#t$rYwwxYwxYw)aœFire-and-forget ``ps``-style snapshot written to ``log_path``. Runs as a detached subprocess so it can't block the asyncio event loop or compete with platform teardown. The subprocess uses its own ``timeout`` so a wedged ``ps`` still self-cleans within ``timeout_seconds``. Returns the subprocess PID on success, ``None`` on failure. Never raises. We deliberately avoid ``subprocess.run(["ps", "aux"])`` from inside the signal handler (the pre-existing pattern): on a busy host with hundreds of processes, ``ps aux`` can take >2s to walk /proc, during which the asyncio loop is frozen and adapter teardown can't begin. T)ÚparentsÚexist_okNÚwin32z echo '=== shutdown diagnostic @ zº ==='; echo '--- date ---'; date -u +%Y-%m-%dT%H:%M:%SZ; echo '--- ps auxf (top 60 by cpu) ---'; ps auxf --sort=-pcpu 2>/dev/null | head -60; echo '--- pstree of self ---'; pstree -plau a 2>/dev/null | head -40 || true; echo '--- /proc/loadavg ---'; cat /proc/loadavg 2>/dev/null || true; echo '--- recent dmesg (oom/killed) ---'; dmesg -T 2>/dev/null | tail -20 || journalctl --user -n 20 --no-pager 2>/dev/null | tail -20 || true; echo '=== end ==='i¤Útimeoutz.0fÚbashz-c)ÚstdoutÚstderrÚstdinÚstart_new_sessionÚ close_fds)rJÚmkdirr(ÚsysÚplatformr\r]r"rÚO_WRONLYÚO_CREATÚO_APPENDÚ subprocessÚPopenÚSTDOUTÚDEVNULLr&Úcloser))Úlog_pathÚsignal_namerqÚscriptÚfdÚprocs rÚspawn_async_diagnosticrÅs®€ð*Ø‰×Ñ d°TÐÔ:ô‡||wÒØð+¨;¨-ð8ô Ÿ ™ ›}ð%ð ððôW‰W”S˜“]¤B§K¡K´"·*±*Ñ$<¼r¿{¹{Ñ$JÈEÓ Rˆðô×ÑØ ˜?¨3Ð/°&¸$ÀÐGØÜ×$Ñ$Ü×$Ñ$Ø"Øô ‰ð ÜH‰HRŒLð8‰8€OøôuòÙðûô8òÙðûô" œwÐ'òð ÜH‰HRLøÜò Ùð úàð ÜH‰HRLøÜò Ùð úðûôò Øà8‰8€Oð ûð ÜH‰HRLøÜò Ùð ýs´‚DÁADÂ >DÃ E?Ä D ÄD Ä DÄDÄE<Ä/EÅE<Å EÅE<ÅEÅE<ÅFÅE,Å, E8Å7E8Å;E<Å$s‘ÀC€HØ€FØ ‡wwÐ Ó!Ð-Ø—7‘7Ð5Ó6ˆØ ‰ Ø&±¡v¸wÐ&GÐHô ð‡wwÐ$Ó%Ð1Ø ‰ Ð7Ô8Ø ‡wwˆ|ÔØ ‰ ˜ C¨Ñ$5Ð#6Ð7Ô8Ù-3#˜Ÿ™ Ó(Ò(¸€Jð#ðØ&˜ð(Ø \ð"Ø"mð$ØZØˆ,ðØ$˜ð )ðócóf— tj|td¬«S#ttf$rYywxYw)zFJSON-serialise a context dict for structured ingestion. Never raises.T)ÚdefaultÚ sort_keysz{})ÚjsonÚdumpsrrr)ris rÚcontext_as_jsonr¨:s1€ðÜz‰z˜#¤s°dÔ;Ð;øÜ”zÐ"òÙðús‚ž0¯0cój—tjjd«}|syd} tdd¬«5}|D]O}d|vsŒ|j «jd«}t |«D]}|jd«sŒ|}n|sŒOnddd«|syd}dggfD]¸} tjd g|¢d ‘|‘d‘ddd ¬«} | jdk7rŒ6| jj«D]b}|j!d«sŒ|jdd«dj «} | j#«rt%| «}nt'| «}|€Œbn|€Œ¸n|€y|dz}d}||z} |||| || kdœS#1swYŒèxYw#ttf$rYŒüwxYw#ttjtf$rYŒwxYw)u.At startup, sanity-check that systemd's TimeoutStopSec >= drain_timeout. When the gateway is run under a stale systemd unit file (e.g. the user upgraded hermes-agent but never re-ran ``hermes setup`` to regenerate the unit), ``TimeoutStopSec`` can be smaller than the configured ``restart_drain_timeout``. Result: SIGTERM arrives, the drain starts, and systemd SIGKILLs the cgroup mid-drain â€” looks like a phantom kill in the journal because the journal only logs ``code=killed status=9``. Returns ``None`` when the alignment is fine OR we can't determine it (not running under systemd, ``systemctl`` unavailable, etc.). Returns a dict with ``timeout_stop_sec`` + ``drain_timeout`` + ``mismatch`` bool when we have data to report. Best-effort. Never raises. rLNz/proc/self/cgrouprrz.serviceú/z--userÚ systemctlÚshowz--property=TimeoutStopUSecTg@)Úcapture_outputÚtextrvrzTimeoutStopUSec=Ú=r!g€„.Ag>@)ÚunitÚtimeout_stop_secÚ drain_timeoutÚexpected_minÚmismatch)r\r_rr"r%r$ÚreversedÚendswithr(r&rƒÚrunÚTimeoutExpiredÚ returncoderxÚ splitlinesr#rcrÚ_parse_systemd_duration_to_us)r²rjÚ unit_namer+r,ÚpartsÚpÚ timeout_usÚflagÚresultÚvaluer±ÚheadroomÚexpecteds rÚcheck_systemd_timing_alignmentrÅBs €ô"—J‘J—N‘N ?Ó3€MÙØð $€Ið ä Ð%°Ô 8ð ¸BØò à Ò%Ø ŸJ™J›L×.Ñ.¨sÓ3EÜ% e›_ò"˜ØŸ:™: jÕ1Ø()˜IÙ!ð"ò!Ùð ÷ ñØð !%€JØ˜RÐ òˆð Ü—^‘^ØÐU˜tÐU VÐU¨YÐUÐ8TÐUØ#¨$¸ôˆFð×Ñ Ò!Øà—M‘M×,Ñ,Ó.ò ˆDØ‰Ð1Õ2ØŸ ™ 3¨Ó*¨1Ñ-×3Ñ3Ó5à—=‘=”?Ü!$ U£‘Jä!>¸uÓ!EJØÑ)Ùð ðÑ!Ùð-ð0ÐØà! KÑ/Ðð€HØ˜xÑ'€HàØ,Ø&Ø Ø$ xÑ/ñð÷k ð ûô Ô&Ð'ò Ùð ûô"¤:×#<Ñ#<¼gÐFò Úð úsK¦ E;³ E/¾>E/Á=E/ÂE/ÂE;Â"FÅ/E8Å4E;Å;F ÆF ÆF2Æ1F2cóp—|syddddddddœ}d}d }d }|d zD]ã}|j«s|dk(rL|rD|j|j««}||sy |tt |«|z«z }d }d }||z }Œd|j «r||z }Œz|rE|rC|j|j««}|€y |tt |«|z«z }d }d }ŒÁ|sŒÄ|rŒÇ |tt |«dz«z }d }Œå|dkDr|SdS#t $rYywxYw#t $rYywxYw#t $rYywxYw)zÕParse 'TimeoutStopUSec=1min 30s' / '90s' style values to microseconds. systemd accepts a wide grammar; we cover the common cases (s, ms, min, h) and return None on anything unexpected. Never raises. Nr!ièi@Bi‡“l$'-)ÚusÚmsÚsÚsecÚminÚhÚhrrr”r“ú.)rcrÚlowerrr–rÚisalpha)rnÚunitsÚtotal_usÚtokenÚdigitsÚchÚ multipliers rr»r»™s‚€ñØàØØ ØØØ Øñ €Eð€HØ€EØ €FØC‰iò ˆØ :‰:Œ<˜2 š9Ùà"ŸY™Y u§{¡{£}Ó5 ØÐ%©VÙð Ø¤¤E¨&£M°JÑ$>Ó ?Ñ?HðØØb‰L‰FØ Z‰ZŒ\ØR‰K‰EÙ ™ØŸ™ 5§;¡;£=Ó1ˆJØÐ!Ùð ØœC¤ f£ ° Ñ :Ó;Ñ;ðˆFØ‰EÚ šEð ØœC¤ f£ ° Ñ 9Ó:Ñ:ð‰FðA ðB !’|ˆ8Ð-¨Ð-øô1"ò Úð ûôò Úð ûôò Úð ús6ÁDÂ;DÃ!D(Ä DÄDÄ D%Ä$D%Ä( D5Ä4D5)rrÚreturnr)r)rr*rr×ú Optional[str])r)rr×rØ)r)rr×úDict[str, Any])N)rgrr×rÙ)rˆrr‰rrqr–r×ú Optional[int])rirÙr×r)r²r–r×zOptional[Dict[str, Any]])rnrr×rÚ) Ú__doc__Ú __future__rr¦r\rHrƒr~rZÚpathlibrÚtypingrrrrr Ú__annotations__Ú_nameÚgetattrÚ_valrrr-r7rDrprr¡r¨rÅr»©r¢rúräsÑðòõ"#ãÛ Û ÛÛ ÛÝß,Ó,ð')Ð^Ó(Ø Mò/€EÙ6˜5 $Ó'€DØÑØ).Ð™C ›IÒ&ð/óAó ó Qóô>ZðB!ñ QØðQàðQðð Qð óQóhóBóTôn5.r¢