== Problem: Define the uid reservation lifecycle == #none Situation: Several processes are engaged in uid reservation, use, or collection. A precise description of the life-cycle for uids will help avoid race conditions between these processes. Thoughts: A state-cell is created in the 'launching_' state. (uid is known, but not yet in use.) The reservation is atomically symlinked to the pre-initialized state-cell. This way, the reservation always starts off in a consistent state. Perhaps, the launch succeeds in dropping privileges: - The reservation can be now be marked 'launch_succeeded'. - 'launch_succeeded' uids can be collected whenever there are no processes running under 'uid'. - However, because permissions were dropped, some other process will need to update the state-cell. Perhaps, the launch fails to drop privileges and exits abnormally or diverges: - Since divergence will be rare, we can speed things up by marking the reservations of known-failed launches as 'launch_failed'. - 'launch_failed' uids can be collected at any time. - Divergent uids will be halted by reboots and their reservations can be collected at system startup. From time to time, a gc step examines reservations. Reservations for '' marked as 'launching_' should be collected if is no longer running. - (How do we handle reboot detection?) Reservations marked as 'launch_succeeded' should be collected marked 'launch_succeeded', 'launch_failed': the gc process may decide to claim the reservation by marking it 'gcing_' gc succeeds: reservation is deleted. gc fails: the reservation will never be touched by rainbow-daemon again. (other collection tools might be applied, but only under controlled circumstances)