6 files changed, 43 insertions, 3 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 83a0fea9..c31966b9 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -54,6 +54,7 @@
 #define CONFDB_SERVICE_DEBUG_MICROSECONDS "debug_microseconds"
 #define CONFDB_SERVICE_DEBUG_TO_FILES "debug_to_files"
 #define CONFDB_SERVICE_TIMEOUT "timeout"
+#define CONFDB_SERVICE_FORCE_TIMEOUT "force_timeout"
 #define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries"
 #define CONFDB_SERVICE_FD_LIMIT "fd_limit"
 
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index f4987997..20cd2a28 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -41,6 +41,7 @@ option_strings = {
     'debug_microseconds' : _('Include microseconds in timestamps in debug logs'),
     'debug_to_files' : _('Write debug messages to logfiles'),
     'timeout' : _('Ping timeout before restarting service'),
+    'force_timeout' : _('Timeout between three failed ping checks and forcibly killing the service'),
     'command' : _('Command to start service'),
     'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
     'fd_limit' : _('The number of file descriptors that may be opened by this responder'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 000c7dba..2d3cd858 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -263,6 +263,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
             'services',
             'domains',
             'timeout',
+            'force_timeout',
             'sbus_timeout',
             're_expression',
             'full_name_format',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 155b8efe..7b238ffd 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -16,6 +16,7 @@ fd_limit = int, None, false
 services = list, str, true, nss, pam
 domains = list, str, true
 timeout = int, None, false
+force_timeout = int, None, false
 sbus_timeout = int, None, false
 re_expression = str, None, false
 full_name_format = str, None, false
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index c164d121..efc7dfa9 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -206,6 +206,22 @@
                             </para>
                         </listitem>
                     </varlistentry>
+                    <varlistentry>
+                        <term>force_timeout (integer)</term>
+                        <listitem>
+                            <para>
+                                If a service is not responding to ping checks (see
+                                the <quote>timeout</quote> option), it is first sent
+                                the SIGTERM signal that instructs it to quit gracefully.
+                                If the service does not terminate after <quote>force_timeout</quote>
+                                seconds, the monitor will forcibly shut it down by
+                                sending a SIGKILL signal.
+                            </para>
+                            <para>
+                                Default: 60
+                            </para>
+                        </listitem>
+                    </varlistentry>
                 </variablelist>
             </para>
         </refsect2>
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index a93b2346..cadc27fe 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -59,6 +59,9 @@
 /* ping time cannot be less then once every few seconds or the
  * monitor will get crazy hammering children with messages */
 #define MONITOR_DEF_PING_TIME 10
+/* terminate the child after this interval by default if it
+ * doesn't shutdown on receiving SIGTERM */
+#define MONITOR_DEF_FORCE_TIME 60
 
 /* Special value to leave the Kerberos Replay Cache set to use
  * the libkrb5 defaults
@@ -93,6 +96,7 @@ struct mt_svc {
     pid_t pid;
 
     int ping_time;
+    int kill_time;
 
     bool svc_started;
 
@@ -568,7 +572,7 @@ static int monitor_kill_service (struct mt_svc *svc)
     /* Set up a timer to send SIGKILL if this process
      * doesn't exit within sixty seconds
      */
-    tv = tevent_timeval_current_ofs(60, 0);
+    tv = tevent_timeval_current_ofs(svc->kill_time, 0);
     svc->sigkill_ev = tevent_add_timer(svc->mt_ctx->ev, svc, tv,
                                        mt_svc_sigkill, svc);
 
@@ -936,7 +940,8 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
                          CONFDB_SERVICE_TIMEOUT,
                          MONITOR_DEF_PING_TIME, &svc->ping_time);
     if (ret != EOK) {
-        DEBUG(0,("Failed to start service '%s'\n", svc->name));
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("Failed to get ping timeout for %s\n", svc->name));
         talloc_free(svc);
         return ret;
     }
@@ -946,6 +951,21 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
         svc->ping_time = MONITOR_DEF_PING_TIME;
     }
 
+    ret = confdb_get_int(ctx->cdb, path,
+                         CONFDB_SERVICE_FORCE_TIMEOUT,
+                         MONITOR_DEF_FORCE_TIME, &svc->kill_time);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("Failed to get kill timeout for %s\n", svc->name));
+        talloc_free(svc);
+        return ret;
+    }
+
+    /* 'force_timeout = 0' should be translated to the default */
+    if (svc->kill_time == 0) {
+        svc->kill_time = MONITOR_DEF_FORCE_TIME;
+    }
+
     svc->last_restart = now;
 
     *svc_cfg = svc;
@@ -2072,7 +2092,7 @@ static int monitor_service_init(struct sbus_connection *conn, void *data)
     mini->ctx = ctx;
     mini->conn = conn;
 
-    /* 5 seconds should be plenty */
+    /* 10 seconds should be plenty */
     tv = tevent_timeval_current_ofs(10, 0);
 
     mini->timeout = tevent_add_timer(ctx->ev, mini, tv, init_timeout, mini);