Description
By change chance I discovered that lightningd's shutdown sequence has been changed again in #5577, which seems to partly revert the effects of #4897 and #4959.
#4897 and #4959 where carefully crafted to guarantee that no database write can occur after plugins are shutdown, so that a backup plugin could never miss db_write hook calls.
Most notably e7fe59b moves closing of the database back to the bottom again, breaking that guarantee.
lightning/lightningd/lightningd.c
Lines 1238 to 1251 in 09a9673
In my opinion this makes use of backup.py plugin unsafe (again).
@rustyrussell Why the change?
#5577 mentions an issue, but has no further reference, about:
bookkeeper gets upset that its commands are rejected during shutdown
Seriously?
edit Above issue with the db_write hook also applies in general to other hooks. When plugins are freed during shutdown their hooks are unregistered and one expects that these hooks cannot be called after that (i.e. that lightningd is sufficiently dead), this was the case before e7fe59b. Now some subdaemons are kept alive longer, for example connectd happily accepts incoming connections during the 30s shutdown window. But any plugin that registered the peer_connected hook and maybe would reject the peer, is gone!
This was already discussed in #4883 and so the answer to the title seems (sadly) 'Yes'.
How unsafe is it? I don't know, missing a peer_connected hook doesn't seem very harmful, just ugly and inconsistent. What about other hooks? And why is hsmd still running, will it sign anything?
So far no response from the author of e7fe59b, perhaps @niftynei can help me out what the issues where with bookkeeper before that commit?