Signals
How Klamm responds to SIGHUP, SIGTERM, and SIGINT — configuration reload, graceful drain, and immediate shutdown.
Klamm runs as a single process. Standard POSIX signals control its lifecycle and its configuration reload semantics.
| Signal | Behaviour |
|---|---|
| SIGHUP | Reload tenants and credentials from config without restart |
| SIGINT / SIGTERM (first) | Drain: stop accepting new connections, wait for in-flight requests |
| SIGINT / SIGTERM (second) | Immediate shutdown |
What reloads, and what does not
SIGHUP reloads the tenant section of the configuration. It applies:
- New or removed tenants
- Added or removed credentials on existing tenants
- Per-tenant limits and allow-list changes
- Topic deletion flag changes
SIGHUP does not reload topology. Changes to listener sets, admin settings,
ACL Admin mode, control-plane tuning, upstream bootstrap, upstream TLS, or
upstream connection limits require a full restart. Authorization changes
happen often and reload in place; topology changes are rare and take a
restart.
Drain semantics
The first SIGTERM or SIGINT:
- Stops accepting new downstream connections.
- Leaves existing authenticated sessions running.
- Continues to service in-flight requests to completion.
- Does not force-close idle sessions.
Operators typically follow the first signal with a timeout, then send a second signal to force shutdown. Deployment platforms (Kubernetes, systemd) use this two-signal pattern natively.
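The two-signal sequence described above, written as a shell function. This is an added example, not part of Klamm's own tooling; the name `drain_then_stop`, the PID argument and the timeout value are assumptions supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example (not Klamm tooling): two-signal shutdown of one process.
# drain_then_stop is a hypothetical helper; PID and timeout come from the caller.
#
# Usage: drain_then_stop PID DRAIN_TIMEOUT_SECONDS
# Returns: 0  process exited on its own during the drain window
#          1  drain window expired, second SIGTERM sent
#          2  process was not running, or could not be signalled
drain_then_stop() {
    local pid="$1" timeout="$2" waited=0

    # Accept only a plain positive PID: 0 and negative values would
    # address whole process groups instead of one process.
    case "$pid" in
        ''|*[!0-9]*|0) return 2 ;;
    esac

    # First SIGTERM: stop accepting new connections, let in-flight
    # requests run to completion.
    kill -TERM "$pid" 2>/dev/null || return 2

    # Poll once per second until the process is gone or the window closes.
    while [ "$waited" -lt "$timeout" ]; do
        kill -0 "$pid" 2>/dev/null || return 0
        sleep 1
        waited=$((waited + 1))
    done
    kill -0 "$pid" 2>/dev/null || return 0

    # Second SIGTERM: immediate shutdown.
    kill -TERM "$pid" 2>/dev/null
    return 1
}
```

A return value of 1 tells the caller that sessions were still open when the window closed, which is worth logging alongside the timeout that was used.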
Operational notes
- Credential reloads propagate atomically. A downstream session that has already authenticated stays bound to its tenant; a credential change affects future connections.
- A tenant removed via SIGHUP loses authentication immediately for new connections. Existing authenticated sessions continue until they disconnect.
- Watch the admin /readyz endpoint during and after a reload: it reflects listener lifecycle, discovered broker health, and broker route allocation.