When using Sentinel's notification script feature to kick off other processes, they inherit the open file descriptors of the sentinel execve-ing it. To prevent port bind issues in the parent (i.e. sentinel) one must manually close open file descriptors, of which it's difficult to determine which. A hacky solution I've been using is to make the notification script a bash script which closes fds 3-255 in the fork before running the process.

Solution is to set FD_CLOEXEC on the file descriptors you open (except the usual 1,2 for stdout/err of course) so that they don't get inherited after execve (see man fcntl 2). As far as I can see, execve only appears in sentinel notification-script execution code in sentinel.c.

Cons: Maybe people might want to have their notification scripts operate on the sentinel's open fds? Can't think of a good reason for this beyond stdin/out/err, though.

Pros: More robust notification-script execution. Still possible to allow stdout fd for output to sentinel log. Less time wasted in scripts brute-force closing inherited fds, as sentinel itself knows what fds should be shared.
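The FD_CLOEXEC approach proposed above, as an added example that is not code from the issue or from the Redis source: a constructed listening socket stands in for the port a daemon keeps open, and `/bin/sh` stands in for the notification script; `child_sees_fd` reports whether the exec'd child still holds the descriptor, so calling it before and after `set_cloexec` shows the inheritance disappearing across execve (the helper names are assumptions for this example).

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark one descriptor close-on-exec, keeping its other FD flags intact. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Listening TCP socket on an ephemeral loopback port: a constructed stand-in
 * for the port a daemon such as sentinel keeps open. */
int open_listener(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1) return -1;
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == -1 || listen(fd, 1) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* fork + execve /bin/sh as a stand-in notification script. The script only
 * tries to dup the inherited descriptor (": >&N"), which fails with EBADF
 * once the fd is gone. Returns 1 if the exec'd child still held fd, 0 if it
 * was closed across execve, -1 on fork/wait error. */
int child_sees_fd(int fd) {
    char cmd[32];
    snprintf(cmd, sizeof cmd, ": >&%d", fd);
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        char *argv[] = {"sh", "-c", cmd, NULL};
        execv("/bin/sh", argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Calling `child_sees_fd(fd)` on the listener returns 1 before `set_cloexec(fd)` and 0 after it, without the script having to close fds 3-255 itself.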

Comment From: yossigo

This has been fixed by #8242.