configd.c revision 3fb330b78c0911247d5eee86f7997a64a9a743e5
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* Copyright (c) 2012, Joyent, Inc. All rights reserved.
*/
#include <assert.h>
#include <door.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <priv.h>
#include <procfs.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdio_ext.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/resource.h>
#include <ucontext.h>
#include <unistd.h>
#include "configd.h"
/*
* This file manages the overall startup and shutdown of configd, as well
* as managing its door thread pool and per-thread datastructures.
*
* 1. Per-thread Datastructures
* -----------------------------
* Each configd thread has an associated thread_info_t which contains its
* current state. A pointer is kept to this in TSD, keyed by thread_info_key.
* The thread_info_ts for all threads in configd are kept on a single global
* list, thread_list. After creation, the state in the thread_info structure
* is only modified by the associated thread, so no locking is needed. A TSD
* destructor removes the thread_info from the global list and frees it at
* pthread_exit() time.
*
* Threads access their per-thread data using thread_self()
*
* The thread_list is protected by thread_lock, a leaf lock.
*
* 2. Door Thread Pool Management
* ------------------------------
* Whenever door_return(3door) returns from the kernel and there are no
* other configd threads waiting for requests, libdoor automatically
* invokes a function registered with door_server_create(), to request a new
* door server thread. The default function just creates a thread that calls
* door_return(3door). Unfortunately, since it can take a while for the new
* thread to *get* to door_return(3door), a stream of requests can cause a
* large number of threads to be created, even though they aren't all needed.
*
* In our callback, new_server_needed(), we limit ourself to two new threads
* at a time -- this logic is handled in reserve_new_thread(). This keeps
* us from creating an absurd number of threads in response to peaking load.
*/
static pthread_key_t thread_info_key;
static pthread_attr_t thread_attr;
int num_started; /* number actually running */
int num_servers; /* number in-progress or running */
static uu_list_pool_t *thread_pool;
static thread_info_t main_thread_info;
static int finished;
static pid_t privileged_pid = 0;
static int privileged_psinfo_fd = -1;
static int privileged_user = 0;
static priv_set_t *privileged_privs;
static int log_to_syslog = 0;
int is_main_repository = 1;
int max_repository_backups = 4;
#define CONFIGD_MAX_FDS 262144
const char *
_umem_options_init(void)
{
/*
* Like svc.startd, we set our UMEM_OPTIONS to indicate that we do not
* wish to have per-CPU magazines to reduce our memory footprint. And
* scalability problem, there are deeper issues...
*/
return ("nomagazines"); /* UMEM_OPTIONS setting */
}
/*
* Thanks, Mike
*/
void
{
(void) printstack(2);
(void) setcontext(ucp);
}
/*
* Don't want to have more than a couple thread creates outstanding
*/
static int
reserve_new_thread(void)
{
(void) pthread_mutex_lock(&thread_lock);
assert(num_started >= 0);
(void) pthread_mutex_unlock(&thread_lock);
return (0);
}
++num_servers;
(void) pthread_mutex_unlock(&thread_lock);
return (1);
}
static void
{
}
static void
thread_exiting(void *arg)
{
(void) pthread_mutex_lock(&thread_lock);
num_started--;
}
assert(num_servers > 0);
--num_servers;
if (num_servers == 0) {
configd_critical("no door server threads\n");
abort();
}
(void) pthread_mutex_unlock(&thread_lock);
}
void
{
}
}
thread_self(void)
{
return (pthread_getspecific(thread_info_key));
}
/*
* get_ucred() returns NULL if it was unable to get the credential
* information.
*/
ucred_t *
get_ucred(void)
{
if (ti->ti_ucred_read)
return (*ret); /* cached value */
if (door_ucred(ret) != 0)
return (NULL);
return (*ret);
}
int
{
const priv_set_t *ps;
if (priv_isfullset(ps))
return (1); /* process has all privs */
if (privileged_privs != NULL &&
return (1); /* process has zone privs */
}
return (0);
}
/*
* The purpose of this function is to get the audit session data for use in
* generating SMF audit events. We use a single audit session per client.
*
* get_audit_session() may return NULL. It is legal to use a NULL pointer
* in subsequent calls to adt_* functions.
*/
get_audit_session(void)
{
}
static void *
thread_start(void *arg)
{
(void) pthread_mutex_lock(&thread_lock);
num_started++;
ti);
(void) pthread_mutex_unlock(&thread_lock);
/*
* Start handling door calls
*/
return (arg);
}
static void
{
if (!reserve_new_thread())
return;
goto fail;
goto fail;
(void) sigfillset(&new);
ti)) != 0) {
goto fail;
}
return;
fail:
/*
* Since the thread_info structure was never linked onto the
* thread list, thread_exiting() can't handle the cleanup.
*/
}
int
{
int flags;
int privileged = 0;
uint32_t debugflags = 0;
if (privileged_pid != 0) {
/*
* in privileged pid mode, we only allow connections from
* our original parent -- the psinfo read verifies that
* it is the same process which we started with.
*/
sizeof (info))
return (REPOSITORY_DOOR_FAIL_PERMISSION_DENIED);
} else if (privileged_user != 0) {
/*
* in privileged user mode, only one particular user is
* allowed to connect to us, and he can do anything.
*/
return (REPOSITORY_DOOR_FAIL_PERMISSION_DENIED);
privileged = 1;
}
/*
* Check that rp, of size rp_size, is large enough to
* contain field 'f'. If so, write the value into *out, and return 1.
* Otherwise, return 0.
*/
return (REPOSITORY_DOOR_FAIL_BAD_REQUEST);
#endif
if (flags & ~REPOSITORY_DOOR_FLAG_ALL)
return (REPOSITORY_DOOR_FAIL_BAD_FLAG);
if (flags & REPOSITORY_DOOR_FLAG_DEBUG)
return (REPOSITORY_DOOR_FAIL_BAD_REQUEST);
out_fd));
}
void
{
if (log_to_syslog)
else {
}
}
void
{
}
void
configd_critical(const char *message, ...)
{
}
void
configd_info(const char *message, ...)
{
}
static void
{
"usage: %s [-np] [-d door_path] [-r repository_path]\n"
" [-t nonpersist_repository]\n", prog);
}
/*ARGSUSED*/
static void
{
finished = 1;
}
static int pipe_fd = -1;
static int
daemonize_start(void)
{
char data;
int status;
int filedes[2];
(void) close(0);
return (-1);
return (-1);
if (pid != 0) {
/*
* parent
*/
/* presume success */
}
status = -1;
else
_exit(-1);
}
/*
* child
*/
/*
* generic Unix setup
*/
(void) setsid();
(void) umask(0077);
return (0);
}
static void
daemonize_ready(void)
{
char data = '\0';
/*
* wake the parent
*/
}
const char *
{
return (NULL);
if (base[0] == '/')
return (base);
}
return (tmpbuf);
}
int
{
const char *endptr;
int c;
int ret;
int fd;
const char *doorpath = REPOSITORY_DOOR_NAME;
int have_npdb = 1;
"%s: unable to get current directory: %s\n",
}
switch (c) {
case 'n':
daemonize = 0;
break;
case 'd':
have_npdb = 0; /* default to no non-persist */
break;
case 'p':
log_to_syslog = 0; /* don't use syslog */
/*
* If our parent exits while we're opening its /proc
* psinfo, we're vulnerable to a pid wrapping. To
* protect against that, re-check our ppid after
* opening it.
*/
privileged_pid = getppid();
"/proc/%d/psinfo", privileged_pid);
getppid() != privileged_pid) {
"%s: unable to get parent info\n", argv[0]);
}
break;
case 'r':
is_main_repository = 0;
break;
case 't':
is_main_repository = 0;
break;
default:
break;
}
}
/*
* If we're not running as root, allow our euid full access, and
* everyone else no access.
*/
if (privileged_pid == 0 && geteuid() != 0) {
privileged_user = geteuid();
}
}
/*
* if a non-persist db is specified, always enable it
*/
if (npdbpath)
have_npdb = 1;
if (daemonize) {
if (getuid() == 0)
(void) chdir("/");
if (daemonize_start() < 0) {
(void) perror("unable to daemonize");
}
}
if (getuid() == 0)
(void) core_set_process_path(CONFIGD_CORE,
/*
* this should be enabled once we can drop privileges and still get
* a core dump.
*/
#if 0
/* turn off basic privileges we do not need */
#endif
/* not that we can exec, but to be safe, shut them all off... */
/* signals to ignore */
/* signals to abort on */
/* signals to handle */
(void) sigemptyset(&myset);
(void) perror("initializing");
}
/*
* Set the hard and soft limits to CONFIGD_MAX_FDS.
*/
#ifndef NATIVE_BUILD /* Allow building on snv_38 and earlier; remove later. */
#endif
if (!client_init())
if (!rc_node_init())
(void) pthread_attr_setdetachstate(&thread_attr,
thread_exiting)) != 0) {
perror("pthread_key_create");
}
configd_critical("uu_list_pool_create: %s\n",
uu_strerror(uu_error()));
}
configd_critical("uu_list_create: %s\n",
uu_strerror(uu_error()));
}
ti);
(void) door_server_create(new_thread_needed);
if (!setup_main_door(doorpath)) {
configd_critical("Setting up main door failed.\n");
}
if (daemonize)
while (!finished) {
if (sig > 0) {
break;
}
}
backend_fini();
return (CONFIGD_EXIT_OKAY);
}