zcons.c revision c4567a616165806d1420a481659f5e10a97a1395
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
* Copyright 2012 Joyent, Inc. All rights reserved.
* Copyright 2015 Nexenta Systems, Inc. All rights reserved.
*/
/*
* Console support for zones requires a significant infrastructure. The
* core pieces are contained in this file, but other portions of note
* are in the zlogin(1M) command, the zcons(7D) driver, and in the
* devfsadm(1M) misc_link generator.
*
* Care is taken to make the console behave in an "intuitive" fashion for
* administrators. Essentially, we try as much as possible to mimic the
* experience of using a system via a tip line and system controller.
*
* The zone console architecture looks like this:
*
* Global Zone | Non-Global Zone
* .--------------. |
* .-----------. | zoneadmd -z | | .--------. .---------.
* | zlogin -C | | myzone | | | ttymon | | syslogd |
* `-----------' `--------------' | `--------' `---------'
* | | | | | | |
* User | | | | | V V
* Kernel V V | | |
* [AF_UNIX Socket] | `--------. .-------------'
* | | |
* | V V
* | +-----------+
* | | ldterm, |
* | | etc. |
* | +-----------+
* | +-[Anchor]--+
* | | ptem |
* V +-----------+
* +---master---+---slave---+
* | |
* | zcons driver |
* | zonename="myzone" |
* +------------------------+
*
* There are basically two major tasks which the console subsystem in
* zoneadmd accomplishes:
*
* - Setup and teardown of zcons driver instances. One zcons instance
* is maintained per zone; we take advantage of the libdevice APIs
* to online new instances of zcons as needed. Care is taken to
* prune and manage these appropriately; see init_console_dev() and
* destroy_console_dev(). The end result is the creation of the
* zcons(7D) instance and an open file descriptor to the master side.
* zcons instances are associated with zones via their zonename device
* property. This the console instance to persist across reboots,
* and while the zone is halted.
*
* - Acting as a server for 'zlogin -C' instances. When zlogin -C is
* run, zlogin connects to zoneadmd via unix domain socket. zoneadmd
* functions as a two-way proxy for console I/O, relaying user input
* to the master side of the console, and relaying output from the
* zone to the user.
*/
#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <stropts.h>
#include <thread.h>
#include <ucred.h>
#include <unistd.h>
#include <zone.h>
#include <libdevinfo.h>
#include <libdevice.h>
#include <libzonecfg.h>
#include <syslog.h>
#include "zoneadmd.h"
#define ZCONSNEX_DEVTREEPATH "/pseudo/zconsnex@1"
#define ZCONSNEX_FILEPATH "/devices/pseudo/zconsnex@1"
char boot_args[BOOTARGS_MAX];
char bad_boot_arg[BOOTARGS_MAX];
/*
* The eventstream is a simple one-directional flow of messages from the
* door server to the console subsystem, implemented with a pipe.
* It is used to wake up the console poller when it needs to take action,
* message the user, die off, etc.
*/
static int eventstream[2];
int
{
return (-1);
return (0);
}
void
{
}
static zone_evt_t
eventstream_read(void)
{
return (evt);
}
/*
* count_console_devs() and its helper count_cb() do a walk of the
* subtree of the device tree where zone console nodes are represented.
* The goal is to count zone console instances already setup for a zone
* with the given name. More than 1 is anomolous, and our caller will
* have to deal with that if we find that's the case.
*
* Note: this algorithm is a linear search of nodes in the zconsnex subtree
* of the device tree, and could be a scalability problem, but I don't see
* how to avoid it.
*/
/*
* cb_data is shared by count_cb and destroy_cb for simplicity.
*/
struct cb_data {
int found;
int killed;
};
static int
{
char *prop_data;
&prop_data) != -1) {
return (DI_WALK_CONTINUE);
}
}
return (DI_WALK_CONTINUE);
}
static int
{
DI_NODE_NIL) {
return (-1);
}
}
/*
* destroy_console_devs() and its helper destroy_cb() tears down any console
* instances associated with this zone. If things went very wrong, we
* might have more than one console instance hanging around. This routine
* hunts down and tries to remove all of them. Of course, if the console
* is open, the instance will not detach, which is a potential issue.
*/
static int
{
char *prop_data;
char *tmp;
char devpath[MAXPATHLEN];
&prop_data) == -1)
return (DI_WALK_CONTINUE);
/* this is the console for a different zone */
return (DI_WALK_CONTINUE);
}
"but it could not be controlled.", devpath);
return (DI_WALK_CONTINUE);
}
if (devctl_device_remove(hdl) == 0) {
} else {
"but it could not be removed.", devpath);
}
return (DI_WALK_CONTINUE);
}
static int
{
char conspath[MAXPATHLEN];
int masterfd;
int slavefd;
/*
* Signal the master side to release its handle on the slave side by
* issuing a ZC_RELEASESLAVE ioctl.
*/
"releasing slave handle of zone console for"
" %s", zone_name);
} else {
"side of zone console for %s to release slave "
"handle", zone_name);
}
} else {
"zone console for %s to release slave handle", zone_name);
}
DI_NODE_NIL) {
return (-1);
}
"instances detected for zone '%s'; %d of %d "
"successfully removed.",
}
return (0);
}
/*
* init_console_dev() drives the device-tree configuration of the zone
* console device. The general strategy is to use the libdevice (devctl)
* interfaces to instantiate a new zone console node. We do a lot of
* sanity checking, and are careful to reuse a console if one exists.
*
* Once the device is in the device tree, we kick devfsadm via di_init_devs()
* to ensure that the appropriate symlinks (to the master and slave console
* devices) are placed in /dev in the global zone.
*/
static int
{
char conspath[MAXPATHLEN];
int rv = -1;
int ndevs;
int masterfd;
int slavefd;
int i;
/*
* Don't re-setup console if it is working and ready already; just
* skip ahead to making devlinks, which we do for sanity's sake.
*/
if (ndevs == 1) {
goto devlinks;
/*
* For now, this seems like a reasonable but harsh punishment.
* If needed, we could try to get clever and delete all but
* the console which is pointed at by the current symlink.
*/
goto error;
}
}
/*
* Time to make the consoles!
*/
goto error;
}
goto error;
}
/*
* Set three properties on this node; the first is the name of the
* zone; the second is a flag which lets pseudo know that it is
* OK to automatically allocate an instance # for this device;
* the third tells the device framework not to auto-detach this
* node-- we need the node to still be there when we ask devfsadmd
* to make links, and when we need to open it.
*/
goto error;
}
"property");
goto error;
}
"property");
goto error;
}
goto error;
}
(void) di_devlink_fini(&dl);
} else {
goto error;
}
/*
* Open the master side of the console and issue the ZC_HOLDSLAVE ioctl,
* which will cause the master to retain a reference to the slave.
* This prevents ttymon from blowing through the slave's STREAMS anchor.
*/
"zone console for %s to acquire slave handle", zone_name);
goto error;
}
" console for %s to acquire slave handle", zone_name);
goto error;
}
/*
* This ioctl can occasionally return ENXIO if devfs doesn't have
* everything plumbed up yet due to heavy zone startup load. Wait for
* 1 sec. and retry a few times before we fail to boot the zone.
*/
for (i = 0; i < 5; i++) {
== 0) {
rv = 0;
break;
break;
}
(void) sleep(1);
}
if (rv != 0)
"handle of zone console for %s", zone_name);
if (ddef_hdl)
if (bus_hdl)
if (dev_hdl)
return (rv);
}
static int
{
int servfd;
struct sockaddr_un servaddr;
return (-1);
}
sizeof (servaddr)) == -1) {
"console setup: could not bind to socket");
goto out;
}
"console setup: could not listen on socket");
goto out;
}
return (servfd);
out:
return (-1);
}
static void
{
char path[MAXPATHLEN];
}
/*
* Read the "ident" string from the client's descriptor; this routine also
* tolerates being called with pid=NULL, for times when you want to "eat"
* the ident string from a client without saving it.
*/
static int
int *disconnect)
{
char c = '\0';
int i = 0, r;
/* "eat up the ident string" case, for simplicity */
if (c == '\n')
return (0);
}
}
buflen--;
if (c == '\n')
break;
buf[i] = c;
i++;
}
if (r == -1)
return (-1);
/*
* We've filled the buffer, but still haven't seen \n. Keep eating
* until we find it; we don't expect this to happen, but this is
* defensive.
*/
if (c != '\n') {
if (c == '\n')
break;
}
/*
* Parse buffer for message of the form:
* IDENT <pid> <locale> <disconnect flag>
*/
return (-1);
bufp += 6;
errno = 0;
if (errno != 0)
return (-1);
bufp++;
return (0);
}
static int
int *disconnect)
{
int connfd;
struct sockaddr_un cliaddr;
if (connfd == -1)
return (-1);
disconnect) == -1) {
return (-1);
}
return (connfd);
}
static void
{
int connfd;
struct sockaddr_un cliaddr;
char nak[MAXPATHLEN];
/*
* After hear its ident string, tell client to get lost.
*/
}
}
static void
{
if (clifd == -1)
return;
switch (evt) {
case Z_EVT_ZONE_BOOTING:
if (*boot_args == '\0') {
str = "NOTICE: Zone booting up";
break;
}
/*LINTED*/
"NOTICE: Zone booting up with arguments: %s"), boot_args);
break;
case Z_EVT_ZONE_READIED:
str = "NOTICE: Zone readied";
break;
case Z_EVT_ZONE_HALTED:
if (dflag)
str = "NOTICE: Zone halted. Disconnecting...";
else
str = "NOTICE: Zone halted";
break;
case Z_EVT_ZONE_REBOOTING:
if (*boot_args == '\0') {
str = "NOTICE: Zone rebooting";
break;
}
/*LINTED*/
"NOTICE: Zone rebooting with arguments: %s"), boot_args);
break;
case Z_EVT_ZONE_UNINSTALLING:
str = "NOTICE: Zone is being uninstalled. Disconnecting...";
break;
case Z_EVT_ZONE_BOOTFAILED:
if (dflag)
str = "NOTICE: Zone boot failed. Disconnecting...";
else
str = "NOTICE: Zone boot failed";
break;
case Z_EVT_ZONE_BADARGS:
/*LINTED*/
"WARNING: Ignoring invalid boot arguments: %s"),
break;
default:
return;
}
}
/*
* Check to see if the client at the other end of the socket is still
* alive; we know it is not if it throws EPIPE at us when we try to write
* an otherwise harmless 0-length message to it.
*/
static int
test_client(int clifd)
{
return (-1);
return (0);
}
/*
* This routine drives the console I/O loop. It polls for input from the
* master side of the console (output to the console), and from the client
* (input from the console user). Additionally, it polls on the server fd,
* and disconnects any clients that might try to hook up with the zone while
* the console is in use.
*
* When the client first calls us up, it is expected to send a line giving
* its "identity"; this consists of the string 'IDENT <pid> <locale>'.
* This is so that we can report that the console is busy along with
* some diagnostics about who has it busy; the locale is used so that
* asynchronous messages about zone state (like the NOTICE: zone halted
* messages) can be output in the user's locale.
*/
static void
{
int clifd = -1;
int pollerr = 0;
char clilocale[MAXPATHLEN];
int disconnect = 0;
/* console side, watch for read events */
/* client side, watch for read events */
/* the server socket; watch for events (new connections) */
/* the eventstram; watch for events (e.g.: zone halted) */
for (;;) {
/* we are hosed, close connection */
break;
}
/* event from console side */
errno = 0;
break;
/*
* Lose I/O if no one is listening
*/
} else {
"closing connection with (console) "
"pollerr %d\n", pollerr);
break;
}
}
/* event from client side */
errno = 0;
break;
} else {
"closing connection with (client) "
"pollerr %d\n", pollerr);
break;
}
}
/* event from server socket */
if (clifd != -1) {
/*
* Test the client to see if it is really
* still alive. If it has died but we
* haven't yet detected that, we might
* deny a legitimate connect attempt. If it
* is dead, we break out; once we tear down
* the old connection, the new connection
* will happen.
*/
break;
}
/* we're already handling a client */
&disconnect)) != -1) {
} else {
break;
}
}
/*
* Watch for events on the eventstream. This is how we get
* notified of the zone halting, etc. It provides us a
* "wakeup" from poll when important things happen, which
* is good.
*/
int evt = eventstream_read();
/*
* After we drain out the event, if we aren't servicing
* a console client, we hop back out to our caller,
* which will check to see if it is time to shutdown
* the daemon, or if we should take another console
* service lap.
*/
if (clifd == -1) {
break;
}
/*
* Special handling for the message that the zone is
* uninstalling; we boot the client, then break out
* of this function. When we return to the
* serve_console loop, we will see that the zone is
* in a state < READY, and so zoneadmd will shutdown.
*/
if (evt == Z_EVT_ZONE_UNINSTALLING) {
break;
}
/*
* Diconnect if -C and -d options were specified and
* zone was halted or failed to boot.
*/
if ((evt == Z_EVT_ZONE_HALTED ||
break;
}
}
}
if (clifd != -1) {
}
}
int
{
"console setup: device initialization failed");
return (-1);
}
"console setup: socket initialization failed");
return (-1);
}
return (0);
}
/*
* serve_console() is the master loop for driving console I/O. It is also the
* routine which is ultimately responsible for "pulling the plug" on zoneadmd
* when it realizes that the daemon should shut down.
*
* The rules for shutdown are: there must be no console client, and the zone
* state must be < ready. However, we need to give things a chance to actually
* get going when the daemon starts up-- otherwise the daemon would immediately
* exit on startup if the zone was in the installed state, so we first drop
* into the do_console_io() loop in order to give *something* a chance to
* happen.
*/
void
{
int masterfd;
char conspath[MAXPATHLEN];
for (;;) {
if (masterfd == -1) {
(void) mutex_lock(&lock);
goto death;
}
/*
* Setting RPROTDIS on the stream means that the control
* portion of messages received (which we don't care about)
* will be discarded by the stream head. If we allowed such
* messages, we wouldn't be able to use read(2), as it fails
* (EBADMSG) when a message with a control element is received.
*/
"console master");
(void) mutex_lock(&lock);
goto death;
}
/*
* We would prefer not to do this, but hostile zone processes
* can cause the stream to become tainted, and reads will
* fail. So, in case something has gone seriously ill,
* we dismantle the stream and reopen the console when we
* take another lap.
*/
(void) mutex_lock(&lock);
/*
* We need to set death_throes (see below) atomically with
* respect to noticing that (a) we have no console client and
* (b) the zone is not installed. Otherwise we could get a
* request to boot during this time. Once we set death_throes,
* any incoming door stuff will be turned away.
*/
if (zstate < ZONE_STATE_READY)
goto death;
} else {
"unable to determine state of zone");
goto death;
}
/*
* Even if zone_get_state() fails, stay conservative, and
* take another lap.
*/
(void) mutex_unlock(&lock);
}
(void) mutex_unlock(&lock);
(void) destroy_console_devs(zlogp);
}