| blob | f1f99ff74d2258080be8a68cece5edcbaea72c4a |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2011 Gary Mills
23 *
24 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
25 */
27 /*
28 * NOTES: To be expanded.
29 *
30 * The SMF inetd.
31 *
32 * Below are some high level notes of the operation of the SMF inetd. The
33 * notes don't go into any real detail, and the viewer of this file is
34 * encouraged to look at the code and its associated comments to better
35 * understand inetd's operation. This saves the potential for the code
36 * and these notes diverging over time.
37 *
38 * Inetd's major work is done from the context of event_loop(). Within this
39 * loop, inetd polls for events arriving from a number of different file
40 * descriptors, representing the following event types, and initiates
41 * any necessary event processing:
42 * - incoming network connections/datagrams.
43 * - notification of terminated processes (discovered via contract events).
44 * - instance specific events originating from the SMF master restarter.
45 * - stop/refresh requests from the inetd method processes (coming in on a
46 * Unix Domain socket).
47 * There's also a timeout set for the poll, which is set to the nearest
48 * scheduled timer in a timer queue that inetd uses to perform delayed
49 * processing, such as bind retries.
50 * The SIGHUP and SIGINT signals can also interrupt the poll, and will
51 * result in inetd being refreshed or stopped respectively, as was the
52 * behavior with the old inetd.
53 *
54 * Inetd implements a state machine for each instance. The states within the
55 * machine are: offline, online, disabled, maintenance, uninitialized and
56 * specializations of the offline state for when an instance exceeds one of
57 * its DOS limits. The state of an instance can be changed as a
58 * result/side-effect of one of the above events occurring, or inetd being
59 * started up. The ongoing state of an instance is stored in the SMF
60 * repository, as required of SMF restarters. This enables an administrator
61 * to view the state of each instance, and, if inetd was to terminate
62 * unexpectedly, it could use the stored state to re-commence where it left off.
63 *
64 * Within the state machine a number of methods are run (if provided) as part
65 * of a state transition to aid/ effect a change in an instance's state. The
66 * supported methods are: offline, online, disable, refresh and start. The
67 * latter of these is the equivalent of the server program and its arguments
68 * in the old inetd.
69 *
70 * Events from the SMF master restarter come in on a number of threads
71 * created in the registration routine of librestart, the delegated restarter
72 * library. These threads call into the restart_event_proxy() function
73 * when an event arrives. To serialize the processing of instances, these events
74 * are then written down a pipe to the process's main thread, which listens
75 * for these events via a poll call, with the file descriptor of the other
76 * end of the pipe in its read set, and processes the event appropriately.
77 * When the event has been processed (which may be delayed if the instance
78 * for which the event is for is in the process of executing one of its methods
79 * as part of a state transition) it writes an acknowledgement back down the
80 * pipe the event was received on. The thread in restart_event_proxy() that
81 * wrote the event will read the acknowledgement it was blocked upon, and will
82 * then be able to return to its caller, thus implicitly acknowledging the
83 * event, and allowing another event to be written down the pipe for the main
84 * thread to process.
85 */
88 #include <netdb.h>
89 #include <stdio.h>
90 #include <stdio_ext.h>
91 #include <stdlib.h>
92 #include <strings.h>
93 #include <unistd.h>
94 #include <assert.h>
95 #include <sys/types.h>
96 #include <sys/socket.h>
97 #include <netinet/in.h>
98 #include <fcntl.h>
99 #include <signal.h>
100 #include <errno.h>
101 #include <locale.h>
102 #include <syslog.h>
103 #include <libintl.h>
104 #include <librestart.h>
105 #include <pthread.h>
106 #include <sys/stat.h>
107 #include <time.h>
108 #include <limits.h>
109 #include <libgen.h>
110 #include <tcpd.h>
111 #include <libscf.h>
112 #include <libuutil.h>
113 #include <stddef.h>
114 #include <bsm/adt_event.h>
115 #include <ucred.h>
118 /* path to inetd's binary */
121 /*
122 * inetd's default configuration file paths. /etc/inetd/inetd.conf is set
123 * be be the primary file, so it is checked before /etc/inetd.conf.
124 */
128 /* Arguments passed to this binary to request which method to execute. */
133 /* connection backlog for unix domain socket */
134 #define UDS_BACKLOG 2
136 /* number of retries to recv() a request on the UDS socket before giving up */
137 #define UDS_RECV_RETRIES 10
139 /* enumeration of the different ends of a pipe */
141 PE_CONSUMER,
142 PE_PRODUCER
143 };
146 internal_inst_state_t istate;
148 restarter_instance_state_t smf_state;
149 instance_method_t method_running;
153 /*
154 * Collection of information for each state.
155 * NOTE: This table is indexed into using the internal_inst_state_t
156 * enumeration, so the ordering needs to be kept in synch.
157 */
160 IM_NONE},
163 IM_ONLINE},
166 IM_OFFLINE},
169 IM_DISABLE},
171 IM_REFRESH},
176 IM_NONE},
179 };
181 /*
182 * Pipe used to send events from the threads created by restarter_bind_handle()
183 * to the main thread of control.
184 */
186 /*
187 * Used to protect the critical section of code in restarter_event_proxy() that
188 * involves writing an event down the event pipe and reading an acknowledgement.
189 */
192 /* handle used in communication with the master restarter */
195 /* set to indicate a refresh of inetd is requested */
198 /* set by the SIGTERM handler to flag we got a SIGTERM */
201 /*
202 * Timer queue used to store timers for delayed event processing, such as
203 * bind retries.
204 */
207 /*
208 * fd of Unix Domain socket used to communicate stop and refresh requests
209 * to the inetd start method process.
210 */
213 /*
214 * List of inetd's currently managed instances; each containing its state,
215 * and in certain states its configuration.
216 */
220 /* set to indicate we're being stopped */
223 /* TCP wrappers syslog globals. Consumed by libwrap. */
227 /* path of the configuration file being monitored by check_conf_file() */
230 /* Auditing session handle */
233 /* Number of pending connections */
243 static void
247 /*
248 * The following two functions are callbacks that libumem uses to determine
249 * inetd's desired debugging/logging levels. The interface they consume is
250 * exported by FMA and is consolidation private. The comments in the two
251 * functions give the environment variable that will effectively be set to
252 * their returned value, and thus whose behavior for this value, described in
253 * umem_debug(3MALLOC), will be followed.
254 */
258 {
260 }
264 {
266 }
268 static void
270 {
273 fmri);
274 }
276 /*
277 * Returns B_TRUE if the instance is in a suitable state for inetd to stop.
278 */
279 static boolean_t
281 {
286 }
288 /*
289 * Given the instance fmri, obtain the corresonding scf_instance.
290 * Caller is responsible for freeing the returned scf_instance and
291 * its scf_handle.
292 */
293 static int
295 {
303 }
317 }
321 }
323 out:
328 }
331 }
333 /*
334 * Updates the current and next repository states of instance 'inst'. If
335 * any errors occur an error message is output.
336 */
337 static void
340 {
344 scf_error_t sret;
348 /* update the repository/cached internal state */
364 /*
365 * If transitioning to maintenance, check auxiliary_tty set
366 * by svcadm and assign appropriate value to auxiliary_state.
367 * If the maintenance event comes from a service request,
368 * validate auxiliary_fmri and copy it to
369 * restarter/auxiliary_fmri.
370 */
374 else
376 }
390 }
391 }
394 }
396 /* update the repository SMF state */
403 }
405 void
407 restarter_error_t err)
408 {
410 }
412 /*
413 * Sends a refresh event to the inetd start method process and returns
414 * SMF_EXIT_OK if it managed to send it. If it fails to send the request for
415 * some reason it returns SMF_EXIT_ERR_OTHER.
416 */
417 static int
419 {
427 }
429 /* write the request and return success */
436 }
441 }
443 /*
444 * Sends a stop event to the inetd start method process and wait till it goes
445 * away. If inetd is determined to have stopped SMF_EXIT_OK is returned, else
446 * SMF_EXIT_ERR_OTHER is returned.
447 */
448 static int
450 {
454 ssize_t ret;
459 /*
460 * Assume connect_to_inetd() failed because inetd was already
461 * stopped, and return success.
462 */
464 }
466 /*
467 * This is safe to do since we're fired off in a separate process
468 * than inetd and in the case we get wedged, the stop method timeout
469 * will occur and we'd be killed by our restarter.
470 */
473 /* write the stop request to inetd and wait till it goes away */
478 }
480 /* wait until remote end of socket is closed */
482 ;
489 }
492 }
495 /*
496 * This function is called to handle restarter events coming in from the
497 * master restarter. It is registered with the master restarter via
498 * restarter_bind_handle() and simply passes a pointer to the event down
499 * the event pipe, which will be discovered by the poll in the event loop
500 * and processed there. It waits for an acknowledgement to be written back down
501 * the pipe before returning.
502 * Writing a pointer to the function's 'event' parameter down the pipe will
503 * be safe, as the thread in restarter_event_proxy() doesn't return until
504 * the main thread has finished its processing of the passed event, thus
505 * the referenced event will remain around until the function returns.
506 * To impose the limit of only one event being in the pipe and processed
507 * at once, a lock is taken on entry to this function and returned on exit.
508 * Always returns 0.
509 */
510 static int
512 {
513 boolean_t processed;
517 /* write the event to the main worker thread down the pipe */
522 /*
523 * Wait for an acknowledgement that the event has been processed from
524 * the same pipe. In the case that inetd is stopping, any thread in
525 * this function will simply block on this read until inetd eventually
526 * exits. This will result in this function not returning success to
527 * its caller, and the event that was being processed when the
528 * function exited will be re-sent when inetd is next started.
529 */
538 pipe_error:
539 /*
540 * Something's seriously wrong with the event pipe. Notify the
541 * worker thread by closing this end of the event pipe and pause till
542 * inetd exits.
543 */
550 /* NOTREACHED */
551 }
553 /*
554 * Let restarter_event_proxy() know we're finished with the event it's blocked
555 * upon. The 'processed' argument denotes whether we successfully processed the
556 * event.
557 */
558 static void
560 {
561 /*
562 * If safe_write returns -1 something's seriously wrong with the event
563 * pipe, so start the shutdown proceedings.
564 */
568 }
570 /*
571 * Switch the syslog identification string to 'ident'.
572 */
573 static void
575 {
578 }
580 /*
581 * Perform TCP wrappers checks on this instance. Due to the fact that the
582 * current wrappers code used in Solaris is taken untouched from the open
583 * source version, we're stuck with using the daemon name for the checks, as
584 * opposed to making use of instance FMRIs. Sigh.
585 * Returns B_TRUE if the check passed, else B_FALSE.
586 */
587 static boolean_t
589 {
595 /*
596 * Wrap the service using libwrap functions. The code below implements
597 * the functionality of tcpd. This is done only for stream,nowait
598 * services, following the convention of other vendors. udp/dgram and
599 * stream/wait can NOT be wrapped with this libwrap, so be wary of
600 * changing the test below.
601 */
609 /*
610 * Change the syslog message identity to the name of the
611 * daemon being wrapped, as opposed to "inetd".
612 */
636 }
638 /* Revert syslog identity back to "inetd". */
640 }
642 }
644 /*
645 * Handler registered with the timer queue code to remove an instance from
646 * the connection rate offline state when it has been there for its allotted
647 * time.
648 */
649 /* ARGSUSED */
650 static void
652 {
659 }
661 /*
662 * Check whether this instance in the offline state is in transition to
663 * another state and do the work to continue this transition.
664 */
665 void
667 {
674 /*
675 * If inetd is in the process of stopping, we don't want to enter
676 * any states but offline, disabled and maintenance.
677 */
684 /*
685 * Schedule a timer to bring the instance out of the
686 * connection rate offline state.
687 */
690 inst);
693 "won't be brought on line after %d "
696 }
700 }
701 }
702 }
704 /*
705 * Create a socket bound to the instance's configured address. If the
706 * bind fails, returns -1, else the fd of the bound socket.
707 */
708 static int
710 {
724 }
731 }
734 /* set the keepalive option */
742 }
743 }
745 /* restrict socket to IPv6 communications only */
753 }
754 }
762 "Failed to bind to the port of service instance %s, "
766 }
768 /*
769 * Retrieve and store the address bound to for RPC services.
770 */
780 }
785 }
793 }
796 }
798 /*
799 * Handler registered with the timer queue code to retry the creation
800 * of a bound fd.
801 */
802 /* ARGSUSED */
803 static void
805 {
816 #ifndef NDEBUG
819 #endif
821 }
825 }
827 /*
828 * For each of the fds for the given instance that are bound, if 'listen' is
829 * set add them to the poll set, else remove them from it. If proto_name is
830 * not NULL then apply the change only to this specific protocol endpoint.
831 * If any additions fail, returns -1, else 0 on success.
832 */
833 int
835 {
850 }
851 }
852 }
853 }
856 }
858 /*
859 * Handle the case were we either fail to create a bound fd or we fail
860 * to add a bound fd to the poll set for the given instance.
861 */
862 static void
864 {
867 /*
868 * We must be being called as a result of a failed poll_bound_fds()
869 * as a bind retry is already scheduled. Just return and let it do
870 * the work.
871 */
875 /*
876 * Check if the rebind retries limit is operative and if so,
877 * if it has been reached.
878 */
891 /* check if any of the fds are being poll'd upon */
897 }
900 "all protocols for instance %s, "
906 }
909 /*
910 * In the case we failed the 'bind' because set_pollfd()
911 * failed on all bound fds, use the offline handling.
912 */
913 /* FALLTHROUGH */
919 RERR_FAULT);
924 "protocols for instance %s, instance will go to "
926 /*
927 * Set the retries exceeded flag so when the method
928 * completes the instance goes to the degraded state.
929 */
933 #ifndef NDEBUG
937 #endif
939 }
941 /*
942 * bind re-scheduled, so if we're offline reflect this in the
943 * state.
944 */
946 }
947 }
950 /*
951 * Check if two transport protocols for RPC conflict.
952 */
954 boolean_t
962 }
972 }
980 }
988 }
999 }
1008 }
1010 /*
1011 * If the protocol isn't TCP/IP or UDP/IP assume that it has its own
1012 * port namepsace and that conflicts can be detected by literal string
1013 * comparison.
1014 */
1020 }
1023 /*
1024 * Check if inetd thinks this RPC program number is already registered.
1025 *
1026 * An RPC protocol conflict occurs if
1027 * a) the program numbers are the same and,
1028 * b) the version numbers overlap,
1029 * c) the protocols (TCP vs UDP vs tic*) are the same.
1030 */
1032 boolean_t
1060 }
1061 }
1063 }
1066 /*
1067 * Independent of the transport, for each of the entries in the instance's
1068 * proto list this function first attempts to create an associated network fd;
1069 * for RPC services these are then bound to a kernel chosen port and the
1070 * fd is registered with rpcbind; for non-RPC services the fds are bound
1071 * to the port associated with the instance's service name. On any successful
1072 * binds the instance is taken online. Failed binds are handled by
1073 * handle_bind_failure().
1074 */
1075 void
1077 {
1083 /*
1084 * Loop through and try and bind any unbound protos.
1085 */
1094 /*
1095 * We cast pi to a void so we can then go on to cast
1096 * it to a socket_info_t without lint complaining
1097 * about alignment. This is done because the x86
1098 * version of lint thinks a lint suppression directive
1099 * is unnecessary and flags it as such, yet the sparc
1100 * version complains if it's absent.
1101 */
1105 }
1109 }
1113 /*
1114 * Don't register the same RPC program number twice.
1115 * Doing so silently discards the old service
1116 * without causing an error.
1117 */
1124 }
1133 }
1134 }
1137 }
1142 /*
1143 * If we've managed to bind at least one proto lets run the
1144 * online method, so we can start listening for it.
1145 */
1151 /*
1152 * We're 'online', so start polling on any bound fds we're
1153 * currently not.
1154 */
1158 /*
1159 * We've successfully bound and poll'd upon all protos,
1160 * so reset the failure count.
1161 */
1163 }
1166 /*
1167 * Nothing to do here as the method completion code will start
1168 * listening for any successfully bound fds.
1169 */
1172 #ifndef NDEBUG
1175 #endif
1177 }
1181 }
1183 /*
1184 * Counter to create_bound_fds(), for each of the bound network fds this
1185 * function unregisters the instance from rpcbind if it's an RPC service,
1186 * stops listening for new connections for it and then closes the listening fd.
1187 */
1188 static void
1190 {
1202 }
1203 }
1205 /* cancel any bind retries */
1210 }
1212 /*
1213 * Perform %A address expansion and return a pointer to a static string
1214 * array containing crafted arguments. This expansion is provided for
1215 * compatibility with 4.2BSD daemons, and as such we've copied the logic of
1216 * the legacy inetd to maintain this compatibility as much as possible. This
1217 * logic is a bit scatty, but it dates back at least as far as SunOS 4.x.
1218 */
1221 {
1225 /*
1226 * We cast pi to a void so we can then go on to cast it to a
1227 * socket_info_t without lint complaining about alignment. This
1228 * is done because the x86 version of lint thinks a lint suppression
1229 * directive is unnecessary and flags it as such, yet the sparc
1230 * version complains if it's absent.
1231 */
1234 /* set ret[0] to the basename of exec path */
1240 }
1254 }
1257 }
1260 }
1262 /*
1263 * Returns the state associated with the supplied method being run for an
1264 * instance.
1265 */
1266 static internal_inst_state_t
1268 {
1274 }
1278 }
1280 /*
1281 * Store the method's PID and CID in the repository. If the store fails
1282 * we ignore it and just drive on.
1283 */
1284 static void
1286 {
1293 PR_NAME_START_PIDS);
1294 }
1298 PR_NAME_NON_START_PID);
1299 }
1300 }
1301 }
1303 /*
1304 * Remove the method's PID and CID from the repository. If the removal
1305 * fails we ignore it and drive on.
1306 */
1307 void
1309 instance_method_t mthd)
1310 {
1317 PR_NAME_START_PIDS);
1321 PR_NAME_NON_START_PID);
1322 }
1323 }
1327 {
1369 alloc_fail:
1373 }
1375 static void
1377 {
1394 }
1396 /*
1397 * Retrieves the current and next states internal states. Returns 0 on success,
1398 * else returns one of the following on error:
1399 * SCF_ERROR_NO_MEMORY if memory allocation failed.
1400 * SCF_ERROR_CONNECTION_BROKEN if the connection to the repository was broken.
1401 * SCF_ERROR_TYPE_MISMATCH if the property was of an unexpected type.
1402 * SCF_ERROR_NO_RESOURCES if the server doesn't have adequate resources.
1403 * SCF_ERROR_NO_SERVER if the server isn't running.
1404 */
1405 static scf_error_t
1407 {
1408 scf_error_t ret;
1410 /* retrieve internal states */
1420 }
1430 }
1431 }
1433 /* update convenience states */
1437 }
1439 /*
1440 * Retrieve stored process ids and register each of them so we process their
1441 * termination.
1442 */
1443 static int
1445 {
1449 PR_NAME_START_PIDS)) {
1459 }
1470 /*
1471 * The process must have already terminated. Remove
1472 * it from the list.
1473 */
1481 }
1482 }
1484 /* synch the repository pid list to remove any terminated pids */
1488 }
1490 /*
1491 * Remove the passed instance from inetd control.
1492 */
1493 static void
1495 {
1499 /* stop listening for network connections */
1508 }
1510 /* stop listening for terminated methods */
1515 }
1517 /*
1518 * Refresh the configuration of instance 'inst'. This method gets called as
1519 * a result of a refresh event for the instance from the master restarter, so
1520 * we can rely upon the instance's running snapshot having been updated from
1521 * its configuration snapshot.
1522 */
1523 void
1525 {
1532 /*
1533 * Ignore any possible changes, we'll re-read the configuration
1534 * automatically when we exit these states.
1535 */
1549 }
1555 /* Cancel scheduled bind retries. */
1558 /*
1559 * Take the instance to the copies
1560 * offline state, via the offline
1561 * state.
1562 */
1564 RERR_RESTART);
1566 }
1574 /*
1575 * Since we're already in a DOS state,
1576 * don't bother evaluating the copies
1577 * limit. This will be evaluated when
1578 * we leave this state in
1579 * process_offline_inst().
1580 */
1584 /*
1585 * Check if the copies limit has been increased
1586 * above the current count.
1587 */
1590 RERR_RESTART);
1592 }
1597 }
1598 }
1606 /*
1607 * Try to avoid the overhead of taking an instance
1608 * offline and back on again. We do this by limiting
1609 * this behavior to two eventualities:
1610 * - there needs to be a re-bind to listen on behalf
1611 * of the instance with its new configuration. This
1612 * could be because for example its service has been
1613 * associated with a different port, or because the
1614 * v6only protocol option has been newly applied to
1615 * the instance.
1616 * - one or both of the start or online methods of the
1617 * instance have changed in the new configuration.
1618 * Without taking the instance offline when the
1619 * start method changed the instance may be running
1620 * with unwanted parameters (or event an unwanted
1621 * binary); and without taking the instance offline
1622 * if its online method was to change, some part of
1623 * its running environment may have changed and would
1624 * not be picked up until the instance next goes
1625 * offline for another reason.
1626 */
1640 /*
1641 * swap the proto list over from the old
1642 * configuration to the new, so we retain
1643 * our set of network fds.
1644 */
1652 /* re-evaluate copies limits based on new cfg */
1656 NULL);
1658 /*
1659 * Since the instance isn't being
1660 * taken offline, where we assume it
1661 * would pick-up any configuration
1662 * changes automatically when it goes
1663 * back online, run its refresh method
1664 * to allow it to pick-up any changes
1665 * whilst still online.
1666 */
1668 NULL);
1669 }
1670 }
1678 }
1685 }
1686 }
1688 /*
1689 * Called by process_restarter_event() to handle a restarter event for an
1690 * instance.
1691 */
1692 static void
1694 boolean_t send_ack)
1695 {
1698 /*
1699 * When startd restarts, it sends _ADD_INSTANCE to delegated
1700 * restarters for all those services managed by them. We should
1701 * acknowledge this event, as startd's graph needs to be updated
1702 * about the current state of the service, when startd is
1703 * restarting.
1704 * update_state() is ok to be called here, as commands for
1705 * instances in transition are deferred by
1706 * process_restarter_event().
1707 */
1714 /*
1715 * We've got a restart event, so if the instance is online
1716 * in any way initiate taking it offline, and rely upon
1717 * our restarter to send us an online event to bring
1718 * it back online.
1719 */
1725 }
1736 /*
1737 * inetd must be closing down as we wouldn't get this
1738 * event in one of these states from the master
1739 * restarter. Take the instance to the offline resting
1740 * state.
1741 */
1745 IIS_OFFLINE_CONRATE) {
1747 }
1750 }
1752 }
1758 /*
1759 * Dependencies are met, let's take the service online.
1760 * Only try and bind for a wait type service if
1761 * no process is running on its behalf. Otherwise, just
1762 * mark the service online and binding will be attempted
1763 * when the process exits.
1764 */
1770 }
1774 /*
1775 * The instance should be disabled, so run the
1776 * instance's disabled method that will do the work
1777 * to take it there.
1778 */
1784 /*
1785 * The master restarter has requested the instance
1786 * go to maintenance; since we're already offline
1787 * just update the state to the maintenance state.
1788 */
1791 }
1798 /*
1799 * The instance should be disabled. Firstly, as for
1800 * the above dependencies unmet comment, cancel
1801 * the bind retry timer and update the state to
1802 * offline. Then, run the disable method to do the
1803 * work to take the instance from offline to
1804 * disabled.
1805 */
1813 /*
1814 * The master restarter has requested the instance
1815 * be placed in the maintenance state. Cancel the
1816 * outstanding retry timer, and since we're already
1817 * offline, update the state to maintenance.
1818 */
1822 }
1830 /*
1831 * The instance needs to be disabled. Do the same work
1832 * as for the dependencies unmet event below to
1833 * take the instance offline.
1834 */
1836 /*
1837 * Indicate that the offline method is being run
1838 * as part of going to the disabled state, and to
1839 * carry on this transition.
1840 */
1847 /*
1848 * The master restarter has requested the instance be
1849 * placed in the maintenance state. This involves
1850 * firstly taking the service offline, so do the
1851 * same work as for the dependencies unmet event
1852 * below. We set the maintenance_req flag to
1853 * indicate that when we get to the offline state
1854 * we should be placed directly into the maintenance
1855 * state.
1856 */
1858 /* FALLTHROUGH */
1861 /*
1862 * Dependencies have become unmet. Close and
1863 * stop listening on the instance's network file
1864 * descriptor, and run the offline method to do
1865 * any work required to take us to the offline state.
1866 */
1869 }
1878 /*
1879 * Ignore other events until we know whether we're
1880 * enabled or not.
1881 */
1883 }
1885 /*
1886 * We've got an enabled event; make use of the handling in the
1887 * disable case.
1888 */
1889 /* FALLTHROUGH */
1894 /*
1895 * The instance needs enabling. Commence reading its
1896 * configuration and if successful place the instance
1897 * in the offline state and let process_offline_inst()
1898 * take it from there.
1899 */
1904 RERR_RESTART);
1909 RERR_RESTART);
1910 }
1916 /*
1917 * The master restarter has requested the instance be
1918 * placed in the maintenance state, so just update its
1919 * state to maintenance.
1920 */
1923 }
1930 /*
1931 * The master restarter has requested that the instance
1932 * be taken out of maintenance. Read its configuration,
1933 * and if successful place the instance in the offline
1934 * state and call process_offline_inst() to take it
1935 * from there.
1936 */
1941 RERR_RESTART);
1944 boolean_t enabled;
1946 /*
1947 * The configuration was invalid. If the
1948 * service has disabled requested, let's
1949 * just place the instance in disabled even
1950 * though we haven't been able to run its
1951 * disable method, as the slightly incorrect
1952 * state is likely to be less of an issue to
1953 * an administrator than refusing to move an
1954 * instance to disabled. If disable isn't
1955 * requested, re-mark the service's state
1956 * as maintenance, so the administrator can
1957 * see the request was processed.
1958 */
1962 RERR_RESTART);
1966 RERR_FAULT);
1967 }
1968 }
1970 }
1976 /*
1977 * The instance wants disabling. Take the instance
1978 * offline as for the dependencies unmet event above,
1979 * and then from there run the disable method to do
1980 * the work to take the instance to the disabled state.
1981 */
1989 /*
1990 * The master restarter has requested the instance
1991 * be taken to maintenance. Cancel the timer setup
1992 * when we entered this state, and go directly to
1993 * maintenance.
1994 */
1998 }
2004 /*
2005 * The instance wants disabling. Update the state
2006 * to offline, and run the disable method to do the
2007 * work to take it to the disabled state.
2008 */
2015 /*
2016 * The master restarter has requested the instance be
2017 * placed in maintenance. Since it's already offline
2018 * simply update the state.
2019 */
2022 }
2029 }
2031 done:
2034 }
2036 /*
2037 * Tries to read and process an event from the event pipe. If there isn't one
2038 * or an error occurred processing the event it returns -1. Else, if the event
2039 * is for an instance we're not already managing we read its state, add it to
2040 * our list to manage, and if appropriate read its configuration. Whether it's
2041 * new to us or not, we then handle the specific event.
2042 * Returns 0 if an event was read and processed successfully, else -1.
2043 */
2044 static int
2046 {
2049 restarter_event_type_t event_type;
2052 ssize_t sz;
2054 /*
2055 * Try to read an event pointer from the event pipe.
2056 */
2066 /* other end of pipe closed */
2068 /* FALLTHROUGH */
2070 /*
2071 * There's something wrong with the event pipe. Let's
2072 * shutdown and be restarted.
2073 */
2076 }
2078 /*
2079 * Check if we're currently managing the instance which the event
2080 * pertains to. If not, read its complete state and add it to our
2081 * list to manage.
2082 */
2088 }
2097 }
2110 }
2120 }
2125 /*
2126 * Only read configuration for instances that aren't in any of
2127 * the disabled, maintenance or uninitialized states, since
2128 * they'll read it on state exit.
2129 */
2137 RERR_FAULT);
2138 }
2139 }
2140 }
2148 /*
2149 * If the instance is currently running a method, don't process the
2150 * event now, but attach it to the instance for processing when
2151 * the instance finishes its transition.
2152 */
2159 }
2163 fail:
2166 }
2168 /*
2169 * Do the state machine processing associated with the termination of instance
2170 * 'inst''s start method for the 'proto_name' protocol if this parameter is not
2171 * NULL.
2172 */
2173 void
2175 {
2182 /* do any further processing/checks when we exit these states */
2184 }
2190 boolean_t listen;
2196 /*
2197 * A wait type service's start method has exited.
2198 * Check if the method was fired off in this inetd's
2199 * lifetime, or a previous one; if the former,
2200 * re-commence listening on the service's behalf; if
2201 * the latter, mark the service offline and let bind
2202 * attempts commence.
2203 */
2207 /*
2208 * If a bound fd exists, the method was fired
2209 * off during this inetd's lifetime.
2210 */
2216 }
2217 }
2225 }
2226 }
2228 /*
2229 * Check if a nowait service should be brought back online
2230 * after exceeding its copies limit.
2231 */
2236 }
2237 }
2238 }
2240 /*
2241 * If the instance has a pending event process it and initiate the
2242 * acknowledgement.
2243 */
2244 static void
2246 {
2248 restarter_event_type_t re;
2255 }
2256 }
2258 /*
2259 * Do the state machine processing associated with the termination
2260 * of the specified instance's non-start method with the specified status.
2261 * Once the processing of the termination is done, the function also picks up
2262 * any processing that was blocked on the method running.
2263 */
2264 void
2266 {
2287 }
2293 }
2295 /* non-failure method return */
2298 /*
2299 * An instance method never returned a supported return code.
2300 * We'll assume this means the method succeeded for now whilst
2301 * non-GL-cognizant methods are used - eg. pkill.
2302 */
2307 }
2309 /*
2310 * Update the state from the in-transition state.
2311 */
2315 /* FALLTHROUGH */
2317 /*
2318 * If we've exhausted the bind retries, flag that by setting
2319 * the instance's state to degraded.
2320 */
2324 }
2325 /* FALLTHROUGH */
2329 RERR_NONE);
2330 }
2334 /*
2335 * This instance was found during refresh to need
2336 * taking offline because its newly read configuration
2337 * was sufficiently different. Now we're offline,
2338 * activate this new configuration.
2339 */
2343 }
2345 /* continue/complete any transitions that are in progress */
2349 /*
2350 * We've just successfully executed the online method. We have
2351 * a set of bound network fds that were created before running
2352 * this method, so now we're online start listening for
2353 * connections on them.
2354 */
2357 }
2359 /*
2360 * If we're now out of transition (process_offline_inst() could have
2361 * fired off another method), carry out any jobs that were blocked by
2362 * us being in transition.
2363 */
2367 /*
2368 * inetd is stopping, and this instance hasn't
2369 * been stopped. Inject a stop event.
2370 */
2373 }
2376 }
2377 }
2378 }
2380 /*
2381 * Check if configuration file specified is readable. If not return B_FALSE,
2382 * else return B_TRUE.
2383 */
2384 static boolean_t
2386 {
2400 }
2402 }
2404 }
2406 /*
2407 * Check whether the configuration file has changed contents since inetd
2408 * was last started/refreshed, and if so, log a message indicating that
2409 * inetconv needs to be run.
2410 */
2411 static void
2413 {
2416 scf_error_t ret;
2420 /*
2421 * No explicit config file specified, so see if one of the
2422 * default two are readable, checking the primary one first
2423 * followed by the secondary.
2424 */
2432 }
2437 }
2443 /* modified config file */
2445 "Configuration file %s has been modified since "
2450 /* No message if hash not yet computed */
2454 }
2460 }
2461 }
2463 /*
2464 * Refresh all inetd's managed instances and check the configuration file
2465 * for any updates since inetconv was last run, logging a message if there
2466 * are. We call the SMF refresh function to refresh each instance so that
2467 * the refresh request goes through the framework, and thus results in the
2468 * running snapshot of each instance being updated from the configuration
2469 * snapshot.
2470 */
2471 static void
2473 {
2478 /* call libscf to send refresh requests for all managed instances */
2484 }
2485 }
2487 /*
2488 * Log a message if the configuration file has changed since inetconv
2489 * was last run.
2490 */
2492 }
2494 /*
2495 * Initiate inetd's shutdown.
2496 */
2497 static void
2499 {
2502 /* Block handling signals for stop and refresh */
2506 /* Indicate inetd is coming down */
2509 /* Stop polling on restarter events. */
2512 /* Stop polling for any more stop/refresh requests. */
2515 /*
2516 * Send a stop event to all currently unstopped instances that
2517 * aren't in transition. For those that are in transition, the
2518 * event will get sent when the transition completes.
2519 */
2525 }
2526 }
2528 /*
2529 * Sets up the intra-inetd-process Unix Domain Socket.
2530 * Returns -1 on error, else 0.
2531 */
2532 static int
2534 {
2540 }
2548 /* CONSTCOND */
2557 }
2565 }
2568 }
2570 static void
2572 {
2576 }
2578 /*
2579 * Handle an incoming request on the Unix Domain Socket. Returns -1 if there
2580 * was an error handling the event, else 0.
2581 */
2582 static int
2584 {
2585 uds_request_t req;
2592 uid_t euid;
2601 }
2607 }
2609 /* Check peer credentials before acting on the request */
2617 }
2625 }
2631 }
2635 /* flag the request for event_loop() to process */
2646 }
2649 }
2651 /*
2652 * Perform checks for common exec string errors. We limit the checks to
2653 * whether the file exists, is a regular file, and has at least one execute
2654 * bit set. We leave the core security checks to exec() so as not to duplicate
2655 * and thus incur the associated drawbacks, but hope to catch the common
2656 * errors here.
2657 */
2658 static boolean_t
2661 {
2664 /* check the file exists */
2671 }
2672 }
2674 /*
2675 * Check if the file is a regular file and has at least one execute
2676 * bit set.
2677 */
2687 }
2690 }
2692 static void
2695 {
2700 sigset_t mtset;
2704 /*
2705 * If wrappers checks fail, pretend the method was exec'd and
2706 * failed.
2707 */
2710 }
2712 /*
2713 * Revert the disposition of handled signals and ignored signals to
2714 * their defaults, unblocking any blocked ones as a side effect.
2715 */
2720 /*
2721 * Ensure that other signals are unblocked
2722 */
2726 /*
2727 * Setup exec arguments. Do this before the fd setup below, so our
2728 * logging related file fd doesn't get taken over before we call
2729 * expand_address().
2730 */
2736 }
2738 /* Generate audit trail for start operations */
2751 }
2753 /*
2754 * The inetd_connect audit record consists of:
2755 * Service name
2756 * Execution path
2757 * Remote address and port
2758 * Local port
2759 * Process privileges
2760 */
2776 }
2793 }
2794 }
2803 }
2805 /*
2806 * Set method context before the fd setup below so we can output an
2807 * error message if it fails.
2808 */
2821 "instance %s to a pool due to a system "
2826 }
2831 }
2842 "instance %s to a pool due to invalid "
2848 "instance %s to a pool due to invalid "
2855 }
2858 }
2866 }
2876 "method of instance %s (no passwd or shadow "
2883 }
2887 }
2889 /* let exec() free mthd_ctxt */
2891 /* setup standard fds */
2897 }
2911 }
2914 /* start up logging again to report the error */
2923 /*
2924 * We couldn't exec the start method for a wait type service.
2925 * Eat up data from the endpoint, so that hopefully the
2926 * service's fd won't wake poll up on the next time round
2927 * event_loop(). This behavior is carried over from the old
2928 * inetd, and it seems somewhat arbitrary that it isn't
2929 * also done in the case of fork failures; but I guess
2930 * it assumes an exec failure is less likely to be the result
2931 * of a resource shortage, and is thus not worth retrying.
2932 */
2934 }
2937 }
2939 static restarter_error_t
2941 {
2953 }
2957 /* NOTREACHED */
2958 }
2960 static int
2962 {
2966 /* Carry out process assassination */
2976 }
2977 }
2979 }
2981 /*
2982 * Runs the specified method of the specified service instance.
2983 * If the method was never specified, we handle it the same as if the
2984 * method was called and returned success, carrying on any transition the
2985 * instance may be in the midst of.
2986 * If the method isn't executable in its specified profile or an error occurs
2987 * forking a process to run the method in the function returns -1.
2988 * If a method binary is successfully executed, the function switches the
2989 * instance's cur state to the method's associated 'run' state and the next
2990 * state to the methods associated next state.
2991 * Returns -1 if there's an error before forking, else 0.
2992 */
2993 int
2996 {
2997 pid_t child_pid;
3003 ctid_t cid;
3007 /*
3008 * Don't bother updating the instance's state for the start method
3009 * as there isn't a separate start method state.
3010 */
3017 /*
3018 * If the absent method is IM_OFFLINE, default action needs
3019 * to be taken to avoid lingering processes which can prevent
3020 * the upcoming rebinding from happening.
3021 */
3033 }
3034 }
3036 /* Handle special method tokens, not allowed on start */
3039 /* :true means nothing should be done */
3042 }
3045 /* Carry out contract assassination */
3047 /* ENOENT means we didn't find any contracts */
3056 }
3057 }
3063 }
3064 }
3066 /*
3067 * Get the associated method context before the fork so we can
3068 * modify the instances state if things go wrong.
3069 */
3074 /*
3075 * Perform some basic checks before we fork to limit the possibility
3076 * of exec failures, so we can modify the instance state if necessary.
3077 */
3082 }
3100 /* NOTREACHED */
3108 /*
3109 * Register this method so its termination is noticed and
3110 * the state transition this method participates in is
3111 * continued.
3112 */
3115 /*
3116 * Since we will never find out about the termination
3117 * of this method, if it's a non-start method treat
3118 * is as a failure so we don't block restarter event
3119 * processing on it whilst it languishes in a method
3120 * running state.
3121 */
3127 }
3131 /* do tcp tracing for those nowait instances that request it */
3142 }
3143 }
3147 prefork_failure:
3151 }
3154 /*
3155 * Only place a start method in maintenance if we're sure
3156 * that the failure was non-transient.
3157 */
3161 }
3163 /* treat the failure as if the method ran and failed */
3165 }
3168 }
3170 static int
3172 {
3179 }
3180 }
3182 static int
3184 {
3186 socklen_t size;
3190 tlx_pending_counter = \
3196 tlx_pending_counter = \
3204 }
3207 }
3209 /*
3210 * Handle an incoming connection request for a nowait service.
3211 * This involves accepting the incoming connection on a new fd. Connection
3212 * rate checks are then performed, transitioning the service to the
3213 * conrate offline state if these fail. Otherwise, the service's start method
3214 * is run (performing TCP wrappers checks if applicable as we do), and on
3215 * success concurrent copies checking is done, transitioning the service to the
3216 * copies offline state if this fails.
3217 */
3218 static void
3220 {
3226 /* accept nowait service connections on a new fd */
3228 /*
3229 * Failed accept. Return and allow the event loop to initiate
3230 * another attempt later if the request is still present.
3231 */
3233 }
3235 /*
3236 * Limit connection rate of nowait services. If either conn_rate_max
3237 * or conn_rate_offline are <= 0, no connection rate limit checking
3238 * is done. If the configured rate is exceeded, the instance is taken
3239 * to the connrate_offline state and a timer scheduled to try and
3240 * bring the instance back online after the configured offline time.
3241 */
3253 /* Generate audit record */
3261 /*
3262 * The inetd_ratelimit audit
3263 * record consists of:
3264 * Service name
3265 * Connection rate limit
3266 */
3272 ADT_SUCCESS);
3274 }
3277 "Instance %s has exceeded its configured "
3278 "connection rate, additional connections "
3293 }
3294 }
3295 }
3307 /*
3308 * Limit concurrent connections of nowait services.
3309 */
3311 /* Generate audit record */
3317 /*
3318 * The inetd_copylimit audit record consists of:
3319 * Service name
3320 * Copy limit
3321 */
3328 }
3335 }
3336 }
3338 /*
3339 * Handle an incoming request for a wait type service.
3340 * Failure rate checking is done first, taking the service to the maintenance
3341 * state if the checks fail. Following this, the service's start method is run,
3342 * and on success, we stop listening for new requests for this service.
3343 */
3344 static void
3346 {
3354 /*
3355 * Detect broken servers and transition them to maintenance. If a
3356 * wait type service exits without accepting the connection or
3357 * consuming (reading) the datagram, that service's descriptor will
3358 * select readable again, and inetd will fork another instance of
3359 * the server. If either wait_fail_cnt or wait_fail_interval are <= 0,
3360 * no failure rate detection is done.
3361 */
3373 /* Generate audit record */
3381 /*
3382 * The inetd_failrate audit record
3383 * consists of:
3384 * Service name
3385 * Failure rate
3386 * Interval
3387 * Last two are expressed as k=v pairs
3388 * in the values field.
3389 */
3397 ADT_SUCCESS);
3399 }
3402 "Instance %s has exceeded its configured "
3403 "failure rate, transitioning to "
3412 }
3413 }
3414 }
3421 /*
3422 * Stop listening for connections now we've fired off the
3423 * server for a wait type instance.
3424 */
3426 }
3427 }
3429 /*
3430 * Process any networks requests for each proto for each instance.
3431 */
3432 void
3434 {
3442 /*
3443 * Ignore instances in states that definitely don't have any
3444 * listening fds.
3445 */
3453 }
3466 }
3467 }
3468 }
3469 }
3470 }
3472 /* ARGSUSED0 */
3473 static void
3475 {
3477 }
3479 /* ARGSUSED0 */
3480 static void
3482 {
3484 }
3486 /*
3487 * inetd's major work loop. This function sits in poll waiting for events
3488 * to occur, processing them when they do. The possible events are
3489 * master restarter requests, expired timer queue timers, stop/refresh signal
3490 * requests, contract events indicating process termination, stop/refresh
3491 * requests originating from one of the stop/refresh inetd processes and
3492 * network events.
3493 * The loop is exited when a stop request is received and processed, and
3494 * all the instances have reached a suitable 'stopping' state.
3495 */
3496 static void
3498 {
3507 else
3516 }
3517 }
3524 }
3526 /*
3527 * Process any stop/refresh requests from the Unix Domain
3528 * Socket.
3529 */
3532 ;
3533 }
3535 /*
3536 * Process refresh request. We do this check after the UDS
3537 * event check above, as it would be wasted processing if we
3538 * started refreshing inetd based on a SIGHUP, and then were
3539 * told to shut-down via a UDS event.
3540 */
3545 }
3547 /*
3548 * We were interrupted by a signal. Don't waste any more
3549 * time processing a potentially inaccurate poll return.
3550 */
3554 /*
3555 * Process any instance restarter events.
3556 */
3559 ;
3560 }
3562 /*
3563 * Process any expired timers (bind retry, con-rate offline,
3564 * method timeouts).
3565 */
3570 /*
3571 * If inetd is stopping, check whether all our managed
3572 * instances have been stopped and we can return.
3573 */
3575 check_if_stopped:
3583 }
3584 }
3585 /* if all instances are stopped, return */
3588 }
3591 }
3592 }
3594 static void
3596 {
3603 /*
3604 * We don't bother to undo the restarter interface at all.
3605 * Because of quirks in the interface, there is no way to
3606 * disconnect from the channel and cause any new events to be
3607 * queued. However, any events which are received and not
3608 * acknowledged will be re-sent when inetd restarts as long as inetd
3609 * uses the same subscriber ID, which it does.
3610 *
3611 * By keeping the event pipe open but ignoring it, any events which
3612 * occur will cause restarter_event_proxy to hang without breaking
3613 * anything.
3614 */
3621 NULL)
3624 }
3632 /* Close audit session */
3634 }
3636 static int
3638 {
3652 /* Setup instance list. */
3660 }
3666 }
3668 /*
3669 * Create event pipe to communicate events with the main event
3670 * loop and add it to the event loop's fdset.
3671 */
3675 }
3676 /*
3677 * We only leave the producer end to block on reads/writes as we
3678 * can't afford to block in the main thread, yet need to in
3679 * the restarter event thread, so it can sit and wait for an
3680 * acknowledgement to be written to the pipe.
3681 */
3686 /*
3687 * Register with master restarter for managed service events. This
3688 * will fail, amongst other reasons, if inetd is already running.
3689 */
3697 }
3705 }
3713 /* Initialize auditing session */
3716 }
3718 /*
3719 * Initialize signal dispositions/masks
3720 */
3727 failed:
3730 }
3732 static int
3734 {
3739 /* Create pipe for child to notify parent of initialization success. */
3743 }
3752 /* Wait on child to return success of initialization. */
3759 /*
3760 * Batch all initialization errors as 'other' errors,
3761 * resulting in retries being attempted.
3762 */
3767 }
3769 /*
3770 * Perform initialization and return success code down
3771 * the pipe.
3772 */
3780 }
3785 /*
3786 * Log a message if the configuration file has changed since
3787 * inetconv was last run.
3788 */
3797 }
3798 /* NOTREACHED */
3799 }
3801 /*
3802 * When inetd is run from outside the SMF, this message is output to provide
3803 * the person invoking inetd with further information that will help them
3804 * understand how to start and stop inetd, and to achieve the other
3805 * behaviors achievable with the legacy inetd command line interface, if
3806 * it is possible.
3807 */
3808 static void
3810 {
3812 "inetd is now an smf(5) managed service and can no longer be run "
3830 INETD_PATH);
3831 }
3833 /*
3834 * Usage message printed out for usage errors when running under the SMF.
3835 */
3836 static void
3838 {
3841 }
3843 /*
3844 * Returns B_TRUE if we're being run from within the SMF, else B_FALSE.
3845 */
3846 static boolean_t
3848 {
3851 /*
3852 * check if the instance fmri environment variable has been set by
3853 * our restarter.
3854 */
3857 }
3859 int
3861 {
3865 #if !defined(TEXT_DOMAIN)
3867 #endif
3874 }
3880 /* inetd invocation syntax is inetd [alt_conf_file] method_name */
3894 }
3905 }
3908 }