2 * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2015 Nicira, Inc.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
19 #include "daemon-private.h"
27 #include <sys/resource.h>
34 #include "command-line.h"
35 #include "fatal-signal.h"
38 #include "ovs-thread.h"
40 #include "socket-util.h"
43 #include "openvswitch/vlog.h"
45 VLOG_DEFINE_THIS_MODULE(daemon_unix);
59 /* --detach: Should we run in the background? */
60 bool detach; /* Was --detach specified? */
61 static bool detached; /* Have we already detached? */
63 /* --pidfile: Name of pidfile (null if none). */
66 /* Device and inode of pidfile, so we can avoid reopening it. */
67 static dev_t pidfile_dev;
68 static ino_t pidfile_ino;
70 /* --overwrite-pidfile: Create pidfile even if one already exists and is
72 static bool overwrite_pidfile;
74 /* --no-chdir: Should we chdir to "/"? */
75 static bool chdir_ = true;
77 /* File descriptor used by daemonize_start() and daemonize_complete(). */
78 static int daemonize_fd = -1;
80 /* --monitor: Should a supervisory process monitor the daemon and restart it if
81 * it dies due to an error signal? */
84 /* --user: Only root can use this option. Switch to new uid:gid after
85 * initially running as root. */
86 static bool switch_user = false;
89 static char *user = NULL;
90 static void daemon_become_new_user__(bool access_datapath);
92 static void check_already_running(void);
93 static int lock_pidfile(FILE *, int command);
94 static pid_t fork_and_clean_up(void);
95 static void daemonize_post_detach(void);
97 /* Returns the file name that would be used for a pidfile if 'name' were
98 * provided to set_pidfile(). The caller must free the returned string. */
100 make_pidfile_name(const char *name)
103 ? xasprintf("%s/%s.pid", ovs_rundir(), program_name)
104 : abs_file_name(ovs_rundir(), name));
107 /* Sets that we do not chdir to "/". */
114 /* Normally, daemonize() or damonize_start() will terminate the program with a
115 * message if a locked pidfile already exists. If this function is called, an
116 * existing pidfile will be replaced, with a warning. */
118 ignore_existing_pidfile(void)
120 overwrite_pidfile = true;
123 /* Sets up a following call to daemonize() to detach from the foreground
124 * session, running this process in the background. */
131 /* Sets up a following call to daemonize() to fork a supervisory process to
132 * monitor the daemon and restart it if it dies due to an error signal. */
134 daemon_set_monitor(void)
139 /* If a pidfile has been configured, creates it and stores the running
140 * process's pid in it. Ensures that the pidfile will be deleted when the
145 long int pid = getpid();
151 /* Create a temporary pidfile. */
152 if (overwrite_pidfile) {
153 tmpfile = xasprintf("%s.tmp%ld", pidfile, pid);
154 fatal_signal_add_file_to_unlink(tmpfile);
156 /* Everyone shares the same file which will be treated as a lock. To
157 * avoid some uncomfortable race conditions, we can't set up the fatal
158 * signal unlink until we've acquired it. */
159 tmpfile = xasprintf("%s.tmp", pidfile);
162 file = fopen(tmpfile, "a+");
164 VLOG_FATAL("%s: create failed (%s)", tmpfile, ovs_strerror(errno));
167 error = lock_pidfile(file, F_SETLK);
169 /* Looks like we failed to acquire the lock. Note that, if we failed
170 * for some other reason (and '!overwrite_pidfile'), we will have
171 * left 'tmpfile' as garbage in the file system. */
172 VLOG_FATAL("%s: fcntl(F_SETLK) failed (%s)", tmpfile,
173 ovs_strerror(error));
176 if (!overwrite_pidfile) {
177 /* We acquired the lock. Make sure to clean up on exit, and verify
178 * that we're allowed to create the actual pidfile. */
179 fatal_signal_add_file_to_unlink(tmpfile);
180 check_already_running();
183 if (fstat(fileno(file), &s) == -1) {
184 VLOG_FATAL("%s: fstat failed (%s)", tmpfile, ovs_strerror(errno));
187 if (ftruncate(fileno(file), 0) == -1) {
188 VLOG_FATAL("%s: truncate failed (%s)", tmpfile, ovs_strerror(errno));
191 fprintf(file, "%ld\n", pid);
192 if (fflush(file) == EOF) {
193 VLOG_FATAL("%s: write failed (%s)", tmpfile, ovs_strerror(errno));
196 error = rename(tmpfile, pidfile);
198 /* Due to a race, 'tmpfile' may be owned by a different process, so we
199 * shouldn't delete it on exit. */
200 fatal_signal_remove_file_to_unlink(tmpfile);
203 VLOG_FATAL("failed to rename \"%s\" to \"%s\" (%s)",
204 tmpfile, pidfile, ovs_strerror(errno));
207 /* Ensure that the pidfile will get deleted on exit. */
208 fatal_signal_add_file_to_unlink(pidfile);
212 * We don't close 'file' because its file descriptor must remain open to
214 pidfile_dev = s.st_dev;
215 pidfile_ino = s.st_ino;
219 /* Calls fork() and on success returns its return value. On failure, logs an
220 * error and exits unsuccessfully.
222 * Post-fork, but before returning, this function calls a few other functions
223 * that are generally useful if the child isn't planning to exec a new
226 fork_and_clean_up(void)
230 /* Running in parent process. */
233 /* Running in child process. */
241 * - In the parent, waits for the child to signal that it has completed its
242 * startup sequence. Then stores -1 in '*fdp' and returns the child's
243 * pid in '*child_pid' argument.
245 * - In the child, stores a fd in '*fdp' and returns 0 through '*child_pid'
246 * argument. The caller should pass the fd to fork_notify_startup() after
247 * it finishes its startup sequence.
249 * Returns 0 on success. If something goes wrong and child process was not
250 * able to signal its readiness by calling fork_notify_startup(), then this
251 * function returns -1. However, even in case of failure it still sets child
252 * process id in '*child_pid'. */
254 fork_and_wait_for_startup(int *fdp, pid_t *child_pid)
262 pid = fork_and_clean_up();
264 /* Running in parent process. */
269 if (read_fully(fds[0], &c, 1, &bytes_read) != 0) {
274 retval = waitpid(pid, &status, 0);
275 } while (retval == -1 && errno == EINTR);
278 if (WIFEXITED(status) && WEXITSTATUS(status)) {
279 /* Child exited with an error. Convey the same error
280 * to our parent process as a courtesy. */
281 exit(WEXITSTATUS(status));
283 char *status_msg = process_status_msg(status);
284 VLOG_ERR("fork child died before signaling startup (%s)",
288 } else if (retval < 0) {
289 VLOG_FATAL("waitpid failed (%s)", ovs_strerror(errno));
297 /* Running in child process. */
306 fork_notify_startup(int fd)
309 size_t bytes_written;
312 error = write_fully(fd, "", 1, &bytes_written);
314 VLOG_FATAL("pipe write failed (%s)", ovs_strerror(error));
322 should_restart(int status)
324 if (WIFSIGNALED(status)) {
325 static const int error_signals[] = {
326 /* This list of signals is documented in daemon.man. If you
327 * change the list, update the documentation too. */
328 SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV,
334 for (i = 0; i < ARRAY_SIZE(error_signals); i++) {
335 if (error_signals[i] == WTERMSIG(status)) {
344 monitor_daemon(pid_t daemon_pid)
346 /* XXX Should log daemon's stderr output at startup time. */
350 bool child_ready = true;
352 set_subprogram_name("monitor");
353 status_msg = xstrdup("healthy");
354 last_restart = TIME_MIN;
360 ovs_cmdl_proctitle_set("monitoring pid %lu (%s)",
361 (unsigned long int) daemon_pid, status_msg);
365 retval = waitpid(daemon_pid, &status, 0);
366 } while (retval == -1 && errno == EINTR);
368 VLOG_FATAL("waitpid failed (%s)", ovs_strerror(errno));
372 if (!child_ready || retval == daemon_pid) {
373 char *s = process_status_msg(status);
374 if (should_restart(status)) {
376 status_msg = xasprintf("%d crashes: pid %lu died, %s",
378 (unsigned long int) daemon_pid, s);
381 if (WCOREDUMP(status)) {
382 /* Disable further core dumps to save disk space. */
387 if (setrlimit(RLIMIT_CORE, &r) == -1) {
388 VLOG_WARN("failed to disable core dumps: %s",
389 ovs_strerror(errno));
393 /* Throttle restarts to no more than once every 10 seconds. */
394 if (time(NULL) < last_restart + 10) {
395 VLOG_WARN("%s, waiting until 10 seconds since last "
396 "restart", status_msg);
398 time_t now = time(NULL);
399 time_t wakeup = last_restart + 10;
403 xsleep(wakeup - now);
406 last_restart = time(NULL);
408 VLOG_ERR("%s, restarting", status_msg);
409 child_ready = !fork_and_wait_for_startup(&daemonize_fd,
411 if (child_ready && !daemon_pid) {
412 /* Child process needs to break out of monitoring
417 VLOG_INFO("pid %lu died, %s, exiting",
418 (unsigned long int) daemon_pid, s);
426 /* Running in new daemon process. */
427 ovs_cmdl_proctitle_restore();
428 set_subprogram_name("");
431 /* If daemonization is configured, then starts daemonization, by forking and
432 * returning in the child process. The parent process hangs around until the
433 * child lets it know either that it completed startup successfully (by calling
434 * daemon_complete()) or that it failed to start up (by exiting with a nonzero
437 daemonize_start(bool access_datapath)
439 assert_single_threaded();
443 daemon_become_new_user__(access_datapath);
450 if (fork_and_wait_for_startup(&daemonize_fd, &pid)) {
451 VLOG_FATAL("could not detach from foreground session");
454 /* Running in parent process. */
458 /* Running in daemon or monitor process. */
463 int saved_daemonize_fd = daemonize_fd;
466 if (fork_and_wait_for_startup(&daemonize_fd, &daemon_pid)) {
467 VLOG_FATAL("could not initiate process monitoring");
469 if (daemon_pid > 0) {
470 /* Running in monitor process. */
471 fork_notify_startup(saved_daemonize_fd);
472 close_standard_fds();
473 monitor_daemon(daemon_pid);
475 /* Running in daemon process. */
478 forbid_forking("running in daemon process");
484 /* Make sure that the unixctl commands for vlog get registered in a
485 * daemon, even before the first log message. */
489 /* If daemonization is configured, then this function notifies the parent
490 * process that the child process has completed startup successfully. It also
491 * call daemonize_post_detach().
493 * Calling this function more than once has no additional effect. */
495 daemonize_complete(void)
505 fork_notify_startup(daemonize_fd);
507 daemonize_post_detach();
511 /* If daemonization is configured, then this function does traditional Unix
512 * daemonization behavior: join a new session, chdir to the root (if not
513 * disabled), and close the standard file descriptors.
515 * It only makes sense to call this function as part of an implementation of a
516 * special daemon subprocess. A normal daemon should just call
517 * daemonize_complete(). */
519 daemonize_post_detach(void)
525 close_standard_fds();
533 "\nDaemon options:\n"
534 " --detach run in background as daemon\n"
535 " --no-chdir do not chdir to '/'\n"
536 " --pidfile[=FILE] create pidfile (default: %s/%s.pid)\n"
537 " --overwrite-pidfile with --pidfile, start even if already "
539 ovs_rundir(), program_name);
543 lock_pidfile__(FILE *file, int command, struct flock *lck)
547 lck->l_type = F_WRLCK;
548 lck->l_whence = SEEK_SET;
554 error = fcntl(fileno(file), command, lck) == -1 ? errno : 0;
555 } while (error == EINTR);
560 lock_pidfile(FILE *file, int command)
564 return lock_pidfile__(file, command, &lck);
568 read_pidfile__(const char *pidfile, bool delete_if_stale)
576 if ((pidfile_ino || pidfile_dev)
577 && !stat(pidfile, &s)
578 && s.st_ino == pidfile_ino && s.st_dev == pidfile_dev) {
579 /* It's our own pidfile. We can't afford to open it, because closing
580 * *any* fd for a file that a process has locked also releases all the
581 * locks on that file.
583 * Fortunately, we know the associated pid anyhow: */
587 file = fopen(pidfile, "r+");
589 if (errno == ENOENT && delete_if_stale) {
593 VLOG_WARN("%s: open: %s", pidfile, ovs_strerror(error));
597 error = lock_pidfile__(file, F_GETLK, &lck);
599 VLOG_WARN("%s: fcntl: %s", pidfile, ovs_strerror(error));
602 if (lck.l_type == F_UNLCK) {
603 /* pidfile exists but it isn't locked by anyone. We need to delete it
604 * so that a new pidfile can go in its place. But just calling
605 * unlink(pidfile) makes a nasty race: what if someone else unlinks it
606 * before we do and then replaces it by a valid pidfile? We'd unlink
607 * their valid pidfile. We do a little dance to avoid the race, by
608 * locking the invalid pidfile. Only one process can have the invalid
609 * pidfile locked, and only that process has the right to unlink it. */
610 if (!delete_if_stale) {
612 VLOG_DBG("%s: pid file is stale", pidfile);
617 error = lock_pidfile(file, F_SETLK);
619 /* We lost a race with someone else doing the same thing. */
620 VLOG_WARN("%s: lost race to lock pidfile", pidfile);
624 /* Is the file we have locked still named 'pidfile'? */
625 if (stat(pidfile, &s) || fstat(fileno(file), &s2)
626 || s.st_ino != s2.st_ino || s.st_dev != s2.st_dev) {
627 /* No. We lost a race with someone else who got the lock before
628 * us, deleted the pidfile, and closed it (releasing the lock). */
630 VLOG_WARN("%s: lost race to delete pidfile", pidfile);
634 /* We won the right to delete the stale pidfile. */
635 if (unlink(pidfile)) {
637 VLOG_WARN("%s: failed to delete stale pidfile (%s)",
638 pidfile, ovs_strerror(error));
641 VLOG_DBG("%s: deleted stale pidfile", pidfile);
646 if (!fgets(line, sizeof line, file)) {
649 VLOG_WARN("%s: read: %s", pidfile, ovs_strerror(error));
652 VLOG_WARN("%s: read: unexpected end of file", pidfile);
657 if (lck.l_pid != strtoul(line, NULL, 10)) {
658 /* The process that has the pidfile locked is not the process that
659 * created it. It must be stale, with the process that has it locked
660 * preparing to delete it. */
662 VLOG_WARN("%s: stale pidfile for pid %s being deleted by pid %ld",
663 pidfile, line, (long int) lck.l_pid);
677 /* Opens and reads a PID from 'pidfile'. Returns the positive PID if
678 * successful, otherwise a negative errno value. */
680 read_pidfile(const char *pidfile)
682 return read_pidfile__(pidfile, false);
685 /* Checks whether a process with the given 'pidfile' is already running and,
686 * if so, aborts. If 'pidfile' is stale, deletes it. */
688 check_already_running(void)
690 long int pid = read_pidfile__(pidfile, true);
692 VLOG_FATAL("%s: already running as pid %ld, aborting", pidfile, pid);
693 } else if (pid < 0) {
694 VLOG_FATAL("%s: pidfile check failed (%s), aborting",
695 pidfile, ovs_strerror(-pid));
700 /* stub functions for non-windows platform. */
703 service_start(int *argc OVS_UNUSED, char **argv[] OVS_UNUSED)
713 should_service_stop(void)
720 gid_matches(gid_t expected, gid_t value)
722 return expected == -1 || expected == value;
726 gid_verify(gid_t gid)
732 return (gid_matches(gid, r) &&
733 gid_matches(gid, e));
737 daemon_switch_group(gid_t gid)
739 if ((setgid(gid) == -1) || !gid_verify(gid)) {
740 VLOG_FATAL("%s: fail to switch group to gid as %d, aborting",
746 uid_matches(uid_t expected, uid_t value)
748 return expected == -1 || expected == value;
752 uid_verify(const uid_t uid)
758 return (uid_matches(uid, r) &&
759 uid_matches(uid, e));
763 daemon_switch_user(const uid_t uid, const char *user)
765 if ((setuid(uid) == -1) || !uid_verify(uid)) {
766 VLOG_FATAL("%s: fail to switch user to %s, aborting",
771 /* Use portable Unix APIs to switch uid:gid, when datapath
772 * access is not required. On Linux systems, all capabilities
773 * will be dropped. */
775 daemon_become_new_user_unix(void)
777 /* "Setuid Demystified" by Hao Chen, etc outlines some caveats of
778 * around unix system call setuid() and friends. This implementation
779 * mostly follow the advice given by the paper. The paper is
780 * published in 2002, so things could have changed. */
782 /* Change both real and effective uid and gid will permanently
783 * drop the process' privilege. "Setuid Demystified" suggested
784 * that calling getuid() after each setuid() call to verify they
785 * are actually set, because checking return code alone is not
787 daemon_switch_group(gid);
788 if (user && initgroups(user, gid) == -1) {
789 VLOG_FATAL("%s: fail to add supplementary group gid %d, "
790 "aborting", pidfile, gid);
792 daemon_switch_user(uid, user);
795 /* Linux specific implementation of daemon_become_new_user()
796 * using libcap-ng. */
798 daemon_become_new_user_linux(bool access_datapath OVS_UNUSED)
800 #if defined __linux__ && HAVE_LIBCAPNG
803 ret = capng_get_caps_process();
806 if (capng_have_capabilities(CAPNG_SELECT_CAPS) > CAPNG_NONE) {
807 const capng_type_t cap_sets = CAPNG_EFFECTIVE|CAPNG_PERMITTED;
809 capng_clear(CAPNG_SELECT_BOTH);
811 ret = capng_update(CAPNG_ADD, cap_sets, CAP_IPC_LOCK)
812 || capng_update(CAPNG_ADD, cap_sets, CAP_NET_BIND_SERVICE);
814 if (access_datapath && !ret) {
815 ret = capng_update(CAPNG_ADD, cap_sets, CAP_NET_ADMIN)
816 || capng_update(CAPNG_ADD, cap_sets, CAP_NET_RAW);
824 /* CAPNG_INIT_SUPP_GRP will be a better choice than
825 * CAPNG_DROP_SUPP_GRP. However this enum value is only defined
826 * with libcap-ng higher than version 0.7.4, which is not wildly
827 * available on many Linux distributions yet. Taking a more
828 * conservative approach to make sure OVS behaves consistently.
830 * XXX We may change this for future OVS releases.
832 ret = capng_change_id(uid, gid, CAPNG_DROP_SUPP_GRP
833 | CAPNG_CLEAR_BOUNDING);
837 VLOG_FATAL("%s: libcap-ng fail to switch to user and group "
838 "%d:%d, aborting", pidfile, uid, gid);
844 daemon_become_new_user__(bool access_datapath)
846 /* If vlog file has been created, change its owner to the non-root user
847 * as specifed by the --user option. */
848 vlog_change_owner_unix(uid, gid);
852 daemon_become_new_user_linux(access_datapath);
854 VLOG_FATAL("%s: fail to downgrade user using libcap-ng. "
855 "(libcap-ng is not configured at compile time), "
856 "aborting.", pidfile);
859 daemon_become_new_user_unix();
863 /* Noramlly, user switch is embedded within daemonize_start().
864 * However, there in case the user switch needs to be done
865 * before daemonize_start(), the following API can be used. */
867 daemon_become_new_user(bool access_datapath)
869 assert_single_threaded();
871 daemon_become_new_user__(access_datapath);
872 /* daemonize_start() should not switch user again. */
877 /* Return the maximun suggested buffer size for both getpwname_r()
880 * This size may still not be big enough. in case getpwname_r()
881 * and friends return ERANGE, a larger buffer should be supplied to
882 * retry. (The man page did not specify the max size to stop at, we
883 * will keep trying with doubling the buffer size for each round until
884 * the size wrapps around size_t. */
886 get_sysconf_buffer_size(void)
888 size_t bufsize, pwd_bs = 0, grp_bs = 0;
889 const size_t default_bufsize = 1024;
892 if ((pwd_bs = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) {
894 VLOG_FATAL("%s: Read initial passwordd struct size "
895 "failed (%s), aborting. ", pidfile,
896 ovs_strerror(errno));
900 if ((grp_bs = sysconf(_SC_GETGR_R_SIZE_MAX)) == -1) {
902 VLOG_FATAL("%s: Read initial group struct size "
903 "failed (%s), aborting. ", pidfile,
904 ovs_strerror(errno));
908 bufsize = MAX(pwd_bs, grp_bs);
909 return bufsize ? bufsize : default_bufsize;
912 /* Try to double the size of '*buf', return true
913 * if successful, and '*sizep' will be updated with
914 * the new size. Otherwise, return false. */
916 enlarge_buffer(char **buf, size_t *sizep)
918 size_t newsize = *sizep * 2;
920 if (newsize > *sizep) {
921 *buf = xrealloc(*buf, newsize);
929 /* Parse and sanity check user_spec.
931 * If successful, set global variables 'uid' and 'gid'
932 * with the parsed results. Global variable 'user'
933 * will be pointing to a string that stores the name
934 * of the user to be switched into.
936 * Also set 'switch_to_new_user' to true, The actual
937 * user switching is done as soon as daemonize_start()
938 * is called. I/O access before calling daemonize_start()
939 * will still be with root's credential. */
941 daemon_set_new_user(const char *user_spec)
943 char *pos = strchr(user_spec, ':');
944 size_t init_bufsize, bufsize;
946 init_bufsize = get_sysconf_buffer_size();
950 if (geteuid() || uid) {
951 VLOG_FATAL("%s: only root can use --user option", pidfile);
954 user_spec += strspn(user_spec, " \t\r\n");
955 size_t len = pos ? pos - user_spec : strlen(user_spec);
957 struct passwd pwd, *res;
960 bufsize = init_bufsize;
961 buf = xmalloc(bufsize);
963 user = xmemdup0(user_spec, len);
965 while ((e = getpwnam_r(user, &pwd, buf, bufsize, &res)) == ERANGE) {
966 if (!enlarge_buffer(&buf, &bufsize)) {
972 VLOG_FATAL("%s: Failed to retrive user %s's uid (%s), aborting.",
973 pidfile, user, ovs_strerror(e));
976 /* User name is not specified, use current user. */
977 while ((e = getpwuid_r(uid, &pwd, buf, bufsize, &res)) == ERANGE) {
978 if (!enlarge_buffer(&buf, &bufsize)) {
984 VLOG_FATAL("%s: Failed to retrive current user's name "
985 "(%s), aborting.", pidfile, ovs_strerror(e));
987 user = xstrdup(pwd.pw_name);
995 char *grpstr = pos + 1;
996 grpstr += strspn(grpstr, " \t\r\n");
999 struct group grp, *res;
1001 bufsize = init_bufsize;
1002 buf = xmalloc(bufsize);
1003 while ((e = getgrnam_r(grpstr, &grp, buf, bufsize, &res))
1005 if (!enlarge_buffer(&buf, &bufsize)) {
1011 VLOG_FATAL("%s: Failed to get group entry for %s, "
1012 "(%s), aborting.", pidfile, grpstr,
1016 if (gid != grp.gr_gid) {
1019 for (mem = grp.gr_mem; *mem; ++mem) {
1020 if (!strcmp(*mem, user)) {
1026 VLOG_FATAL("%s: Invalid --user option %s (user %s is "
1027 "not in group %s), aborting.", pidfile,
1028 user_spec, user, grpstr);