1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 * Copyright 2015 Joyent, Inc.
26 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
27 */
28
29 /*
30 * Console support for zones requires a significant infrastructure. The
31 * core pieces are contained in this file, but other portions of note
32 * are in the zlogin(1M) command, the zcons(7D) driver, and in the
33 * devfsadm(1M) misc_link generator.
34 *
35 * Care is taken to make the console behave in an "intuitive" fashion for
36 * administrators. Essentially, we try as much as possible to mimic the
37 * experience of using a system via a tip line and system controller.
38 *
39 * The zone console architecture looks like this:
40 *
41 * Global Zone | Non-Global Zone
42 * .--------------. |
43 * .-----------. | zoneadmd -z | | .--------. .---------.
44 * | zlogin -C | | myzone | | | ttymon | | syslogd |
45 * `-----------' `--------------' | `--------' `---------'
46 * | | | | | | |
47 * User | | | | | V V
48 * - - - - - - - - -|- - - -|- - - -|-|- - - - - - -|- - /dev/zconsole - - -
49 * Kernel V V | | |
50 * [AF_UNIX Socket] | `--------. .-------------'
51 * | | |
52 * | V V
53 * | +-----------+
54 * | | ldterm, |
55 * | | etc. |
56 * | +-----------+
57 * | +-[Anchor]--+
58 * | | ptem |
59 * V +-----------+
60 * +---master---+---slave---+
61 * | |
62 * | zcons driver |
63 * | zonename="myzone" |
64 * +------------------------+
65 *
66 * There are basically two major tasks which the console subsystem in
67 * zoneadmd accomplishes:
68 *
69 * - Setup and teardown of zcons driver instances. One zcons instance
70 * is maintained per zone; we take advantage of the libdevice APIs
71 * to online new instances of zcons as needed. Care is taken to
72 * prune and manage these appropriately; see init_console_dev() and
73 * destroy_console_dev(). The end result is the creation of the
74 * zcons(7D) instance and an open file descriptor to the master side.
75 * zcons instances are associated with zones via their zonename device
76 * property. This the console instance to persist across reboots,
77 * and while the zone is halted.
78 *
79 * - Acting as a server for 'zlogin -C' instances. When zlogin -C is
80 * run, zlogin connects to zoneadmd via unix domain socket. zoneadmd
81 * functions as a two-way proxy for console I/O, relaying user input
82 * to the master side of the console, and relaying output from the
83 * zone to the user.
84 */
85
86 #include <sys/types.h>
87 #include <sys/socket.h>
88 #include <sys/stat.h>
89 #include <sys/termios.h>
90 #include <sys/zcons.h>
91 #include <sys/mkdev.h>
92
93 #include <assert.h>
94 #include <ctype.h>
95 #include <errno.h>
96 #include <fcntl.h>
97 #include <stdarg.h>
98 #include <stdio.h>
99 #include <stdlib.h>
100 #include <strings.h>
101 #include <stropts.h>
102 #include <thread.h>
103 #include <ucred.h>
104 #include <unistd.h>
105 #include <zone.h>
106
107 #include <libdevinfo.h>
108 #include <libdevice.h>
109 #include <libzonecfg.h>
110
111 #include <syslog.h>
112 #include <sys/modctl.h>
113
114 #include "zoneadmd.h"
115
116 #define ZCONSNEX_DEVTREEPATH "/pseudo/zconsnex@1"
117 #define ZCONSNEX_FILEPATH "/devices/pseudo/zconsnex@1"
118
119 #define CONSOLE_SOCKPATH ZONES_TMPDIR "/%s.console_sock"
120
121 #define ZCONS_RETRY 10
122
123 static int serverfd = -1; /* console server unix domain socket fd */
124 char boot_args[BOOTARGS_MAX];
125
126 /*
127 * The eventstream is a simple one-directional flow of messages from the
128 * door server to the console subsystem, implemented with a pipe.
129 * It is used to wake up the console poller when it needs to take action,
130 * message the user, die off, etc.
131 */
132 static int eventstream[2];
133
134 /* flag used to cope with race creating master zcons devlink */
135 static boolean_t master_zcons_failed = B_FALSE;
136 /* flag to track if we've seen a state change when there is no master zcons */
137 static boolean_t state_changed = B_FALSE;
138
139 int
140 eventstream_init()
141 {
142 if (pipe(eventstream) == -1)
143 return (-1);
144 return (0);
145 }
146
147 void
148 eventstream_write(zone_evt_t evt)
149 {
150 (void) write(eventstream[0], &evt, sizeof (evt));
151 }
152
153 static zone_evt_t
154 eventstream_read(void)
155 {
156 zone_evt_t evt = Z_EVT_NULL;
157
158 (void) read(eventstream[1], &evt, sizeof (evt));
159 return (evt);
160 }
161
162 /*
163 * count_console_devs() and its helper count_cb() do a walk of the
164 * subtree of the device tree where zone console nodes are represented.
165 * The goal is to count zone console instances already setup for a zone
166 * with the given name. More than 1 is anomolous, and our caller will
167 * have to deal with that if we find that's the case.
168 *
169 * Note: this algorithm is a linear search of nodes in the zconsnex subtree
170 * of the device tree, and could be a scalability problem, but I don't see
171 * how to avoid it.
172 */
173
174 /*
175 * cb_data is shared by count_cb and destroy_cb for simplicity.
176 */
177 struct cb_data {
178 zlog_t *zlogp;
179 int found;
180 int killed;
181 };
182
183 static int
184 count_cb(di_node_t node, void *arg)
185 {
186 struct cb_data *cb = (struct cb_data *)arg;
187 char *prop_data;
188
189 if (di_prop_lookup_strings(DDI_DEV_T_ANY, node, "zonename",
190 &prop_data) != -1) {
191 assert(prop_data != NULL);
192 if (strcmp(prop_data, zone_name) == 0) {
193 cb->found++;
194 return (DI_WALK_CONTINUE);
195 }
196 }
197 return (DI_WALK_CONTINUE);
198 }
199
200 static int
201 count_console_devs(zlog_t *zlogp)
202 {
203 di_node_t root;
204 struct cb_data cb;
205
206 bzero(&cb, sizeof (cb));
207 cb.zlogp = zlogp;
208
209 if ((root = di_init(ZCONSNEX_DEVTREEPATH, DINFOCPYALL)) ==
210 DI_NODE_NIL) {
211 zerror(zlogp, B_TRUE, "%s failed", "di_init");
212 return (-1);
213 }
214
215 (void) di_walk_node(root, DI_WALK_CLDFIRST, (void *)&cb, count_cb);
216 di_fini(root);
217 return (cb.found);
218 }
219
220 /*
221 * destroy_console_devs() and its helper destroy_cb() tears down any console
222 * instances associated with this zone. If things went very wrong, we
223 * might have more than one console instance hanging around. This routine
224 * hunts down and tries to remove all of them. Of course, if the console
225 * is open, the instance will not detach, which is a potential issue.
226 */
227 static int
228 destroy_cb(di_node_t node, void *arg)
229 {
230 struct cb_data *cb = (struct cb_data *)arg;
231 char *prop_data;
232 char *tmp;
233 char devpath[MAXPATHLEN];
234 devctl_hdl_t hdl;
235
236 if (di_prop_lookup_strings(DDI_DEV_T_ANY, node, "zonename",
237 &prop_data) == -1)
238 return (DI_WALK_CONTINUE);
239
240 assert(prop_data != NULL);
241 if (strcmp(prop_data, zone_name) != 0) {
242 /* this is the console for a different zone */
243 return (DI_WALK_CONTINUE);
244 }
245
246 cb->found++;
247 tmp = di_devfs_path(node);
248 (void) snprintf(devpath, sizeof (devpath), "/devices/%s", tmp);
249 di_devfs_path_free(tmp);
250
251 if ((hdl = devctl_device_acquire(devpath, 0)) == NULL) {
252 zerror(cb->zlogp, B_TRUE, "WARNING: console %s found, "
253 "but it could not be controlled.", devpath);
254 return (DI_WALK_CONTINUE);
255 }
256 if (devctl_device_remove(hdl) == 0) {
257 cb->killed++;
258 } else {
259 zerror(cb->zlogp, B_TRUE, "WARNING: console %s found, "
260 "but it could not be removed.", devpath);
261 }
262 devctl_release(hdl);
263 return (DI_WALK_CONTINUE);
264 }
265
266 static int
267 destroy_console_devs(zlog_t *zlogp)
268 {
269 char conspath[MAXPATHLEN];
270 di_node_t root;
271 struct cb_data cb;
272 int masterfd;
273 int slavefd;
274
275 /*
276 * Signal the master side to release its handle on the slave side by
277 * issuing a ZC_RELEASESLAVE ioctl.
278 */
279 (void) snprintf(conspath, sizeof (conspath), "/dev/zcons/%s/%s",
280 zone_name, ZCONS_MASTER_NAME);
281 if ((masterfd = open(conspath, O_RDWR | O_NOCTTY)) != -1) {
282 (void) snprintf(conspath, sizeof (conspath), "/dev/zcons/%s/%s",
283 zone_name, ZCONS_SLAVE_NAME);
284 if ((slavefd = open(conspath, O_RDWR | O_NOCTTY)) != -1) {
285 if (ioctl(masterfd, ZC_RELEASESLAVE,
286 (caddr_t)(intptr_t)slavefd) != 0)
287 zerror(zlogp, B_TRUE, "WARNING: error while "
288 "releasing slave handle of zone console for"
289 " %s", zone_name);
290 (void) close(slavefd);
291 } else {
292 zerror(zlogp, B_TRUE, "WARNING: could not open slave "
293 "side of zone console for %s to release slave "
294 "handle", zone_name);
295 }
296 (void) close(masterfd);
297 } else {
298 zerror(zlogp, B_TRUE, "WARNING: could not open master side of "
299 "zone console for %s to release slave handle", zone_name);
300 }
301
302 bzero(&cb, sizeof (cb));
303 cb.zlogp = zlogp;
304
305 if ((root = di_init(ZCONSNEX_DEVTREEPATH, DINFOCPYALL)) ==
306 DI_NODE_NIL) {
307 zerror(zlogp, B_TRUE, "%s failed", "di_init");
308 return (-1);
309 }
310
311 (void) di_walk_node(root, DI_WALK_CLDFIRST, (void *)&cb, destroy_cb);
312 if (cb.found > 1) {
313 zerror(zlogp, B_FALSE, "WARNING: multiple zone console "
314 "instances detected for zone '%s'; %d of %d "
315 "successfully removed.",
316 zone_name, cb.killed, cb.found);
317 }
318
319 di_fini(root);
320 return (0);
321 }
322
323 /*
324 * init_console_dev() drives the device-tree configuration of the zone
325 * console device. The general strategy is to use the libdevice (devctl)
326 * interfaces to instantiate a new zone console node. We do a lot of
327 * sanity checking, and are careful to reuse a console if one exists.
328 *
329 * Once the device is in the device tree, we kick devfsadm via di_devlink_init()
330 * to ensure that the appropriate symlinks (to the master and slave console
331 * devices) are placed in /dev in the global zone.
332 */
333 static int
334 init_console_dev(zlog_t *zlogp)
335 {
336 char conspath[MAXPATHLEN];
337 devctl_hdl_t bus_hdl = NULL;
338 devctl_hdl_t dev_hdl = NULL;
339 devctl_ddef_t ddef_hdl = NULL;
340 di_devlink_handle_t dl = NULL;
341 int rv = -1;
342 int ndevs;
343 int masterfd;
344 int slavefd;
345 int i;
346
347 /*
348 * Don't re-setup console if it is working and ready already; just
349 * skip ahead to making devlinks, which we do for sanity's sake.
350 */
351 ndevs = count_console_devs(zlogp);
352 if (ndevs == 1) {
353 goto devlinks;
354 } else if (ndevs > 1 || ndevs == -1) {
355 /*
356 * For now, this seems like a reasonable but harsh punishment.
357 * If needed, we could try to get clever and delete all but
358 * the console which is pointed at by the current symlink.
359 */
360 if (destroy_console_devs(zlogp) == -1) {
361 goto error;
362 }
363 }
364
365 /*
366 * Time to make the consoles!
367 */
368 if ((bus_hdl = devctl_bus_acquire(ZCONSNEX_FILEPATH, 0)) == NULL) {
369 zerror(zlogp, B_TRUE, "%s failed", "devctl_bus_acquire");
370 goto error;
371 }
372 if ((ddef_hdl = devctl_ddef_alloc("zcons", 0)) == NULL) {
373 zerror(zlogp, B_TRUE, "failed to allocate ddef handle");
374 goto error;
375 }
376 /*
377 * Set three properties on this node; the first is the name of the
378 * zone; the second is a flag which lets pseudo know that it is
379 * OK to automatically allocate an instance # for this device;
380 * the third tells the device framework not to auto-detach this
381 * node-- we need the node to still be there when we ask devfsadmd
382 * to make links, and when we need to open it.
383 */
384 if (devctl_ddef_string(ddef_hdl, "zonename", zone_name) == -1) {
385 zerror(zlogp, B_TRUE, "failed to create zonename property");
386 goto error;
387 }
388 if (devctl_ddef_int(ddef_hdl, "auto-assign-instance", 1) == -1) {
389 zerror(zlogp, B_TRUE, "failed to create auto-assign-instance "
390 "property");
391 goto error;
392 }
393 if (devctl_ddef_int(ddef_hdl, "ddi-no-autodetach", 1) == -1) {
394 zerror(zlogp, B_TRUE, "failed to create ddi-no-auto-detach "
395 "property");
396 goto error;
397 }
398 if (devctl_bus_dev_create(bus_hdl, ddef_hdl, 0, &dev_hdl) == -1) {
399 zerror(zlogp, B_TRUE, "failed to create console node");
400 goto error;
401 }
402
403 devlinks:
404 if ((dl = di_devlink_init("zcons", DI_MAKE_LINK)) != NULL) {
405 (void) di_devlink_fini(&dl);
406 } else {
407 zerror(zlogp, B_TRUE, "failed to create devlinks");
408 goto error;
409 }
410
411 /*
412 * Open the master side of the console and issue the ZC_HOLDSLAVE ioctl,
413 * which will cause the master to retain a reference to the slave.
414 * This prevents ttymon from blowing through the slave's STREAMS anchor.
415 *
416 * In very rare cases the open returns ENOENT if devfs doesn't have
417 * everything setup yet due to heavy zone startup load. Wait for
418 * 1 sec. and retry a few times. Even if we can't setup the zone's
419 * console, we still go ahead and boot the zone.
420 */
421 (void) snprintf(conspath, sizeof (conspath), "/dev/zcons/%s/%s",
422 zone_name, ZCONS_MASTER_NAME);
423 for (i = 0; i < ZCONS_RETRY; i++) {
424 masterfd = open(conspath, O_RDWR | O_NOCTTY);
425 if (masterfd >= 0 || errno != ENOENT)
426 break;
427 (void) sleep(1);
428 }
429 if (masterfd == -1) {
430 zerror(zlogp, B_TRUE, "ERROR: could not open master side of "
431 "zone console for %s to acquire slave handle", zone_name);
432 master_zcons_failed = B_TRUE;
433 }
434
435 (void) snprintf(conspath, sizeof (conspath), "/dev/zcons/%s/%s",
436 zone_name, ZCONS_SLAVE_NAME);
437 for (i = 0; i < ZCONS_RETRY; i++) {
438 slavefd = open(conspath, O_RDWR | O_NOCTTY);
439 if (slavefd >= 0 || errno != ENOENT)
440 break;
441 (void) sleep(1);
442 }
443 if (slavefd == -1)
444 zerror(zlogp, B_TRUE, "ERROR: could not open slave side of zone"
445 " console for %s to acquire slave handle", zone_name);
446
447 /*
448 * This ioctl can occasionally return ENXIO if devfs doesn't have
449 * everything plumbed up yet due to heavy zone startup load. Wait for
450 * 1 sec. and retry a few times before we fail to boot the zone.
451 */
452 if (masterfd != -1 && slavefd != -1) {
453 for (i = 0; i < ZCONS_RETRY; i++) {
454 if (ioctl(masterfd, ZC_HOLDSLAVE,
455 (caddr_t)(intptr_t)slavefd) == 0) {
456 rv = 0;
457 break;
458 } else if (errno != ENXIO) {
459 break;
460 }
461 (void) sleep(1);
462 }
463 if (rv != 0)
464 zerror(zlogp, B_TRUE, "ERROR: error while acquiring "
465 "slave handle of zone console for %s", zone_name);
466 }
467
468 if (slavefd != -1)
469 (void) close(slavefd);
470 if (masterfd != -1)
471 (void) close(masterfd);
472
473 error:
474 if (ddef_hdl)
475 devctl_ddef_free(ddef_hdl);
476 if (bus_hdl)
477 devctl_release(bus_hdl);
478 if (dev_hdl)
479 devctl_release(dev_hdl);
480 return (rv);
481 }
482
483 static int
484 init_console_sock(zlog_t *zlogp)
485 {
486 int servfd;
487 struct sockaddr_un servaddr;
488
489 bzero(&servaddr, sizeof (servaddr));
490 servaddr.sun_family = AF_UNIX;
491 (void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path),
492 CONSOLE_SOCKPATH, zone_name);
493
494 if ((servfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
495 zerror(zlogp, B_TRUE, "console setup: could not create socket");
496 return (-1);
497 }
498 (void) unlink(servaddr.sun_path);
499
500 if (bind(servfd, (struct sockaddr *)&servaddr,
501 sizeof (servaddr)) == -1) {
502 zerror(zlogp, B_TRUE,
503 "console setup: could not bind to socket");
504 goto out;
505 }
506
507 if (listen(servfd, 4) == -1) {
508 zerror(zlogp, B_TRUE,
509 "console setup: could not listen on socket");
510 goto out;
511 }
512 return (servfd);
513
514 out:
515 (void) unlink(servaddr.sun_path);
516 (void) close(servfd);
517 return (-1);
518 }
519
520 static void
521 destroy_console_sock(int servfd)
522 {
523 char path[MAXPATHLEN];
524
525 (void) snprintf(path, sizeof (path), CONSOLE_SOCKPATH, zone_name);
526 (void) unlink(path);
527 (void) shutdown(servfd, SHUT_RDWR);
528 (void) close(servfd);
529 }
530
531 /*
532 * Read the "ident" string from the client's descriptor; this routine also
533 * tolerates being called with pid=NULL, for times when you want to "eat"
534 * the ident string from a client without saving it.
535 */
536 static int
537 get_client_ident(int clifd, pid_t *pid, char *locale, size_t locale_len,
538 int *disconnect)
539 {
540 char buf[BUFSIZ], *bufp;
541 size_t buflen = sizeof (buf);
542 char c = '\0';
543 int i = 0, r;
544 ucred_t *cred = NULL;
545
546 /* "eat up the ident string" case, for simplicity */
547 if (pid == NULL) {
548 assert(locale == NULL && locale_len == 0);
549 while (read(clifd, &c, 1) == 1) {
550 if (c == '\n')
551 return (0);
552 }
553 }
554
555 bzero(buf, sizeof (buf));
556 while ((buflen > 1) && (r = read(clifd, &c, 1)) == 1) {
557 buflen--;
558 if (c == '\n')
559 break;
560
561 buf[i] = c;
562 i++;
563 }
564 if (r == -1)
565 return (-1);
566
567 /*
568 * We've filled the buffer, but still haven't seen \n. Keep eating
569 * until we find it; we don't expect this to happen, but this is
570 * defensive.
571 */
572 if (c != '\n') {
573 while ((r = read(clifd, &c, sizeof (c))) > 0)
574 if (c == '\n')
575 break;
576 }
577
578 if (getpeerucred(clifd, &cred) == 0) {
579 *pid = ucred_getpid((const ucred_t *)cred);
580 ucred_free(cred);
581 } else {
582 return (-1);
583 }
584
585 /*
586 * Parse buffer for message of the form:
587 * IDENT <locale> <disconnect flag>
588 */
589 bufp = buf;
590 if (strncmp(bufp, "IDENT ", 6) != 0)
591 return (-1);
592 bufp += 6;
593 errno = 0;
594
595 while (*bufp != '\0' && isspace(*bufp))
596 bufp++;
597 buflen = strlen(bufp) - 1;
598 *disconnect = atoi(&bufp[buflen]);
599 bufp[buflen - 1] = '\0';
600 (void) strlcpy(locale, bufp, locale_len);
601
602 return (0);
603 }
604
605 static int
606 accept_client(int servfd, pid_t *pid, char *locale, size_t locale_len,
607 int *disconnect)
608 {
609 int connfd;
610 struct sockaddr_un cliaddr;
611 socklen_t clilen;
612
613 clilen = sizeof (cliaddr);
614 connfd = accept(servfd, (struct sockaddr *)&cliaddr, &clilen);
615 if (connfd == -1)
616 return (-1);
617 if (get_client_ident(connfd, pid, locale, locale_len,
618 disconnect) == -1) {
619 (void) shutdown(connfd, SHUT_RDWR);
620 (void) close(connfd);
621 return (-1);
622 }
623 (void) write(connfd, "OK\n", 3);
624 return (connfd);
625 }
626
627 static void
628 reject_client(int servfd, pid_t clientpid)
629 {
630 int connfd;
631 struct sockaddr_un cliaddr;
632 socklen_t clilen;
633 char nak[MAXPATHLEN];
634
635 clilen = sizeof (cliaddr);
636 connfd = accept(servfd, (struct sockaddr *)&cliaddr, &clilen);
637
638 /*
639 * After hear its ident string, tell client to get lost.
640 */
641 if (get_client_ident(connfd, NULL, NULL, 0, NULL) == 0) {
642 (void) snprintf(nak, sizeof (nak), "%lu\n",
643 clientpid);
644 (void) write(connfd, nak, strlen(nak));
645 }
646 (void) shutdown(connfd, SHUT_RDWR);
647 (void) close(connfd);
648 }
649
650 static void
651 event_message(int clifd, char *clilocale, zone_evt_t evt, int dflag)
652 {
653 char *str, *lstr = NULL;
654 char lmsg[BUFSIZ];
655 char outbuf[BUFSIZ];
656
657 if (clifd == -1)
658 return;
659
660 switch (evt) {
661 case Z_EVT_ZONE_BOOTING:
662 if (*boot_args == '\0') {
663 str = "NOTICE: Zone booting up";
664 break;
665 }
666 /*LINTED*/
667 (void) snprintf(lmsg, sizeof (lmsg), localize_msg(clilocale,
668 "NOTICE: Zone booting up with arguments: %s"), boot_args);
669 lstr = lmsg;
670 break;
671 case Z_EVT_ZONE_READIED:
672 str = "NOTICE: Zone readied";
673 break;
674 case Z_EVT_ZONE_HALTED:
675 if (dflag)
676 str = "NOTICE: Zone halted. Disconnecting...";
677 else
678 str = "NOTICE: Zone halted";
679 break;
680 case Z_EVT_ZONE_REBOOTING:
681 if (*boot_args == '\0') {
682 str = "NOTICE: Zone rebooting";
683 break;
684 }
685 /*LINTED*/
686 (void) snprintf(lmsg, sizeof (lmsg), localize_msg(clilocale,
687 "NOTICE: Zone rebooting with arguments: %s"), boot_args);
688 lstr = lmsg;
689 break;
690 case Z_EVT_ZONE_UNINSTALLING:
691 str = "NOTICE: Zone is being uninstalled. Disconnecting...";
692 break;
693 case Z_EVT_ZONE_BOOTFAILED:
694 if (dflag)
695 str = "NOTICE: Zone boot failed. Disconnecting...";
696 else
697 str = "NOTICE: Zone boot failed";
698 break;
699 default:
700 return;
701 }
702
703 if (lstr == NULL)
704 lstr = localize_msg(clilocale, str);
705 (void) snprintf(outbuf, sizeof (outbuf), "\r\n[%s]\r\n", lstr);
706 (void) write(clifd, outbuf, strlen(outbuf));
707 }
708
709 /*
710 * Check to see if the client at the other end of the socket is still
711 * alive; we know it is not if it throws EPIPE at us when we try to write
712 * an otherwise harmless 0-length message to it.
713 */
714 static int
715 test_client(int clifd)
716 {
717 if ((write(clifd, "", 0) == -1) && errno == EPIPE)
718 return (-1);
719 return (0);
720 }
721
722 /*
723 * This routine drives the console I/O loop. It polls for input from the
724 * master side of the console (output to the console), and from the client
725 * (input from the console user). Additionally, it polls on the server fd,
726 * and disconnects any clients that might try to hook up with the zone while
727 * the console is in use.
728 *
729 * When the client first calls us up, it is expected to send a line giving
730 * its "identity"; this consists of the string 'IDENT <pid> <locale>'.
731 * This is so that we can report that the console is busy along with
732 * some diagnostics about who has it busy; the locale is used so that
733 * asynchronous messages about zone state (like the NOTICE: zone halted
734 * messages) can be output in the user's locale.
735 */
736 static void
737 do_console_io(zlog_t *zlogp, int consfd, int servfd)
738 {
739 struct pollfd pollfds[4];
740 char ibuf[BUFSIZ];
741 int cc, ret;
742 int clifd = -1;
743 int pollerr = 0;
744 char clilocale[MAXPATHLEN];
745 pid_t clipid = 0;
746 int disconnect = 0;
747
748 /* console side, watch for read events */
749 pollfds[0].fd = consfd;
750 pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND |
751 POLLPRI | POLLERR | POLLHUP | POLLNVAL;
752
753 /* client side, watch for read events */
754 pollfds[1].fd = clifd;
755 pollfds[1].events = pollfds[0].events;
756
757 /* the server socket; watch for events (new connections) */
758 pollfds[2].fd = servfd;
759 pollfds[2].events = pollfds[0].events;
760
761 /* the eventstram; watch for events (e.g.: zone halted) */
762 pollfds[3].fd = eventstream[1];
763 pollfds[3].events = pollfds[0].events;
764
765 for (;;) {
766 pollfds[0].revents = pollfds[1].revents = 0;
767 pollfds[2].revents = pollfds[3].revents = 0;
768
769 ret = poll(pollfds,
770 sizeof (pollfds) / sizeof (struct pollfd), -1);
771 if (ret == -1 && errno != EINTR) {
772 zerror(zlogp, B_TRUE, "poll failed");
773 /* we are hosed, close connection */
774 break;
775 }
776
777 /* event from console side */
778 if (pollfds[0].revents) {
779 if (pollfds[0].revents &
780 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
781 errno = 0;
782 cc = read(consfd, ibuf, BUFSIZ);
783 if (cc <= 0 && (errno != EINTR) &&
784 (errno != EAGAIN))
785 break;
786 /*
787 * Lose I/O if no one is listening
788 */
789 if (clifd != -1 && cc > 0)
790 (void) write(clifd, ibuf, cc);
791 } else {
792 pollerr = pollfds[0].revents;
793 zerror(zlogp, B_FALSE,
794 "closing connection with (console) "
795 "pollerr %d\n", pollerr);
796 break;
797 }
798 }
799
800 /* event from client side */
801 if (pollfds[1].revents) {
802 if (pollfds[1].revents &
803 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
804 errno = 0;
805 cc = read(clifd, ibuf, BUFSIZ);
806 if (cc <= 0 && (errno != EINTR) &&
807 (errno != EAGAIN))
808 break;
809 (void) write(consfd, ibuf, cc);
810 } else {
811 pollerr = pollfds[1].revents;
812 zerror(zlogp, B_FALSE,
813 "closing connection with (client) "
814 "pollerr %d\n", pollerr);
815 break;
816 }
817 }
818
819 /* event from server socket */
820 if (pollfds[2].revents &&
821 (pollfds[2].revents & (POLLIN | POLLRDNORM))) {
822 if (clifd != -1) {
823 /*
824 * Test the client to see if it is really
825 * still alive. If it has died but we
826 * haven't yet detected that, we might
827 * deny a legitimate connect attempt. If it
828 * is dead, we break out; once we tear down
829 * the old connection, the new connection
830 * will happen.
831 */
832 if (test_client(clifd) == -1) {
833 break;
834 }
835 /* we're already handling a client */
836 reject_client(servfd, clipid);
837
838
839 } else if ((clifd = accept_client(servfd, &clipid,
840 clilocale, sizeof (clilocale),
841 &disconnect)) != -1) {
842 pollfds[1].fd = clifd;
843
844 } else {
845 break;
846 }
847 }
848
849 /*
850 * Watch for events on the eventstream. This is how we get
851 * notified of the zone halting, etc. It provides us a
852 * "wakeup" from poll when important things happen, which
853 * is good.
854 */
855 if (pollfds[3].revents) {
856 int evt = eventstream_read();
857 /*
858 * After we drain out the event, if we aren't servicing
859 * a console client, we hop back out to our caller,
860 * which will check to see if it is time to shutdown
861 * the daemon, or if we should take another console
862 * service lap.
863 */
864 if (clifd == -1) {
865 break;
866 }
867 event_message(clifd, clilocale, evt, disconnect);
868 /*
869 * Special handling for the message that the zone is
870 * uninstalling; we boot the client, then break out
871 * of this function. When we return to the
872 * serve_console loop, we will see that the zone is
873 * in a state < READY, and so zoneadmd will shutdown.
874 */
875 if (evt == Z_EVT_ZONE_UNINSTALLING) {
876 break;
877 }
878 /*
879 * Diconnect if -C and -d options were specified and
880 * zone was halted or failed to boot.
881 */
882 if ((evt == Z_EVT_ZONE_HALTED ||
883 evt == Z_EVT_ZONE_BOOTFAILED) && disconnect) {
884 break;
885 }
886 }
887
888 }
889
890 if (clifd != -1) {
891 (void) shutdown(clifd, SHUT_RDWR);
892 (void) close(clifd);
893 }
894 }
895
896 int
897 init_console(zlog_t *zlogp)
898 {
899 if (init_console_dev(zlogp) == -1) {
900 zerror(zlogp, B_FALSE,
901 "console setup: device initialization failed");
902 }
903
904 if ((serverfd = init_console_sock(zlogp)) == -1) {
905 zerror(zlogp, B_FALSE,
906 "console setup: socket initialization failed");
907 return (-1);
908 }
909 return (0);
910 }
911
912 /*
913 * Maintain a simple flag that tracks if we have seen at least one state
914 * change. This is currently only used to handle the special case where we are
915 * running without a console device, which is what normally drives shutdown.
916 */
917 void
918 zcons_statechanged()
919 {
920 state_changed = B_TRUE;
921 }
922
923 /*
924 * serve_console() is the master loop for driving console I/O. It is also the
925 * routine which is ultimately responsible for "pulling the plug" on zoneadmd
926 * when it realizes that the daemon should shut down.
927 *
928 * The rules for shutdown are: there must be no console client, and the zone
929 * state must be < ready. However, we need to give things a chance to actually
930 * get going when the daemon starts up-- otherwise the daemon would immediately
931 * exit on startup if the zone was in the installed state, so we first drop
932 * into the do_console_io() loop in order to give *something* a chance to
933 * happen.
934 */
935 void
936 serve_console(zlog_t *zlogp)
937 {
938 int masterfd;
939 zone_state_t zstate;
940 char conspath[MAXPATHLEN];
941 static boolean_t cons_warned = B_FALSE;
942
943 (void) snprintf(conspath, sizeof (conspath),
944 "/dev/zcons/%s/%s", zone_name, ZCONS_MASTER_NAME);
945
946 for (;;) {
947 masterfd = open(conspath, O_RDWR|O_NONBLOCK|O_NOCTTY);
948 if (masterfd == -1) {
949 if (master_zcons_failed) {
950 /*
951 * If we don't have a console and the zone is
952 * not shutting down, there may have been a
953 * race/failure with devfs while creating the
954 * console. In this case we want to leave the
955 * zone up, even without a console, so
956 * periodically recheck.
957 */
958 int i;
959
960 /*
961 * In the normal flow of this loop, we use
962 * do_console_io to give things a chance to get
963 * going first. However, in this case we can't
964 * use that, so we have to wait for at least
965 * one state change before checking the state.
966 */
967 for (i = 0; i < 60; i++) {
968 if (state_changed)
969 break;
970 (void) sleep(1);
971 }
972
973 if (i < 60 && zone_get_state(zone_name,
974 &zstate) == Z_OK &&
975 (zstate == ZONE_STATE_READY ||
976 zstate == ZONE_STATE_RUNNING)) {
977 if (!cons_warned) {
978 zerror(zlogp, B_FALSE,
979 "WARNING: missing zone "
980 "console for %s",
981 zone_name);
982 cons_warned = B_TRUE;
983 }
984 (void) sleep(ZCONS_RETRY);
985 continue;
986 }
987 }
988
989 zerror(zlogp, B_TRUE, "failed to open console master");
990 (void) mutex_lock(&lock);
991 goto death;
992 }
993
994 /*
995 * Setting RPROTDIS on the stream means that the control
996 * portion of messages received (which we don't care about)
997 * will be discarded by the stream head. If we allowed such
998 * messages, we wouldn't be able to use read(2), as it fails
999 * (EBADMSG) when a message with a control element is received.
1000 */
1001 if (ioctl(masterfd, I_SRDOPT, RNORM|RPROTDIS) == -1) {
1002 zerror(zlogp, B_TRUE, "failed to set options on "
1003 "console master");
1004 (void) mutex_lock(&lock);
1005 goto death;
1006 }
1007
1008 do_console_io(zlogp, masterfd, serverfd);
1009
1010 /*
1011 * We would prefer not to do this, but hostile zone processes
1012 * can cause the stream to become tainted, and reads will
1013 * fail. So, in case something has gone seriously ill,
1014 * we dismantle the stream and reopen the console when we
1015 * take another lap.
1016 */
1017 (void) close(masterfd);
1018
1019 (void) mutex_lock(&lock);
1020 /*
1021 * We need to set death_throes (see below) atomically with
1022 * respect to noticing that (a) we have no console client and
1023 * (b) the zone is not installed. Otherwise we could get a
1024 * request to boot during this time. Once we set death_throes,
1025 * any incoming door stuff will be turned away.
1026 */
1027 if (zone_get_state(zone_name, &zstate) == Z_OK) {
1028 if (zstate < ZONE_STATE_READY)
1029 goto death;
1030 } else {
1031 zerror(zlogp, B_FALSE,
1032 "unable to determine state of zone");
1033 goto death;
1034 }
1035 /*
1036 * Even if zone_get_state() fails, stay conservative, and
1037 * take another lap.
1038 */
1039 (void) mutex_unlock(&lock);
1040 }
1041
1042 death:
1043 assert(MUTEX_HELD(&lock));
1044 in_death_throes = B_TRUE;
1045 (void) mutex_unlock(&lock);
1046
1047 destroy_console_sock(serverfd);
1048 (void) destroy_console_devs(zlogp);
1049 }