5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
25 */
26
27 /*
28 * zoneadmd manages zones; one zoneadmd process is launched for each
29 * non-global zone on the system. This daemon juggles four jobs:
30 *
31 * - Implement setup and teardown of the zone "virtual platform": mount and
32 * unmount filesystems; create and destroy network interfaces; communicate
33 * with devfsadmd to lay out devices for the zone; instantiate the zone
34 * console device; configure process runtime attributes such as resource
35 * controls, pool bindings, fine-grained privileges.
36 *
37 * - Launch the zone's init(1M) process.
38 *
39 * - Implement a door server; clients (like zoneadm) connect to the door
40 * server and request zone state changes. The kernel is also a client of
41 * this door server. A request to halt or reboot the zone which originates
42 * *inside* the zone results in a door upcall from the kernel into zoneadmd.
43 *
44 * One minor problem is that messages emitted by zoneadmd need to be passed
51 * strings, and an exclusion file (zoneadmd.xcl) is used to exclude those
52 * strings which do not need to be translated.
53 *
54 * - Act as a console server for zlogin -C processes; see comments in zcons.c
55 * for more information about the zone console architecture.
56 *
57 * DESIGN NOTES
58 *
59 * Restart:
60 * A chief design constraint of zoneadmd is that it should be restartable in
61 * the case that the administrator kills it off, or it suffers a fatal error,
62 * without the running zone being impacted; this is akin to being able to
63 * reboot the service processor of a server without affecting the OS instance.
64 */
65
66 #include <sys/param.h>
67 #include <sys/mman.h>
68 #include <sys/types.h>
69 #include <sys/stat.h>
70 #include <sys/sysmacros.h>
71
72 #include <bsm/adt.h>
73 #include <bsm/adt_event.h>
74
75 #include <alloca.h>
76 #include <assert.h>
77 #include <errno.h>
78 #include <door.h>
79 #include <fcntl.h>
80 #include <locale.h>
81 #include <signal.h>
82 #include <stdarg.h>
83 #include <stdio.h>
84 #include <stdlib.h>
85 #include <string.h>
86 #include <strings.h>
87 #include <synch.h>
88 #include <syslog.h>
89 #include <thread.h>
90 #include <unistd.h>
91 #include <wait.h>
92 #include <limits.h>
93 #include <zone.h>
94 #include <libbrand.h>
95 #include <sys/brand.h>
96 #include <libcontract.h>
97 #include <libcontract_priv.h>
98 #include <sys/brand.h>
99 #include <sys/contract/process.h>
100 #include <sys/ctfs.h>
101 #include <libdladm.h>
102 #include <sys/dls_mgmt.h>
103 #include <libscf.h>
104
105 #include <libzonecfg.h>
106 #include <zonestat_impl.h>
107 #include "zoneadmd.h"
108
109 static char *progname;
110 char *zone_name; /* zone which we are managing */
111 char pool_name[MAXNAMELEN];
112 char default_brand[MAXNAMELEN];
113 char brand_name[MAXNAMELEN];
114 boolean_t zone_isnative;
115 boolean_t zone_iscluster;
116 boolean_t zone_islabeled;
117 boolean_t shutdown_in_progress;
118 static zoneid_t zone_id;
119 dladm_handle_t dld_handle = NULL;
120
121 static char pre_statechg_hook[2 * MAXPATHLEN];
122 static char post_statechg_hook[2 * MAXPATHLEN];
123 char query_hook[2 * MAXPATHLEN];
124
125 zlog_t logsys;
126
127 mutex_t lock = DEFAULTMUTEX; /* to serialize stuff */
128 mutex_t msglock = DEFAULTMUTEX; /* for calling setlocale() */
129
130 static sema_t scratch_sem; /* for scratch zones */
131
132 static char zone_door_path[MAXPATHLEN];
133 static int zone_door = -1;
134
135 boolean_t in_death_throes = B_FALSE; /* daemon is dying */
136 boolean_t bringup_failure_recovery = B_FALSE; /* ignore certain failures */
137
138 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */
139 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */
140 #endif
141
142 #define DEFAULT_LOCALE "C"
143
144 static const char *
145 z_cmd_name(zone_cmd_t zcmd)
146 {
147 /* This list needs to match the enum in sys/zone.h */
148 static const char *zcmdstr[] = {
149 "ready", "boot", "forceboot", "reboot", "halt",
150 "note_uninstalling", "mount", "forcemount", "unmount",
151 "shutdown"
152 };
153
154 if (zcmd >= sizeof (zcmdstr) / sizeof (*zcmdstr))
155 return ("unknown");
156 else
157 return (zcmdstr[(int)zcmd]);
158 }
159
160 static char *
161 get_execbasename(char *execfullname)
162 {
163 char *last_slash, *execbasename;
240 bp = &(buf[strlen(buf)]);
241 if (use_strerror)
242 (void) snprintf(bp, sizeof (buf) - (bp - buf), ": %s",
243 strerror(saved_errno));
244 if (zlogp == &logsys) {
245 (void) syslog(LOG_ERR, "%s", buf);
246 } else if (zlogp->logfile != NULL) {
247 (void) fprintf(zlogp->logfile, "%s\n", buf);
248 } else {
249 size_t buflen;
250 size_t copylen;
251
252 buflen = snprintf(zlogp->log, zlogp->loglen, "%s\n", buf);
253 copylen = MIN(buflen, zlogp->loglen);
254 zlogp->log += copylen;
255 zlogp->loglen -= copylen;
256 }
257 }
258
259 /*
260 * Emit a warning for any boot arguments which are unrecognized. Since
261 * Solaris boot arguments are getopt(3c) compatible (see kernel(1m)), we
262 * put the arguments into an argv style array, use getopt to process them,
263 * and put the resultant argument string back into outargs.
264 *
265 * During the filtering, we pull out any arguments which are truly "boot"
266 * arguments, leaving only those which are to be passed intact to the
267 * progenitor process. The one we support at the moment is -i, which
268 * indicates to the kernel which program should be launched as 'init'.
269 *
270 * A return of Z_INVAL indicates specifically that the arguments are
271 * not valid; this is a non-fatal error. Except for Z_OK, all other return
272 * values are treated as fatal.
273 */
274 static int
275 filter_bootargs(zlog_t *zlogp, const char *inargs, char *outargs,
276 char *init_file, char *badarg)
277 {
278 int argc = 0, argc_save;
279 int i;
280 int err;
281 char *arg, *lasts, **argv = NULL, **argv_save;
282 char zonecfg_args[BOOTARGS_MAX];
283 char scratchargs[BOOTARGS_MAX], *sargs;
284 char c;
285
286 bzero(outargs, BOOTARGS_MAX);
287 bzero(badarg, BOOTARGS_MAX);
288
289 /*
290 * If the user didn't specify transient boot arguments, check
291 * to see if there were any specified in the zone configuration,
292 * and use them if applicable.
293 */
294 if (inargs == NULL || inargs[0] == '\0') {
295 zone_dochandle_t handle;
296 if ((handle = zonecfg_init_handle()) == NULL) {
297 zerror(zlogp, B_TRUE,
298 "getting zone configuration handle");
299 return (Z_BAD_HANDLE);
300 }
301 err = zonecfg_get_snapshot_handle(zone_name, handle);
302 if (err != Z_OK) {
303 zerror(zlogp, B_FALSE,
304 "invalid configuration snapshot");
305 zonecfg_fini_handle(handle);
306 return (Z_BAD_HANDLE);
307 }
330 return (Z_NOMEM);
331 }
332
333 argv_save = argv;
334 argc_save = argc;
335
336 (void) strlcpy(scratchargs, inargs, sizeof (scratchargs));
337 sargs = scratchargs;
338 i = 0;
339 while ((arg = strtok_r(sargs, " \t", &lasts)) != NULL) {
340 sargs = NULL;
341 if ((argv[i] = strdup(arg)) == NULL) {
342 err = Z_NOMEM;
343 zerror(zlogp, B_FALSE, "memory allocation failed");
344 goto done;
345 }
346 i++;
347 }
348
349 /*
350 * We preserve compatibility with the Solaris system boot behavior,
351 * which allows:
352 *
353 * # reboot kernel/unix -s -m verbose
354 *
355 * In this example, kernel/unix tells the booter what file to
356 * boot. We don't want reboot in a zone to be gratuitously different,
357 * so we silently ignore the boot file, if necessary.
358 */
359 if (argv[0] == NULL)
360 goto done;
361
362 assert(argv[0][0] != ' ');
363 assert(argv[0][0] != '\t');
364
365 if (argv[0][0] != '-' && argv[0][0] != '\0') {
366 argv = &argv[1];
367 argc--;
368 }
369
370 optind = 0;
371 opterr = 0;
372 err = Z_OK;
373 while ((c = getopt(argc, argv, "fi:m:s")) != -1) {
374 switch (c) {
375 case 'i':
376 /*
377 * -i is handled by the runtime and is not passed
378 * along to userland
379 */
380 (void) strlcpy(init_file, optarg, MAXPATHLEN);
381 break;
382 case 'f':
383 /* This has already been processed by zoneadm */
384 break;
385 case 'm':
386 case 's':
387 /* These pass through unmolested */
388 (void) snprintf(outargs, BOOTARGS_MAX,
389 "%s -%c %s ", outargs, c, optarg ? optarg : "");
390 break;
391 case '?':
392 /*
393 * We warn about unknown arguments but pass them
394 * along anyway-- if someone wants to develop their
395 * own init replacement, they can pass it whatever
396 * args they want.
397 */
398 err = Z_INVAL;
399 (void) snprintf(outargs, BOOTARGS_MAX,
400 "%s -%c", outargs, optopt);
401 (void) snprintf(badarg, BOOTARGS_MAX,
402 "%s -%c", badarg, optopt);
403 break;
404 }
405 }
406
407 /*
408 * For Solaris Zones we warn about and discard non-option arguments.
409 * Hence 'boot foo bar baz gub' --> 'boot'. However, to be similar
410 * to the kernel, we concat up all the other remaining boot args.
411 * and warn on them as a group.
412 */
413 if (optind < argc) {
414 err = Z_INVAL;
415 while (optind < argc) {
416 (void) snprintf(badarg, BOOTARGS_MAX, "%s%s%s",
417 badarg, strlen(badarg) > 0 ? " " : "",
418 argv[optind]);
419 optind++;
420 }
421 zerror(zlogp, B_FALSE, "WARNING: Unused or invalid boot "
422 "arguments `%s'.", badarg);
423 }
424
425 done:
426 for (i = 0; i < argc_save; i++) {
427 if (argv_save[i] != NULL)
428 free(argv_save[i]);
429 }
430 free(argv_save);
431 return (err);
432 }
433
434
435 static int
436 mkzonedir(zlog_t *zlogp)
437 {
438 struct stat st;
439 /*
440 * We must create and lock everyone but root out of ZONES_TMPDIR
441 * since anyone can open any UNIX domain socket, regardless of
442 * its file system permissions. Sigh...
443 */
520 params.data_ptr = (char *)&cmd;
521 params.data_size = sizeof (cmd);
522 params.desc_ptr = NULL;
523 params.desc_num = 0;
524 params.rbuf = NULL;
525 params.rsize = NULL;
526 (void) door_call(fd, ¶ms);
527 (void) close(fd);
528 }
529
530 /*
531 * Bring a zone up to the pre-boot "ready" stage. The mount_cmd argument is
532 * 'true' if this is being invoked as part of the processing for the "mount"
533 * subcommand.
534 */
535 static int
536 zone_ready(zlog_t *zlogp, zone_mnt_t mount_cmd, int zstate)
537 {
538 int err;
539
540 if (brand_prestatechg(zlogp, zstate, Z_READY) != 0)
541 return (-1);
542
543 if ((err = zonecfg_create_snapshot(zone_name)) != Z_OK) {
544 zerror(zlogp, B_FALSE, "unable to create snapshot: %s",
545 zonecfg_strerror(err));
546 goto bad;
547 }
548
549 if ((zone_id = vplat_create(zlogp, mount_cmd)) == -1) {
550 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK)
551 zerror(zlogp, B_FALSE, "destroying snapshot: %s",
552 zonecfg_strerror(err));
553 goto bad;
554 }
555 if (vplat_bringup(zlogp, mount_cmd, zone_id) != 0) {
556 bringup_failure_recovery = B_TRUE;
557 (void) vplat_teardown(NULL, (mount_cmd != Z_MNT_BOOT), B_FALSE);
558 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK)
559 zerror(zlogp, B_FALSE, "destroying snapshot: %s",
560 zonecfg_strerror(err));
561 goto bad;
562 }
563
564 if (brand_poststatechg(zlogp, zstate, Z_READY) != 0)
565 goto bad;
566
567 return (0);
568
569 bad:
570 /*
571 * If something goes wrong, we up the zones's state to the target
572 * state, READY, and then invoke the hook as if we're halting.
573 */
574 (void) brand_poststatechg(zlogp, ZONE_STATE_READY, Z_HALT);
575 return (-1);
576 }
577
578 int
579 init_template(void)
580 {
581 int fd;
582 int err = 0;
583
584 fd = open64(CTFS_ROOT "/process/template", O_RDWR);
585 if (fd == -1)
586 return (-1);
587
588 /*
589 * For now, zoneadmd doesn't do anything with the contract.
590 * Deliver no events, don't inherit, and allow it to be orphaned.
591 */
592 err |= ct_tmpl_set_critical(fd, 0);
593 err |= ct_tmpl_set_informative(fd, 0);
606 zoneid_t zoneid;
607 boolean_t mount_cmd;
608 } fs_callback_t;
609
610 static int
611 mount_early_fs(void *data, const char *spec, const char *dir,
612 const char *fstype, const char *opt)
613 {
614 zlog_t *zlogp = ((fs_callback_t *)data)->zlogp;
615 zoneid_t zoneid = ((fs_callback_t *)data)->zoneid;
616 boolean_t mount_cmd = ((fs_callback_t *)data)->mount_cmd;
617 char rootpath[MAXPATHLEN];
618 pid_t child;
619 int child_status;
620 int tmpl_fd;
621 int rv;
622 ctid_t ct;
623
624 /* determine the zone rootpath */
625 if (mount_cmd) {
626 char zonepath[MAXPATHLEN];
627 char luroot[MAXPATHLEN];
628
629 if (zone_get_zonepath(zone_name,
630 zonepath, sizeof (zonepath)) != Z_OK) {
631 zerror(zlogp, B_FALSE, "unable to determine zone path");
632 return (-1);
633 }
634
635 (void) snprintf(luroot, sizeof (luroot), "%s/lu", zonepath);
636 resolve_lofs(zlogp, luroot, sizeof (luroot));
637 (void) strlcpy(rootpath, luroot, sizeof (rootpath));
638 } else {
639 if (zone_get_rootpath(zone_name,
640 rootpath, sizeof (rootpath)) != Z_OK) {
641 zerror(zlogp, B_FALSE, "unable to determine zone root");
642 return (-1);
643 }
644 }
645
646 if ((rv = valid_mount_path(zlogp, rootpath, spec, dir, fstype)) < 0) {
647 zerror(zlogp, B_FALSE, "%s%s is not a valid mount point",
648 rootpath, dir);
649 return (-1);
650 } else if (rv > 0) {
651 /* The mount point path doesn't exist, create it now. */
652 if (make_one_dir(zlogp, rootpath, dir,
653 DEFAULT_DIR_MODE, DEFAULT_DIR_USER,
654 DEFAULT_DIR_GROUP) != 0) {
669 "%s%s is not a valid mount point", rootpath, dir);
670 return (-1);
671 }
672 }
673
674 if ((tmpl_fd = init_template()) == -1) {
675 zerror(zlogp, B_TRUE, "failed to create contract");
676 return (-1);
677 }
678
679 if ((child = fork()) == -1) {
680 (void) ct_tmpl_clear(tmpl_fd);
681 (void) close(tmpl_fd);
682 zerror(zlogp, B_TRUE, "failed to fork");
683 return (-1);
684
685 } else if (child == 0) { /* child */
686 char opt_buf[MAX_MNTOPT_STR];
687 int optlen = 0;
688 int mflag = MS_DATA;
689
690 (void) ct_tmpl_clear(tmpl_fd);
691 /*
692 * Even though there are no procs running in the zone, we
693 * do this for paranoia's sake.
694 */
695 (void) closefrom(0);
696
697 if (zone_enter(zoneid) == -1) {
698 _exit(errno);
699 }
700 if (opt != NULL) {
701 /*
702 * The mount() system call is incredibly annoying.
703 * If options are specified, we need to copy them
704 * into a temporary buffer since the mount() system
705 * call will overwrite the options string. It will
706 * also fail if the new option string it wants to
707 * write is bigger than the one we passed in, so
708 * you must pass in a buffer of the maximum possible
709 * option string length. sigh.
710 */
711 (void) strlcpy(opt_buf, opt, sizeof (opt_buf));
712 opt = opt_buf;
713 optlen = MAX_MNTOPT_STR;
714 mflag = MS_OPTIONSTR;
715 }
716 if (mount(spec, dir, mflag, fstype, NULL, 0, opt, optlen) != 0)
717 _exit(errno);
718 _exit(0);
719 }
720
721 /* parent */
722 if (contract_latest(&ct) == -1)
723 ct = -1;
724 (void) ct_tmpl_clear(tmpl_fd);
725 (void) close(tmpl_fd);
726 if (waitpid(child, &child_status, 0) != child) {
727 /* unexpected: we must have been signalled */
728 (void) contract_abandon_id(ct);
729 return (-1);
730 }
731 (void) contract_abandon_id(ct);
732 if (WEXITSTATUS(child_status) != 0) {
733 errno = WEXITSTATUS(child_status);
734 zerror(zlogp, B_TRUE, "mount of %s failed", dir);
735 return (-1);
736 }
737
738 return (0);
739 }
740
741 /*
742 * If retstr is not NULL, the output of the subproc is returned in the str,
743 * otherwise it is output using zerror(). Any memory allocated for retstr
744 * should be freed by the caller.
745 */
746 int
747 do_subproc(zlog_t *zlogp, char *cmdbuf, char **retstr)
748 {
749 char buf[1024]; /* arbitrary large amount */
750 char *inbuf;
751 FILE *file;
752 int status;
753 int rd_cnt;
754
755 if (retstr != NULL) {
756 if ((*retstr = malloc(1024)) == NULL) {
757 zerror(zlogp, B_FALSE, "out of memory");
758 return (-1);
759 }
760 inbuf = *retstr;
761 rd_cnt = 0;
762 } else {
763 inbuf = buf;
764 }
765
766 file = popen(cmdbuf, "r");
767 if (file == NULL) {
768 zerror(zlogp, B_TRUE, "could not launch: %s", cmdbuf);
769 return (-1);
770 }
771
772 while (fgets(inbuf, 1024, file) != NULL) {
773 if (retstr == NULL) {
774 if (zlogp != &logsys)
775 zerror(zlogp, B_FALSE, "%s", inbuf);
776 } else {
777 char *p;
778
779 rd_cnt += 1024 - 1;
780 if ((p = realloc(*retstr, rd_cnt + 1024)) == NULL) {
781 zerror(zlogp, B_FALSE, "out of memory");
782 (void) pclose(file);
783 return (-1);
784 }
785
786 *retstr = p;
787 inbuf = *retstr + rd_cnt;
788 }
789 }
790 status = pclose(file);
791
792 if (WIFSIGNALED(status)) {
793 zerror(zlogp, B_FALSE, "%s unexpectedly terminated due to "
794 "signal %d", cmdbuf, WTERMSIG(status));
795 return (-1);
796 }
797 assert(WIFEXITED(status));
798 if (WEXITSTATUS(status) == ZEXIT_EXEC) {
799 zerror(zlogp, B_FALSE, "failed to exec %s", cmdbuf);
800 return (-1);
801 }
802 return (WEXITSTATUS(status));
803 }
804
805 static int
806 zone_bootup(zlog_t *zlogp, const char *bootargs, int zstate)
807 {
808 zoneid_t zoneid;
809 struct stat st;
810 char zpath[MAXPATHLEN], initpath[MAXPATHLEN], init_file[MAXPATHLEN];
811 char nbootargs[BOOTARGS_MAX];
812 char cmdbuf[MAXPATHLEN];
813 fs_callback_t cb;
814 brand_handle_t bh;
815 zone_iptype_t iptype;
816 boolean_t links_loaded = B_FALSE;
817 dladm_status_t status;
818 char errmsg[DLADM_STRSIZE];
819 int err;
820 boolean_t restart_init;
821
822 if (brand_prestatechg(zlogp, zstate, Z_BOOT) != 0)
823 return (-1);
824
825 if ((zoneid = getzoneidbyname(zone_name)) == -1) {
826 zerror(zlogp, B_TRUE, "unable to get zoneid");
827 goto bad;
828 }
829
830 cb.zlogp = zlogp;
831 cb.zoneid = zoneid;
832 cb.mount_cmd = B_FALSE;
833
834 /* Get a handle to the brand info for this zone */
835 if ((bh = brand_open(brand_name)) == NULL) {
836 zerror(zlogp, B_FALSE, "unable to determine zone brand");
837 goto bad;
838 }
839
840 /*
841 * Get the list of filesystems to mount from the brand
842 * configuration. These mounts are done via a thread that will
843 * enter the zone, so they are done from within the context of the
844 * zone.
845 */
846 if (brand_platform_iter_mounts(bh, mount_early_fs, &cb) != 0) {
847 zerror(zlogp, B_FALSE, "unable to mount filesystems");
848 brand_close(bh);
849 goto bad;
850 }
851
852 /*
853 * Get the brand's boot callback if it exists.
854 */
855 if (zone_get_zonepath(zone_name, zpath, sizeof (zpath)) != Z_OK) {
856 zerror(zlogp, B_FALSE, "unable to determine zone path");
857 brand_close(bh);
858 goto bad;
859 }
860 (void) strcpy(cmdbuf, EXEC_PREFIX);
861 if (brand_get_boot(bh, zone_name, zpath, cmdbuf + EXEC_LEN,
862 sizeof (cmdbuf) - EXEC_LEN) != 0) {
863 zerror(zlogp, B_FALSE,
864 "unable to determine branded zone's boot callback");
865 brand_close(bh);
866 goto bad;
867 }
868
869 /* Get the path for this zone's init(1M) (or equivalent) process. */
870 if (brand_get_initname(bh, init_file, MAXPATHLEN) != 0) {
871 zerror(zlogp, B_FALSE,
872 "unable to determine zone's init(1M) location");
873 brand_close(bh);
874 goto bad;
875 }
876
877 /* See if this zone's brand should restart init if it dies. */
878 restart_init = brand_restartinit(bh);
879
880 brand_close(bh);
881
882 err = filter_bootargs(zlogp, bootargs, nbootargs, init_file,
883 bad_boot_arg);
884 if (err == Z_INVAL)
885 eventstream_write(Z_EVT_ZONE_BADARGS);
886 else if (err != Z_OK)
887 goto bad;
888
889 assert(init_file[0] != '\0');
890
891 /* Try to anticipate possible problems: Make sure init is executable. */
892 if (zone_get_rootpath(zone_name, zpath, sizeof (zpath)) != Z_OK) {
893 zerror(zlogp, B_FALSE, "unable to determine zone root");
894 goto bad;
895 }
896
897 (void) snprintf(initpath, sizeof (initpath), "%s%s", zpath, init_file);
898
899 if (stat(initpath, &st) == -1) {
900 zerror(zlogp, B_TRUE, "could not stat %s", initpath);
901 goto bad;
902 }
903
904 if ((st.st_mode & S_IXUSR) == 0) {
905 zerror(zlogp, B_FALSE, "%s is not executable", initpath);
906 goto bad;
907 }
908
909 /*
910 * Exclusive stack zones interact with the dlmgmtd running in the
911 * global zone. dladm_zone_boot() tells dlmgmtd that this zone is
912 * booting, and loads its datalinks from the zone's datalink
913 * configuration file.
914 */
915 if (vplat_get_iptype(zlogp, &iptype) == 0 && iptype == ZS_EXCLUSIVE) {
916 status = dladm_zone_boot(dld_handle, zoneid);
917 if (status != DLADM_STATUS_OK) {
918 zerror(zlogp, B_FALSE, "unable to load zone datalinks: "
919 " %s", dladm_status2str(status, errmsg));
920 goto bad;
921 }
922 links_loaded = B_TRUE;
923 }
924
925 /*
926 * If there is a brand 'boot' callback, execute it now to give the
927 * brand one last chance to do any additional setup before the zone
928 * is booted.
929 */
930 if ((strlen(cmdbuf) > EXEC_LEN) &&
931 (do_subproc(zlogp, cmdbuf, NULL) != Z_OK)) {
932 zerror(zlogp, B_FALSE, "%s failed", cmdbuf);
933 goto bad;
934 }
935
936 if (zone_setattr(zoneid, ZONE_ATTR_INITNAME, init_file, 0) == -1) {
937 zerror(zlogp, B_TRUE, "could not set zone boot file");
938 goto bad;
939 }
940
941 if (zone_setattr(zoneid, ZONE_ATTR_BOOTARGS, nbootargs, 0) == -1) {
942 zerror(zlogp, B_TRUE, "could not set zone boot arguments");
943 goto bad;
944 }
945
946 if (!restart_init && zone_setattr(zoneid, ZONE_ATTR_INITNORESTART,
947 NULL, 0) == -1) {
948 zerror(zlogp, B_TRUE, "could not set zone init-no-restart");
949 goto bad;
950 }
951
952 /*
953 * Inform zonestatd of a new zone so that it can install a door for
954 * the zone to contact it.
955 */
956 notify_zonestatd(zone_id);
957
958 if (zone_boot(zoneid) == -1) {
959 zerror(zlogp, B_TRUE, "unable to boot zone");
960 goto bad;
961 }
962
963 if (brand_poststatechg(zlogp, zstate, Z_BOOT) != 0)
964 goto bad;
965
966 return (0);
967
968 bad:
969 /*
970 * If something goes wrong, we up the zones's state to the target
971 * state, RUNNING, and then invoke the hook as if we're halting.
972 */
973 (void) brand_poststatechg(zlogp, ZONE_STATE_RUNNING, Z_HALT);
974 if (links_loaded)
975 (void) dladm_zone_halt(dld_handle, zoneid);
976 return (-1);
977 }
978
979 static int
980 zone_halt(zlog_t *zlogp, boolean_t unmount_cmd, boolean_t rebooting, int zstate)
981 {
982 int err;
983
984 if (brand_prestatechg(zlogp, zstate, Z_HALT) != 0)
985 return (-1);
986
987 if (vplat_teardown(zlogp, unmount_cmd, rebooting) != 0) {
988 if (!bringup_failure_recovery)
989 zerror(zlogp, B_FALSE, "unable to destroy zone");
990 return (-1);
991 }
992
993 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK)
994 zerror(zlogp, B_FALSE, "destroying snapshot: %s",
995 zonecfg_strerror(err));
996
997 if (brand_poststatechg(zlogp, zstate, Z_HALT) != 0)
998 return (-1);
999
1000 return (0);
1001 }
1002
1003 static int
1004 zone_graceful_shutdown(zlog_t *zlogp)
1005 {
1006 zoneid_t zoneid;
1007 pid_t child;
1008 char cmdbuf[MAXPATHLEN];
1009 brand_handle_t bh = NULL;
1010 char zpath[MAXPATHLEN];
1011 ctid_t ct;
1012 int tmpl_fd;
1013 int child_status;
1014
1015 if (shutdown_in_progress) {
1016 zerror(zlogp, B_FALSE, "shutdown already in progress");
1017 return (-1);
1018 }
1019
1020 if ((zoneid = getzoneidbyname(zone_name)) == -1) {
1021 zerror(zlogp, B_TRUE, "unable to get zoneid");
1022 return (-1);
1023 }
1024
1025 /* Get a handle to the brand info for this zone */
1026 if ((bh = brand_open(brand_name)) == NULL) {
1027 zerror(zlogp, B_FALSE, "unable to determine zone brand");
1028 return (-1);
1029 }
1030
1031 if (zone_get_zonepath(zone_name, zpath, sizeof (zpath)) != Z_OK) {
1032 zerror(zlogp, B_FALSE, "unable to determine zone path");
1033 brand_close(bh);
1034 return (-1);
1035 }
1036
1037 /*
1038 * If there is a brand 'shutdown' callback, execute it now to give the
1039 * brand a chance to cleanup any custom configuration.
1040 */
1041 (void) strcpy(cmdbuf, EXEC_PREFIX);
1042 if (brand_get_shutdown(bh, zone_name, zpath, cmdbuf + EXEC_LEN,
1043 sizeof (cmdbuf) - EXEC_LEN) != 0 || strlen(cmdbuf) <= EXEC_LEN) {
1044 (void) strcat(cmdbuf, SHUTDOWN_DEFAULT);
1045 }
1046 brand_close(bh);
1047
1048 if ((tmpl_fd = init_template()) == -1) {
1049 zerror(zlogp, B_TRUE, "failed to create contract");
1050 return (-1);
1051 }
1052
1053 if ((child = fork()) == -1) {
1054 (void) ct_tmpl_clear(tmpl_fd);
1055 (void) close(tmpl_fd);
1056 zerror(zlogp, B_TRUE, "failed to fork");
1057 return (-1);
1058 } else if (child == 0) {
1059 (void) ct_tmpl_clear(tmpl_fd);
1060 if (zone_enter(zoneid) == -1) {
1061 _exit(errno);
1062 }
1160 }
1161
1162 event = adt_alloc_event(ah, ADT_zone_state);
1163 if (event == NULL) {
1164 zerror(zlogp, B_TRUE, gettext("audit failure."));
1165 (void) adt_end_session(ah);
1166 return;
1167 }
1168 event->adt_zone_state.zonename = zone_name;
1169 event->adt_zone_state.new_state = new_state;
1170
1171 if (adt_put_event(event, pass_fail, fail_reason))
1172 zerror(zlogp, B_TRUE, gettext("audit failure."));
1173
1174 adt_free_event(event);
1175
1176 (void) adt_end_session(ah);
1177 }
1178
1179 /*
1180 * The main routine for the door server that deals with zone state transitions.
1181 */
1182 /* ARGSUSED */
1183 static void
1184 server(void *cookie, char *args, size_t alen, door_desc_t *dp,
1185 uint_t n_desc)
1186 {
1187 ucred_t *uc = NULL;
1188 const priv_set_t *eset;
1189
1190 zone_state_t zstate;
1191 zone_cmd_t cmd;
1192 zone_cmd_arg_t *zargp;
1193
1194 boolean_t kernelcall;
1195
1196 int rval = -1;
1197 uint64_t uniqid;
1198 zoneid_t zoneid = -1;
1199 zlog_t zlog;
1200 zlog_t *zlogp;
1201 zone_cmd_rval_t *rvalp;
1202 size_t rlen = getpagesize(); /* conservative */
1203 fs_callback_t cb;
1204 brand_handle_t bh;
1205 boolean_t wait_shut = B_FALSE;
1206
1207 /* LINTED E_BAD_PTR_CAST_ALIGN */
1208 zargp = (zone_cmd_arg_t *)args;
1209
1210 /*
1211 * When we get the door unref message, we've fdetach'd the door, and
1224
1225 rvalp = alloca(rlen);
1226 bzero(rvalp, rlen);
1227 zlog.logfile = NULL;
1228 zlog.buflen = zlog.loglen = rlen - sizeof (zone_cmd_rval_t) + 1;
1229 zlog.buf = rvalp->errbuf;
1230 zlog.log = zlog.buf;
1231 /* defer initialization of zlog.locale until after credential check */
1232 zlogp = &zlog;
1233
1234 if (alen != sizeof (zone_cmd_arg_t)) {
1235 /*
1236 * This really shouldn't be happening.
1237 */
1238 zerror(&logsys, B_FALSE, "argument size (%d bytes) "
1239 "unexpected (expected %d bytes)", alen,
1240 sizeof (zone_cmd_arg_t));
1241 goto out;
1242 }
1243 cmd = zargp->cmd;
1244
1245 if (door_ucred(&uc) != 0) {
1246 zerror(&logsys, B_TRUE, "door_ucred");
1247 goto out;
1248 }
1249 eset = ucred_getprivset(uc, PRIV_EFFECTIVE);
1250 if (ucred_getzoneid(uc) != GLOBAL_ZONEID ||
1251 (eset != NULL ? !priv_ismember(eset, PRIV_SYS_CONFIG) :
1252 ucred_geteuid(uc) != 0)) {
1253 zerror(&logsys, B_FALSE, "insufficient privileges");
1254 goto out;
1255 }
1256
1257 kernelcall = ucred_getpid(uc) == 0;
1258
1259 /*
1260 * This is safe because we only use a zlog_t throughout the
1261 * duration of a door call; i.e., by the time the pointer
1262 * might become invalid, the door call would be over.
1263 */
1333 zstate = ZONE_STATE_INSTALLED;
1334
1335 switch (zstate) {
1336 case ZONE_STATE_CONFIGURED:
1337 case ZONE_STATE_INCOMPLETE:
1338 /*
1339 * Not our area of expertise; we just print a nice message
1340 * and die off.
1341 */
1342 zerror(zlogp, B_FALSE,
1343 "%s operation is invalid for zones in state '%s'",
1344 z_cmd_name(cmd), zone_state_str(zstate));
1345 break;
1346
1347 case ZONE_STATE_INSTALLED:
1348 switch (cmd) {
1349 case Z_READY:
1350 rval = zone_ready(zlogp, Z_MNT_BOOT, zstate);
1351 if (rval == 0)
1352 eventstream_write(Z_EVT_ZONE_READIED);
1353 break;
1354 case Z_BOOT:
1355 case Z_FORCEBOOT:
1356 eventstream_write(Z_EVT_ZONE_BOOTING);
1357 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate))
1358 == 0) {
1359 rval = zone_bootup(zlogp, zargp->bootbuf,
1360 zstate);
1361 }
1362 audit_put_record(zlogp, uc, rval, "boot");
1363 if (rval != 0) {
1364 bringup_failure_recovery = B_TRUE;
1365 (void) zone_halt(zlogp, B_FALSE, B_FALSE,
1366 zstate);
1367 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1368 }
1369 break;
1370 case Z_SHUTDOWN:
1371 case Z_HALT:
1372 if (kernelcall) /* Invalid; can't happen */
1373 abort();
1374 /*
1375 * We could have two clients racing to halt this
1376 * zone; the second client loses, but his request
1377 * doesn't fail, since the zone is now in the desired
1378 * state.
1379 */
1380 zerror(zlogp, B_FALSE, "zone is already halted");
1381 rval = 0;
1382 break;
1465 break;
1466
1467 case ZONE_STATE_READY:
1468 switch (cmd) {
1469 case Z_READY:
1470 /*
1471 * We could have two clients racing to ready this
1472 * zone; the second client loses, but his request
1473 * doesn't fail, since the zone is now in the desired
1474 * state.
1475 */
1476 zerror(zlogp, B_FALSE, "zone is already ready");
1477 rval = 0;
1478 break;
1479 case Z_BOOT:
1480 (void) strlcpy(boot_args, zargp->bootbuf,
1481 sizeof (boot_args));
1482 eventstream_write(Z_EVT_ZONE_BOOTING);
1483 rval = zone_bootup(zlogp, zargp->bootbuf, zstate);
1484 audit_put_record(zlogp, uc, rval, "boot");
1485 if (rval != 0) {
1486 bringup_failure_recovery = B_TRUE;
1487 (void) zone_halt(zlogp, B_FALSE, B_TRUE,
1488 zstate);
1489 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1490 }
1491 boot_args[0] = '\0';
1492 break;
1493 case Z_HALT:
1494 if (kernelcall) /* Invalid; can't happen */
1495 abort();
1496 if ((rval = zone_halt(zlogp, B_FALSE, B_FALSE, zstate))
1497 != 0)
1498 break;
1499 eventstream_write(Z_EVT_ZONE_HALTED);
1500 break;
1501 case Z_SHUTDOWN:
1502 case Z_REBOOT:
1503 case Z_NOTE_UNINSTALLING:
1504 case Z_MOUNT:
1505 case Z_UNMOUNT:
1506 if (kernelcall) /* Invalid; can't happen */
1507 abort();
1508 zerror(zlogp, B_FALSE, "%s operation is invalid "
1509 "for zones in state '%s'", z_cmd_name(cmd),
1510 zone_state_str(zstate));
1511 rval = -1;
1512 break;
1513 }
1514 break;
1515
1516 case ZONE_STATE_MOUNTED:
1517 switch (cmd) {
1518 case Z_UNMOUNT:
1526 break;
1527 default:
1528 if (kernelcall) /* Invalid; can't happen */
1529 abort();
1530 zerror(zlogp, B_FALSE, "%s operation is invalid "
1531 "for zones in state '%s'", z_cmd_name(cmd),
1532 zone_state_str(zstate));
1533 rval = -1;
1534 break;
1535 }
1536 break;
1537
1538 case ZONE_STATE_RUNNING:
1539 case ZONE_STATE_SHUTTING_DOWN:
1540 case ZONE_STATE_DOWN:
1541 switch (cmd) {
1542 case Z_READY:
1543 if ((rval = zone_halt(zlogp, B_FALSE, B_TRUE, zstate))
1544 != 0)
1545 break;
1546 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate)) == 0)
1547 eventstream_write(Z_EVT_ZONE_READIED);
1548 else
1549 eventstream_write(Z_EVT_ZONE_HALTED);
1550 break;
1551 case Z_BOOT:
1552 /*
1553 * We could have two clients racing to boot this
1554 * zone; the second client loses, but his request
1555 * doesn't fail, since the zone is now in the desired
1556 * state.
1557 */
1558 zerror(zlogp, B_FALSE, "zone is already booted");
1559 rval = 0;
1560 break;
1561 case Z_HALT:
1562 if ((rval = zone_halt(zlogp, B_FALSE, B_FALSE, zstate))
1563 != 0)
1564 break;
1565 eventstream_write(Z_EVT_ZONE_HALTED);
1566 break;
1567 case Z_REBOOT:
1568 (void) strlcpy(boot_args, zargp->bootbuf,
1569 sizeof (boot_args));
1570 eventstream_write(Z_EVT_ZONE_REBOOTING);
1571 if ((rval = zone_halt(zlogp, B_FALSE, B_TRUE, zstate))
1572 != 0) {
1573 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1574 boot_args[0] = '\0';
1575 break;
1576 }
1577 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate))
1578 != 0) {
1579 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1580 boot_args[0] = '\0';
1581 break;
1582 }
1583 rval = zone_bootup(zlogp, zargp->bootbuf, zstate);
1584 audit_put_record(zlogp, uc, rval, "reboot");
1585 if (rval != 0) {
1586 (void) zone_halt(zlogp, B_FALSE, B_TRUE,
1587 zstate);
1588 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1589 }
1590 boot_args[0] = '\0';
1591 break;
1592 case Z_SHUTDOWN:
1593 if ((rval = zone_graceful_shutdown(zlogp)) == 0) {
1594 wait_shut = B_TRUE;
1595 }
1596 break;
1597 case Z_NOTE_UNINSTALLING:
1598 case Z_MOUNT:
1742 * which will try again (by which time zoneadmd
1743 * will hopefully have exited).
1744 */
1745 goto out;
1746 }
1747
1748 /*
1749 * If we got this far, there's a fattach(3c)'ed door
1750 * that belongs to a process that has exited, which can
1751 * happen if the previous zoneadmd died unexpectedly.
1752 *
1753 * Let user know that something is amiss, but that we can
1754 * recover; if the zone is in the installed state, then don't
1755 * message, since having a running zoneadmd isn't really
1756 * expected/needed. We want to keep occurences of this message
1757 * limited to times when zoneadmd is picking back up from a
1758 * zoneadmd that died while the zone was in some non-trivial
1759 * state.
1760 */
1761 if (zstate > ZONE_STATE_INSTALLED) {
1762 zerror(zlogp, B_FALSE,
1763 "zone '%s': WARNING: zone is in state '%s', but "
1764 "zoneadmd does not appear to be available; "
1765 "restarted zoneadmd to recover.",
1766 zone_name, zone_state_str(zstate));
1767 }
1768
1769 (void) fdetach(zone_door_path);
1770 (void) close(doorfd);
1771 goto top;
1772 }
1773 ret = 0;
1774 out:
1775 (void) close(doorfd);
1776 return (ret);
1777 }
1778
1779 /*
1780 * Setup the brand's pre and post state change callbacks, as well as the
1781 * query callback, if any of these exist.
1782 */
1783 static int
1784 brand_callback_init(brand_handle_t bh, char *zone_name)
1785 {
1786 char zpath[MAXPATHLEN];
1787
1788 if (zone_get_zonepath(zone_name, zpath, sizeof (zpath)) != Z_OK)
1789 return (-1);
1790
1791 (void) strlcpy(pre_statechg_hook, EXEC_PREFIX,
1792 sizeof (pre_statechg_hook));
1793
1794 if (brand_get_prestatechange(bh, zone_name, zpath,
1795 pre_statechg_hook + EXEC_LEN,
1796 sizeof (pre_statechg_hook) - EXEC_LEN) != 0)
1797 return (-1);
1798
1799 if (strlen(pre_statechg_hook) <= EXEC_LEN)
1800 pre_statechg_hook[0] = '\0';
1801
1802 (void) strlcpy(post_statechg_hook, EXEC_PREFIX,
1803 sizeof (post_statechg_hook));
1804
1805 if (brand_get_poststatechange(bh, zone_name, zpath,
1806 post_statechg_hook + EXEC_LEN,
1807 sizeof (post_statechg_hook) - EXEC_LEN) != 0)
1808 return (-1);
1809
1810 if (strlen(post_statechg_hook) <= EXEC_LEN)
1811 post_statechg_hook[0] = '\0';
1812
1813 (void) strlcpy(query_hook, EXEC_PREFIX,
1814 sizeof (query_hook));
1815
1816 if (brand_get_query(bh, zone_name, zpath, query_hook + EXEC_LEN,
1817 sizeof (query_hook) - EXEC_LEN) != 0)
1818 return (-1);
1819
1820 if (strlen(query_hook) <= EXEC_LEN)
1821 query_hook[0] = '\0';
1822
1823 return (0);
1824 }
1825
1826 int
1827 main(int argc, char *argv[])
1828 {
1829 int opt;
1830 zoneid_t zid;
1831 priv_set_t *privset;
1832 zone_state_t zstate;
1833 char parents_locale[MAXPATHLEN];
1834 brand_handle_t bh;
1835 int err;
1836
1924 }
1925
1926 if (zone_get_id(zone_name, &zid) != 0) {
1927 zerror(zlogp, B_FALSE, "could not manage %s: %s", zone_name,
1928 zonecfg_strerror(Z_NO_ZONE));
1929 return (1);
1930 }
1931
1932 if ((err = zone_get_state(zone_name, &zstate)) != Z_OK) {
1933 zerror(zlogp, B_FALSE, "failed to get zone state: %s",
1934 zonecfg_strerror(err));
1935 return (1);
1936 }
1937 if (zstate < ZONE_STATE_INCOMPLETE) {
1938 zerror(zlogp, B_FALSE,
1939 "cannot manage a zone which is in state '%s'",
1940 zone_state_str(zstate));
1941 return (1);
1942 }
1943
1944 if (zonecfg_default_brand(default_brand,
1945 sizeof (default_brand)) != Z_OK) {
1946 zerror(zlogp, B_FALSE, "unable to determine default brand");
1947 return (1);
1948 }
1949
1950 /* Get a handle to the brand info for this zone */
1951 if (zone_get_brand(zone_name, brand_name, sizeof (brand_name))
1952 != Z_OK) {
1953 zerror(zlogp, B_FALSE, "unable to determine zone brand");
1954 return (1);
1955 }
1956 zone_isnative = (strcmp(brand_name, NATIVE_BRAND_NAME) == 0);
1957 zone_islabeled = (strcmp(brand_name, LABELED_BRAND_NAME) == 0);
1958
1959 /*
1960 * In the alternate root environment, the only supported
1961 * operations are mount and unmount. In this case, just treat
1962 * the zone as native if it is cluster. Cluster zones can be
1963 * native for the purpose of LU or upgrade, and the cluster
|
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
25 * Copyright 2016 Joyent, Inc.
26 */
27
28 /*
29 * zoneadmd manages zones; one zoneadmd process is launched for each
30 * non-global zone on the system. This daemon juggles four jobs:
31 *
32 * - Implement setup and teardown of the zone "virtual platform": mount and
33 * unmount filesystems; create and destroy network interfaces; communicate
34 * with devfsadmd to lay out devices for the zone; instantiate the zone
35 * console device; configure process runtime attributes such as resource
36 * controls, pool bindings, fine-grained privileges.
37 *
38 * - Launch the zone's init(1M) process.
39 *
40 * - Implement a door server; clients (like zoneadm) connect to the door
41 * server and request zone state changes. The kernel is also a client of
42 * this door server. A request to halt or reboot the zone which originates
43 * *inside* the zone results in a door upcall from the kernel into zoneadmd.
44 *
45 * One minor problem is that messages emitted by zoneadmd need to be passed
52 * strings, and an exclusion file (zoneadmd.xcl) is used to exclude those
53 * strings which do not need to be translated.
54 *
55 * - Act as a console server for zlogin -C processes; see comments in zcons.c
56 * for more information about the zone console architecture.
57 *
58 * DESIGN NOTES
59 *
60 * Restart:
61 * A chief design constraint of zoneadmd is that it should be restartable in
62 * the case that the administrator kills it off, or it suffers a fatal error,
63 * without the running zone being impacted; this is akin to being able to
64 * reboot the service processor of a server without affecting the OS instance.
65 */
66
67 #include <sys/param.h>
68 #include <sys/mman.h>
69 #include <sys/types.h>
70 #include <sys/stat.h>
71 #include <sys/sysmacros.h>
72 #include <sys/time.h>
73
74 #include <bsm/adt.h>
75 #include <bsm/adt_event.h>
76
77 #include <alloca.h>
78 #include <assert.h>
79 #include <errno.h>
80 #include <door.h>
81 #include <fcntl.h>
82 #include <locale.h>
83 #include <signal.h>
84 #include <stdarg.h>
85 #include <stdio.h>
86 #include <stdlib.h>
87 #include <string.h>
88 #include <strings.h>
89 #include <synch.h>
90 #include <syslog.h>
91 #include <thread.h>
92 #include <unistd.h>
93 #include <wait.h>
94 #include <limits.h>
95 #include <zone.h>
96 #include <libbrand.h>
97 #include <sys/brand.h>
98 #include <libcontract.h>
99 #include <libcontract_priv.h>
100 #include <sys/brand.h>
101 #include <sys/contract/process.h>
102 #include <sys/ctfs.h>
103 #include <libdladm.h>
104 #include <sys/dls_mgmt.h>
105 #include <libscf.h>
106
107 #include <libzonecfg.h>
108 #include <zonestat_impl.h>
109 #include "zoneadmd.h"
110
111 static char *progname;
112 char *zone_name; /* zone which we are managing */
113 zone_dochandle_t snap_hndl; /* handle for snapshot created when ready */
114 char zonepath[MAXNAMELEN];
115 char pool_name[MAXNAMELEN];
116 char default_brand[MAXNAMELEN];
117 char brand_name[MAXNAMELEN];
118 boolean_t zone_isnative;
119 boolean_t zone_iscluster;
120 boolean_t zone_islabeled;
121 boolean_t shutdown_in_progress;
122 static zoneid_t zone_id;
123 dladm_handle_t dld_handle = NULL;
124
125 static char pre_statechg_hook[2 * MAXPATHLEN];
126 static char post_statechg_hook[2 * MAXPATHLEN];
127 char query_hook[2 * MAXPATHLEN];
128
129 zlog_t logsys;
130
131 mutex_t lock = DEFAULTMUTEX; /* to serialize stuff */
132 mutex_t msglock = DEFAULTMUTEX; /* for calling setlocale() */
133
134 static sema_t scratch_sem; /* for scratch zones */
135
136 static char zone_door_path[MAXPATHLEN];
137 static int zone_door = -1;
138
139 boolean_t in_death_throes = B_FALSE; /* daemon is dying */
140 boolean_t bringup_failure_recovery = B_FALSE; /* ignore certain failures */
141
142 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */
143 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */
144 #endif
145
146 #define DEFAULT_LOCALE "C"
147
148 #define RSRC_NET "net"
149 #define RSRC_DEV "device"
150
151 static const char *
152 z_cmd_name(zone_cmd_t zcmd)
153 {
154 /* This list needs to match the enum in sys/zone.h */
155 static const char *zcmdstr[] = {
156 "ready", "boot", "forceboot", "reboot", "halt",
157 "note_uninstalling", "mount", "forcemount", "unmount",
158 "shutdown"
159 };
160
161 if (zcmd >= sizeof (zcmdstr) / sizeof (*zcmdstr))
162 return ("unknown");
163 else
164 return (zcmdstr[(int)zcmd]);
165 }
166
167 static char *
168 get_execbasename(char *execfullname)
169 {
170 char *last_slash, *execbasename;
247 bp = &(buf[strlen(buf)]);
248 if (use_strerror)
249 (void) snprintf(bp, sizeof (buf) - (bp - buf), ": %s",
250 strerror(saved_errno));
251 if (zlogp == &logsys) {
252 (void) syslog(LOG_ERR, "%s", buf);
253 } else if (zlogp->logfile != NULL) {
254 (void) fprintf(zlogp->logfile, "%s\n", buf);
255 } else {
256 size_t buflen;
257 size_t copylen;
258
259 buflen = snprintf(zlogp->log, zlogp->loglen, "%s\n", buf);
260 copylen = MIN(buflen, zlogp->loglen);
261 zlogp->log += copylen;
262 zlogp->loglen -= copylen;
263 }
264 }
265
266 /*
267 * Append src to dest, modifying dest in the process. Prefix src with
268 * a space character if dest is a non-empty string.
269 */
270 static void
271 strnappend(char *dest, size_t n, const char *src)
272 {
273 (void) snprintf(dest, n, "%s%s%s", dest,
274 dest[0] == '\0' ? "" : " ", src);
275 }
276
277 /*
278 * Since illumos boot arguments are getopt(3c) compatible (see kernel(1m)), we
279 * put the arguments into an argv style array, use getopt to process them,
280 * and put the resultant argument string back into outargs. Non-native brands
281 * may support alternate forms of boot arguments so we must handle that as well.
282 *
283 * During the filtering, we pull out any arguments which are truly "boot"
284 * arguments, leaving only those which are to be passed intact to the
285 * progenitor process. The one we support at the moment is -i, which
286 * indicates to the kernel which program should be launched as 'init'.
287 *
288 * Except for Z_OK, all other return values are treated as fatal.
289 */
290 static int
291 filter_bootargs(zlog_t *zlogp, const char *inargs, char *outargs,
292 char *init_file)
293 {
294 int argc = 0, argc_save;
295 int i;
296 int err;
297 char *arg, *lasts, **argv = NULL, **argv_save;
298 char zonecfg_args[BOOTARGS_MAX];
299 char scratchargs[BOOTARGS_MAX], *sargs;
300 char scratchopt[3];
301 char c;
302
303 bzero(outargs, BOOTARGS_MAX);
304
305 /*
306 * If the user didn't specify transient boot arguments, check
307 * to see if there were any specified in the zone configuration,
308 * and use them if applicable.
309 */
310 if (inargs == NULL || inargs[0] == '\0') {
311 zone_dochandle_t handle;
312 if ((handle = zonecfg_init_handle()) == NULL) {
313 zerror(zlogp, B_TRUE,
314 "getting zone configuration handle");
315 return (Z_BAD_HANDLE);
316 }
317 err = zonecfg_get_snapshot_handle(zone_name, handle);
318 if (err != Z_OK) {
319 zerror(zlogp, B_FALSE,
320 "invalid configuration snapshot");
321 zonecfg_fini_handle(handle);
322 return (Z_BAD_HANDLE);
323 }
346 return (Z_NOMEM);
347 }
348
349 argv_save = argv;
350 argc_save = argc;
351
352 (void) strlcpy(scratchargs, inargs, sizeof (scratchargs));
353 sargs = scratchargs;
354 i = 0;
355 while ((arg = strtok_r(sargs, " \t", &lasts)) != NULL) {
356 sargs = NULL;
357 if ((argv[i] = strdup(arg)) == NULL) {
358 err = Z_NOMEM;
359 zerror(zlogp, B_FALSE, "memory allocation failed");
360 goto done;
361 }
362 i++;
363 }
364
365 /*
366 * We preserve compatibility with the illumos system boot behavior,
367 * which allows:
368 *
369 * # reboot kernel/unix -s -m verbose
370 *
371 * In this example, kernel/unix tells the booter what file to boot. The
372 * original intent of this was that we didn't want reboot in a zone to
373 * be gratuitously different, so we would silently ignore the boot
374 * file, if necessary. However, this usage is archaic and has never
375 * been common, since it is impossible to boot a zone onto a different
376 * kernel. Ignoring the first argument breaks for non-native brands
377 * which pass boot arguments in a different style. e.g.
378 * systemd.log_level=debug
379 * Thus, for backward compatibility we only ignore the first argument
380 * if it appears to be in the illumos form and attempting to specify a
381 * kernel.
382 */
383 if (argv[0] == NULL)
384 goto done;
385
386 assert(argv[0][0] != ' ');
387 assert(argv[0][0] != '\t');
388
389 if (strncmp(argv[0], "kernel/", 7) == 0) {
390 argv = &argv[1];
391 argc--;
392 }
393
394 optind = 0;
395 opterr = 0;
396 err = Z_OK;
397 while ((c = getopt(argc, argv, "fi:m:s")) != -1) {
398 switch (c) {
399 case 'i':
400 /*
401 * -i is handled by the runtime and is not passed
402 * along to userland
403 */
404 (void) strlcpy(init_file, optarg, MAXPATHLEN);
405 break;
406 case 'f':
407 /* This has already been processed by zoneadm */
408 break;
409 case 'm':
410 case 's':
411 /* These pass through unmolested */
412 (void) snprintf(scratchopt, sizeof (scratchopt),
413 "-%c", c);
414 strnappend(outargs, BOOTARGS_MAX, scratchopt);
415 if (optarg != NULL)
416 strnappend(outargs, BOOTARGS_MAX, optarg);
417 break;
418 case '?':
419 /*
420 * If a brand has its own init, we need to pass along
421 * whatever the user provides. We use the entire
422 * unknown string here so that we correctly handle
423 * unknown long options (e.g. --debug).
424 */
425 strnappend(outargs, BOOTARGS_MAX, argv[optind - 1]);
426 break;
427 }
428 }
429
430 /*
431 * We need to pass along everything else since we don't know what
432 * the brand's init is expecting. For example, an argument list like:
433 * --confdir /foo --debug
434 * will cause the getopt parsing to stop at '/foo' but we need to pass
435 * that on, along with the '--debug'. This does mean that we require
436 * any of our known options (-ifms) to preceed the brand-specific ones.
437 */
438 while (optind < argc) {
439 strnappend(outargs, BOOTARGS_MAX, argv[optind]);
440 optind++;
441 }
442
443 done:
444 for (i = 0; i < argc_save; i++) {
445 if (argv_save[i] != NULL)
446 free(argv_save[i]);
447 }
448 free(argv_save);
449 return (err);
450 }
451
452
453 static int
454 mkzonedir(zlog_t *zlogp)
455 {
456 struct stat st;
457 /*
458 * We must create and lock everyone but root out of ZONES_TMPDIR
459 * since anyone can open any UNIX domain socket, regardless of
460 * its file system permissions. Sigh...
461 */
538 params.data_ptr = (char *)&cmd;
539 params.data_size = sizeof (cmd);
540 params.desc_ptr = NULL;
541 params.desc_num = 0;
542 params.rbuf = NULL;
543 params.rsize = NULL;
544 (void) door_call(fd, ¶ms);
545 (void) close(fd);
546 }
547
548 /*
549 * Bring a zone up to the pre-boot "ready" stage. The mount_cmd argument is
550 * 'true' if this is being invoked as part of the processing for the "mount"
551 * subcommand.
552 */
553 static int
554 zone_ready(zlog_t *zlogp, zone_mnt_t mount_cmd, int zstate)
555 {
556 int err;
557
558 if (!ALT_MOUNT(mount_cmd) &&
559 brand_prestatechg(zlogp, zstate, Z_READY) != 0)
560 return (-1);
561
562 if ((err = zonecfg_create_snapshot(zone_name)) != Z_OK) {
563 zerror(zlogp, B_FALSE, "unable to create snapshot: %s",
564 zonecfg_strerror(err));
565 goto bad;
566 }
567
568 if ((zone_id = vplat_create(zlogp, mount_cmd)) == -1) {
569 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK)
570 zerror(zlogp, B_FALSE, "destroying snapshot: %s",
571 zonecfg_strerror(err));
572 goto bad;
573 }
574 if (vplat_bringup(zlogp, mount_cmd, zone_id) != 0) {
575 bringup_failure_recovery = B_TRUE;
576 (void) vplat_teardown(NULL, (mount_cmd != Z_MNT_BOOT), B_FALSE);
577 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK)
578 zerror(zlogp, B_FALSE, "destroying snapshot: %s",
579 zonecfg_strerror(err));
580 goto bad;
581 }
582
583 if (!ALT_MOUNT(mount_cmd) &&
584 brand_poststatechg(zlogp, zstate, Z_READY) != 0)
585 goto bad;
586
587 return (0);
588
589 bad:
590 /*
591 * If something goes wrong, we up the zones's state to the target
592 * state, READY, and then invoke the hook as if we're halting.
593 */
594 if (!ALT_MOUNT(mount_cmd))
595 (void) brand_poststatechg(zlogp, ZONE_STATE_READY, Z_HALT);
596 return (-1);
597 }
598
599 int
600 init_template(void)
601 {
602 int fd;
603 int err = 0;
604
605 fd = open64(CTFS_ROOT "/process/template", O_RDWR);
606 if (fd == -1)
607 return (-1);
608
609 /*
610 * For now, zoneadmd doesn't do anything with the contract.
611 * Deliver no events, don't inherit, and allow it to be orphaned.
612 */
613 err |= ct_tmpl_set_critical(fd, 0);
614 err |= ct_tmpl_set_informative(fd, 0);
627 zoneid_t zoneid;
628 boolean_t mount_cmd;
629 } fs_callback_t;
630
631 static int
632 mount_early_fs(void *data, const char *spec, const char *dir,
633 const char *fstype, const char *opt)
634 {
635 zlog_t *zlogp = ((fs_callback_t *)data)->zlogp;
636 zoneid_t zoneid = ((fs_callback_t *)data)->zoneid;
637 boolean_t mount_cmd = ((fs_callback_t *)data)->mount_cmd;
638 char rootpath[MAXPATHLEN];
639 pid_t child;
640 int child_status;
641 int tmpl_fd;
642 int rv;
643 ctid_t ct;
644
645 /* determine the zone rootpath */
646 if (mount_cmd) {
647 char luroot[MAXPATHLEN];
648
649 (void) snprintf(luroot, sizeof (luroot), "%s/lu", zonepath);
650 resolve_lofs(zlogp, luroot, sizeof (luroot));
651 (void) strlcpy(rootpath, luroot, sizeof (rootpath));
652 } else {
653 if (zone_get_rootpath(zone_name,
654 rootpath, sizeof (rootpath)) != Z_OK) {
655 zerror(zlogp, B_FALSE, "unable to determine zone root");
656 return (-1);
657 }
658 }
659
660 if ((rv = valid_mount_path(zlogp, rootpath, spec, dir, fstype)) < 0) {
661 zerror(zlogp, B_FALSE, "%s%s is not a valid mount point",
662 rootpath, dir);
663 return (-1);
664 } else if (rv > 0) {
665 /* The mount point path doesn't exist, create it now. */
666 if (make_one_dir(zlogp, rootpath, dir,
667 DEFAULT_DIR_MODE, DEFAULT_DIR_USER,
668 DEFAULT_DIR_GROUP) != 0) {
683 "%s%s is not a valid mount point", rootpath, dir);
684 return (-1);
685 }
686 }
687
688 if ((tmpl_fd = init_template()) == -1) {
689 zerror(zlogp, B_TRUE, "failed to create contract");
690 return (-1);
691 }
692
693 if ((child = fork()) == -1) {
694 (void) ct_tmpl_clear(tmpl_fd);
695 (void) close(tmpl_fd);
696 zerror(zlogp, B_TRUE, "failed to fork");
697 return (-1);
698
699 } else if (child == 0) { /* child */
700 char opt_buf[MAX_MNTOPT_STR];
701 int optlen = 0;
702 int mflag = MS_DATA;
703 int i;
704 int ret;
705
706 (void) ct_tmpl_clear(tmpl_fd);
707 /*
708 * Even though there are no procs running in the zone, we
709 * do this for paranoia's sake.
710 */
711 (void) closefrom(0);
712
713 if (zone_enter(zoneid) == -1) {
714 _exit(errno);
715 }
716 if (opt != NULL) {
717 /*
718 * The mount() system call is incredibly annoying.
719 * If options are specified, we need to copy them
720 * into a temporary buffer since the mount() system
721 * call will overwrite the options string. It will
722 * also fail if the new option string it wants to
723 * write is bigger than the one we passed in, so
724 * you must pass in a buffer of the maximum possible
725 * option string length. sigh.
726 */
727 (void) strlcpy(opt_buf, opt, sizeof (opt_buf));
728 opt = opt_buf;
729 optlen = MAX_MNTOPT_STR;
730 mflag = MS_OPTIONSTR;
731 }
732
733 /*
734 * There is an obscure race condition which can cause mount
735 * to return EBUSY. This happens for example on the mount
736 * of the zone's /etc/svc/volatile file system if there is
737 * a GZ process running svcs -Z, which will touch the
738 * mountpoint, just as we're trying to do the mount. To cope
739 * with this, we retry up to 3 times to let this transient
740 * process get out of the way.
741 */
742 for (i = 0; i < 3; i++) {
743 ret = 0;
744 if (mount(spec, dir, mflag, fstype, NULL, 0, opt,
745 optlen) != 0)
746 ret = errno;
747 if (ret != EBUSY)
748 break;
749 (void) sleep(1);
750 }
751 _exit(ret);
752 }
753
754 /* parent */
755 if (contract_latest(&ct) == -1)
756 ct = -1;
757 (void) ct_tmpl_clear(tmpl_fd);
758 (void) close(tmpl_fd);
759 if (waitpid(child, &child_status, 0) != child) {
760 /* unexpected: we must have been signalled */
761 (void) contract_abandon_id(ct);
762 return (-1);
763 }
764 (void) contract_abandon_id(ct);
765 if (WEXITSTATUS(child_status) != 0) {
766 errno = WEXITSTATUS(child_status);
767 zerror(zlogp, B_TRUE, "mount of %s failed", dir);
768 return (-1);
769 }
770
771 return (0);
772 }
773
774 /*
775 * env variable name format
776 * _ZONECFG;{resource name};{identifying attr. name};{property name}
777 */
778 static void
779 set_zonecfg_env(char *rsrc, char *attr, char *name, char *val)
780 {
781 char *p;
782 /* Enough for maximal name, rsrc + attr, & slop for ZONECFG & _'s */
783 char nm[2 * MAXNAMELEN + 32];
784
785 if (attr == NULL)
786 (void) snprintf(nm, sizeof (nm), "_ZONECFG_%s_%s", rsrc,
787 name);
788 else
789 (void) snprintf(nm, sizeof (nm), "_ZONECFG_%s_%s_%s", rsrc,
790 attr, name);
791
792 p = nm;
793 while ((p = strchr(p, '-')) != NULL)
794 *p++ = '_';
795
796 (void) setenv(nm, val, 1);
797 }
798
799 /*
800 * Export zonecfg network and device properties into environment for the boot
801 * and state change hooks.
802 * If debug is true, export the brand hook debug env. variable as well.
803 *
804 * We could export more of the config in the future, as necessary.
805 */
806 static int
807 setup_subproc_env()
808 {
809 int res;
810 zone_dochandle_t handle;
811 struct zone_nwiftab ntab;
812 struct zone_devtab dtab;
813 char net_resources[MAXNAMELEN * 2];
814 char dev_resources[MAXNAMELEN * 2];
815
816 if ((handle = zonecfg_init_handle()) == NULL)
817 exit(Z_NOMEM);
818
819 if ((res = zonecfg_get_handle(zone_name, handle)) != Z_OK)
820 goto done;
821
822 if ((res = zonecfg_setnwifent(handle)) != Z_OK)
823 goto done;
824
825 while (zonecfg_getnwifent(handle, &ntab) == Z_OK) {
826 struct zone_res_attrtab *rap;
827 char *phys;
828
829 phys = ntab.zone_nwif_physical;
830
831 (void) strlcat(net_resources, phys, sizeof (net_resources));
832 (void) strlcat(net_resources, " ", sizeof (net_resources));
833
834 set_zonecfg_env(RSRC_NET, phys, "physical", phys);
835
836 set_zonecfg_env(RSRC_NET, phys, "address",
837 ntab.zone_nwif_address);
838 set_zonecfg_env(RSRC_NET, phys, "allowed-address",
839 ntab.zone_nwif_allowed_address);
840 set_zonecfg_env(RSRC_NET, phys, "defrouter",
841 ntab.zone_nwif_defrouter);
842 set_zonecfg_env(RSRC_NET, phys, "global-nic",
843 ntab.zone_nwif_gnic);
844 set_zonecfg_env(RSRC_NET, phys, "mac-addr", ntab.zone_nwif_mac);
845 set_zonecfg_env(RSRC_NET, phys, "vlan-id",
846 ntab.zone_nwif_vlan_id);
847
848 for (rap = ntab.zone_nwif_attrp; rap != NULL;
849 rap = rap->zone_res_attr_next)
850 set_zonecfg_env(RSRC_NET, phys, rap->zone_res_attr_name,
851 rap->zone_res_attr_value);
852 }
853
854 (void) zonecfg_endnwifent(handle);
855
856 if ((res = zonecfg_setdevent(handle)) != Z_OK)
857 goto done;
858
859 while (zonecfg_getdevent(handle, &dtab) == Z_OK) {
860 struct zone_res_attrtab *rap;
861 char *match;
862
863 match = dtab.zone_dev_match;
864
865 (void) strlcat(dev_resources, match, sizeof (dev_resources));
866 (void) strlcat(dev_resources, " ", sizeof (dev_resources));
867
868 for (rap = dtab.zone_dev_attrp; rap != NULL;
869 rap = rap->zone_res_attr_next)
870 set_zonecfg_env(RSRC_DEV, match,
871 rap->zone_res_attr_name, rap->zone_res_attr_value);
872 }
873
874 (void) zonecfg_enddevent(handle);
875
876 res = Z_OK;
877
878 done:
879 zonecfg_fini_handle(handle);
880 return (res);
881 }
882
883 /*
884 * If retstr is not NULL, the output of the subproc is returned in the str,
885 * otherwise it is output using zerror(). Any memory allocated for retstr
886 * should be freed by the caller.
887 */
888 int
889 do_subproc(zlog_t *zlogp, char *cmdbuf, char **retstr)
890 {
891 char buf[1024]; /* arbitrary large amount */
892 char *inbuf;
893 FILE *file;
894 int status;
895 int rd_cnt;
896
897 if (retstr != NULL) {
898 if ((*retstr = malloc(1024)) == NULL) {
899 zerror(zlogp, B_FALSE, "out of memory");
900 return (-1);
901 }
902 inbuf = *retstr;
903 rd_cnt = 0;
904 } else {
905 inbuf = buf;
906 }
907
908 if (setup_subproc_env() != Z_OK) {
909 zerror(zlogp, B_FALSE, "failed to setup environment");
910 return (-1);
911 }
912
913 file = popen(cmdbuf, "r");
914 if (file == NULL) {
915 zerror(zlogp, B_TRUE, "could not launch: %s", cmdbuf);
916 return (-1);
917 }
918
919 while (fgets(inbuf, 1024, file) != NULL) {
920 if (retstr == NULL) {
921 if (zlogp != &logsys)
922 zerror(zlogp, B_FALSE, "%s", inbuf);
923 } else {
924 char *p;
925
926 rd_cnt += 1024 - 1;
927 if ((p = realloc(*retstr, rd_cnt + 1024)) == NULL) {
928 zerror(zlogp, B_FALSE, "out of memory");
929 (void) pclose(file);
930 return (-1);
931 }
932
933 *retstr = p;
934 inbuf = *retstr + rd_cnt;
935 }
936 }
937 status = pclose(file);
938
939 if (WIFSIGNALED(status)) {
940 zerror(zlogp, B_FALSE, "%s unexpectedly terminated due to "
941 "signal %d", cmdbuf, WTERMSIG(status));
942 return (-1);
943 }
944 assert(WIFEXITED(status));
945 if (WEXITSTATUS(status) == ZEXIT_EXEC) {
946 zerror(zlogp, B_FALSE, "failed to exec %s", cmdbuf);
947 return (-1);
948 }
949 return (WEXITSTATUS(status));
950 }
951
952 /*
953 * Get the app-svc-dependent flag for this zone's init process. This is a
954 * zone-specific attr which controls the type of contract we create for the
955 * zone's init. When true, the contract will include CT_PR_EV_EXIT in the fatal
956 * set, so that when any service which is in the same contract exits, the init
957 * application will be terminated.
958 *
959 * We use the global "snap_hndl", so no parameters get passed here.
960 */
961 static boolean_t
962 is_app_svc_dep(void)
963 {
964 struct zone_attrtab a;
965
966 bzero(&a, sizeof (a));
967 (void) strlcpy(a.zone_attr_name, "app-svc-dependent",
968 sizeof (a.zone_attr_name));
969
970 if (zonecfg_lookup_attr(snap_hndl, &a) == Z_OK &&
971 strcmp(a.zone_attr_value, "true") == 0) {
972 return (B_TRUE);
973 }
974
975 return (B_FALSE);
976 }
977
978 static int
979 zone_bootup(zlog_t *zlogp, const char *bootargs, int zstate)
980 {
981 zoneid_t zoneid;
982 struct stat st;
983 char rpath[MAXPATHLEN], initpath[MAXPATHLEN], init_file[MAXPATHLEN];
984 char nbootargs[BOOTARGS_MAX];
985 char cmdbuf[MAXPATHLEN];
986 fs_callback_t cb;
987 brand_handle_t bh;
988 zone_iptype_t iptype;
989 dladm_status_t status;
990 char errmsg[DLADM_STRSIZE];
991 int err;
992 boolean_t restart_init;
993 boolean_t app_svc_dep;
994
995 if (brand_prestatechg(zlogp, zstate, Z_BOOT) != 0)
996 return (-1);
997
998 if ((zoneid = getzoneidbyname(zone_name)) == -1) {
999 zerror(zlogp, B_TRUE, "unable to get zoneid");
1000 goto bad;
1001 }
1002
1003 cb.zlogp = zlogp;
1004 cb.zoneid = zoneid;
1005 cb.mount_cmd = B_FALSE;
1006
1007 /* Get a handle to the brand info for this zone */
1008 if ((bh = brand_open(brand_name)) == NULL) {
1009 zerror(zlogp, B_FALSE, "unable to determine zone brand");
1010 goto bad;
1011 }
1012
1013 /*
1014 * Get the list of filesystems to mount from the brand
1015 * configuration. These mounts are done via a thread that will
1016 * enter the zone, so they are done from within the context of the
1017 * zone.
1018 */
1019 if (brand_platform_iter_mounts(bh, mount_early_fs, &cb) != 0) {
1020 zerror(zlogp, B_FALSE, "unable to mount filesystems");
1021 brand_close(bh);
1022 goto bad;
1023 }
1024
1025 /*
1026 * Get the brand's boot callback if it exists.
1027 */
1028 (void) strcpy(cmdbuf, EXEC_PREFIX);
1029 if (brand_get_boot(bh, zone_name, zonepath, cmdbuf + EXEC_LEN,
1030 sizeof (cmdbuf) - EXEC_LEN) != 0) {
1031 zerror(zlogp, B_FALSE,
1032 "unable to determine branded zone's boot callback");
1033 brand_close(bh);
1034 goto bad;
1035 }
1036
1037 /* Get the path for this zone's init(1M) (or equivalent) process. */
1038 if (brand_get_initname(bh, init_file, MAXPATHLEN) != 0) {
1039 zerror(zlogp, B_FALSE,
1040 "unable to determine zone's init(1M) location");
1041 brand_close(bh);
1042 goto bad;
1043 }
1044
1045 /* See if this zone's brand should restart init if it dies. */
1046 restart_init = brand_restartinit(bh);
1047
1048 /*
1049 * See if we need to setup contract dependencies between the zone's
1050 * primary application and any of its services.
1051 */
1052 app_svc_dep = is_app_svc_dep();
1053
1054 brand_close(bh);
1055
1056 err = filter_bootargs(zlogp, bootargs, nbootargs, init_file);
1057 if (err != Z_OK)
1058 goto bad;
1059
1060 assert(init_file[0] != '\0');
1061
1062 /*
1063 * Try to anticipate possible problems: If possible, make sure init is
1064 * executable.
1065 */
1066 if (zone_get_rootpath(zone_name, rpath, sizeof (rpath)) != Z_OK) {
1067 zerror(zlogp, B_FALSE, "unable to determine zone root");
1068 goto bad;
1069 }
1070
1071 (void) snprintf(initpath, sizeof (initpath), "%s%s", rpath, init_file);
1072
1073 if (lstat(initpath, &st) == -1) {
1074 zerror(zlogp, B_TRUE, "could not stat %s", initpath);
1075 goto bad;
1076 }
1077
1078 /*
1079 * If a symlink, we'll have to wait and resolve when we boot,
1080 * otherwise check the executable bits now.
1081 */
1082 if ((st.st_mode & S_IFMT) != S_IFLNK && (st.st_mode & S_IXUSR) == 0) {
1083 zerror(zlogp, B_FALSE, "%s is not executable", initpath);
1084 goto bad;
1085 }
1086
1087 /*
1088 * Exclusive stack zones interact with the dlmgmtd running in the
1089 * global zone. dladm_zone_boot() tells dlmgmtd that this zone is
1090 * booting, and loads its datalinks from the zone's datalink
1091 * configuration file.
1092 */
1093 if (vplat_get_iptype(zlogp, &iptype) == 0 && iptype == ZS_EXCLUSIVE) {
1094 status = dladm_zone_boot(dld_handle, zoneid);
1095 if (status != DLADM_STATUS_OK) {
1096 zerror(zlogp, B_FALSE, "unable to load zone datalinks: "
1097 " %s", dladm_status2str(status, errmsg));
1098 goto bad;
1099 }
1100 }
1101
1102 /*
1103 * If there is a brand 'boot' callback, execute it now to give the
1104 * brand one last chance to do any additional setup before the zone
1105 * is booted.
1106 */
1107 if ((strlen(cmdbuf) > EXEC_LEN) &&
1108 (do_subproc(zlogp, cmdbuf, NULL) != Z_OK)) {
1109 zerror(zlogp, B_FALSE, "%s failed", cmdbuf);
1110 goto bad;
1111 }
1112
1113 if (zone_setattr(zoneid, ZONE_ATTR_INITNAME, init_file, 0) == -1) {
1114 zerror(zlogp, B_TRUE, "could not set zone boot file");
1115 goto bad;
1116 }
1117
1118 if (zone_setattr(zoneid, ZONE_ATTR_BOOTARGS, nbootargs, 0) == -1) {
1119 zerror(zlogp, B_TRUE, "could not set zone boot arguments");
1120 goto bad;
1121 }
1122
1123 if (!restart_init && zone_setattr(zoneid, ZONE_ATTR_INITNORESTART,
1124 NULL, 0) == -1) {
1125 zerror(zlogp, B_TRUE, "could not set zone init-no-restart");
1126 goto bad;
1127 }
1128
1129 if (app_svc_dep && zone_setattr(zoneid, ZONE_ATTR_APP_SVC_CT,
1130 (void *)B_TRUE, sizeof (boolean_t)) == -1) {
1131 zerror(zlogp, B_TRUE, "could not set zone app-die");
1132 goto bad;
1133 }
1134
1135 /*
1136 * Inform zonestatd of a new zone so that it can install a door for
1137 * the zone to contact it.
1138 */
1139 notify_zonestatd(zone_id);
1140
1141 if (zone_boot(zoneid) == -1) {
1142 zerror(zlogp, B_TRUE, "unable to boot zone");
1143 goto bad;
1144 }
1145
1146 if (brand_poststatechg(zlogp, zstate, Z_BOOT) != 0)
1147 goto bad;
1148
1149 /* Startup a thread to perform zfd logging/tty svc for the zone. */
1150 create_log_thread(zlogp, zone_id);
1151
1152 /* Startup a thread to perform memory capping for the zone. */
1153 create_mcap_thread(zlogp, zone_id);
1154
1155 return (0);
1156
1157 bad:
1158 /*
1159 * If something goes wrong, we up the zones's state to the target
1160 * state, RUNNING, and then invoke the hook as if we're halting.
1161 */
1162 (void) brand_poststatechg(zlogp, ZONE_STATE_RUNNING, Z_HALT);
1163
1164 return (-1);
1165 }
1166
1167 static int
1168 zone_halt(zlog_t *zlogp, boolean_t unmount_cmd, boolean_t rebooting, int zstate)
1169 {
1170 int err;
1171
1172 if (unmount_cmd == B_FALSE &&
1173 brand_prestatechg(zlogp, zstate, Z_HALT) != 0)
1174 return (-1);
1175
1176 /* Shutting down, stop the memcap thread */
1177 destroy_mcap_thread();
1178
1179 if (vplat_teardown(zlogp, unmount_cmd, rebooting) != 0) {
1180 if (!bringup_failure_recovery)
1181 zerror(zlogp, B_FALSE, "unable to destroy zone");
1182 destroy_log_thread();
1183 return (-1);
1184 }
1185
1186 /* Shut down is done, stop the log thread */
1187 destroy_log_thread();
1188
1189 if (unmount_cmd == B_FALSE &&
1190 brand_poststatechg(zlogp, zstate, Z_HALT) != 0)
1191 return (-1);
1192
1193 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK)
1194 zerror(zlogp, B_FALSE, "destroying snapshot: %s",
1195 zonecfg_strerror(err));
1196
1197 return (0);
1198 }
1199
1200 static int
1201 zone_graceful_shutdown(zlog_t *zlogp)
1202 {
1203 zoneid_t zoneid;
1204 pid_t child;
1205 char cmdbuf[MAXPATHLEN];
1206 brand_handle_t bh = NULL;
1207 ctid_t ct;
1208 int tmpl_fd;
1209 int child_status;
1210
1211 if (shutdown_in_progress) {
1212 zerror(zlogp, B_FALSE, "shutdown already in progress");
1213 return (-1);
1214 }
1215
1216 if ((zoneid = getzoneidbyname(zone_name)) == -1) {
1217 zerror(zlogp, B_TRUE, "unable to get zoneid");
1218 return (-1);
1219 }
1220
1221 /* Get a handle to the brand info for this zone */
1222 if ((bh = brand_open(brand_name)) == NULL) {
1223 zerror(zlogp, B_FALSE, "unable to determine zone brand");
1224 return (-1);
1225 }
1226
1227 /*
1228 * If there is a brand 'shutdown' callback, execute it now to give the
1229 * brand a chance to cleanup any custom configuration.
1230 */
1231 (void) strcpy(cmdbuf, EXEC_PREFIX);
1232 if (brand_get_shutdown(bh, zone_name, zonepath, cmdbuf + EXEC_LEN,
1233 sizeof (cmdbuf) - EXEC_LEN) != 0 || strlen(cmdbuf) <= EXEC_LEN) {
1234 (void) strcat(cmdbuf, SHUTDOWN_DEFAULT);
1235 }
1236 brand_close(bh);
1237
1238 if ((tmpl_fd = init_template()) == -1) {
1239 zerror(zlogp, B_TRUE, "failed to create contract");
1240 return (-1);
1241 }
1242
1243 if ((child = fork()) == -1) {
1244 (void) ct_tmpl_clear(tmpl_fd);
1245 (void) close(tmpl_fd);
1246 zerror(zlogp, B_TRUE, "failed to fork");
1247 return (-1);
1248 } else if (child == 0) {
1249 (void) ct_tmpl_clear(tmpl_fd);
1250 if (zone_enter(zoneid) == -1) {
1251 _exit(errno);
1252 }
1350 }
1351
1352 event = adt_alloc_event(ah, ADT_zone_state);
1353 if (event == NULL) {
1354 zerror(zlogp, B_TRUE, gettext("audit failure."));
1355 (void) adt_end_session(ah);
1356 return;
1357 }
1358 event->adt_zone_state.zonename = zone_name;
1359 event->adt_zone_state.new_state = new_state;
1360
1361 if (adt_put_event(event, pass_fail, fail_reason))
1362 zerror(zlogp, B_TRUE, gettext("audit failure."));
1363
1364 adt_free_event(event);
1365
1366 (void) adt_end_session(ah);
1367 }
1368
1369 /*
1370 * Log the exit time and status of the zone's init process into
1371 * {zonepath}/lastexited. If the zone shutdown normally, the exit status will
1372 * be -1, otherwise it will be the exit status as described in wait.3c.
1373 * If the zone is configured to restart init, then nothing will be logged if
1374 * init exits unexpectedly (the kernel will never upcall in this case).
1375 */
1376 static void
1377 log_init_exit(int status)
1378 {
1379 char p[MAXPATHLEN];
1380 char buf[128];
1381 struct timeval t;
1382 int fd;
1383
1384 if (snprintf(p, sizeof (p), "%s/lastexited", zonepath) > sizeof (p))
1385 return;
1386 if (gettimeofday(&t, NULL) != 0)
1387 return;
1388 if (snprintf(buf, sizeof (buf), "%ld.%ld %d\n", t.tv_sec, t.tv_usec,
1389 status) > sizeof (buf))
1390 return;
1391 if ((fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0644)) < 0)
1392 return;
1393
1394 (void) write(fd, buf, strlen(buf));
1395
1396 (void) close(fd);
1397 }
1398
1399 /*
1400 * The main routine for the door server that deals with zone state transitions.
1401 */
1402 /* ARGSUSED */
1403 static void
1404 server(void *cookie, char *args, size_t alen, door_desc_t *dp,
1405 uint_t n_desc)
1406 {
1407 ucred_t *uc = NULL;
1408 const priv_set_t *eset;
1409
1410 zone_state_t zstate;
1411 zone_cmd_t cmd;
1412 int init_status;
1413 zone_cmd_arg_t *zargp;
1414
1415 boolean_t kernelcall;
1416
1417 int rval = -1;
1418 uint64_t uniqid;
1419 zoneid_t zoneid = -1;
1420 zlog_t zlog;
1421 zlog_t *zlogp;
1422 zone_cmd_rval_t *rvalp;
1423 size_t rlen = getpagesize(); /* conservative */
1424 fs_callback_t cb;
1425 brand_handle_t bh;
1426 boolean_t wait_shut = B_FALSE;
1427
1428 /* LINTED E_BAD_PTR_CAST_ALIGN */
1429 zargp = (zone_cmd_arg_t *)args;
1430
1431 /*
1432 * When we get the door unref message, we've fdetach'd the door, and
1445
1446 rvalp = alloca(rlen);
1447 bzero(rvalp, rlen);
1448 zlog.logfile = NULL;
1449 zlog.buflen = zlog.loglen = rlen - sizeof (zone_cmd_rval_t) + 1;
1450 zlog.buf = rvalp->errbuf;
1451 zlog.log = zlog.buf;
1452 /* defer initialization of zlog.locale until after credential check */
1453 zlogp = &zlog;
1454
1455 if (alen != sizeof (zone_cmd_arg_t)) {
1456 /*
1457 * This really shouldn't be happening.
1458 */
1459 zerror(&logsys, B_FALSE, "argument size (%d bytes) "
1460 "unexpected (expected %d bytes)", alen,
1461 sizeof (zone_cmd_arg_t));
1462 goto out;
1463 }
1464 cmd = zargp->cmd;
1465 init_status = zargp->status;
1466
1467 if (door_ucred(&uc) != 0) {
1468 zerror(&logsys, B_TRUE, "door_ucred");
1469 goto out;
1470 }
1471 eset = ucred_getprivset(uc, PRIV_EFFECTIVE);
1472 if (ucred_getzoneid(uc) != GLOBAL_ZONEID ||
1473 (eset != NULL ? !priv_ismember(eset, PRIV_SYS_CONFIG) :
1474 ucred_geteuid(uc) != 0)) {
1475 zerror(&logsys, B_FALSE, "insufficient privileges");
1476 goto out;
1477 }
1478
1479 kernelcall = ucred_getpid(uc) == 0;
1480
1481 /*
1482 * This is safe because we only use a zlog_t throughout the
1483 * duration of a door call; i.e., by the time the pointer
1484 * might become invalid, the door call would be over.
1485 */
1555 zstate = ZONE_STATE_INSTALLED;
1556
1557 switch (zstate) {
1558 case ZONE_STATE_CONFIGURED:
1559 case ZONE_STATE_INCOMPLETE:
1560 /*
1561 * Not our area of expertise; we just print a nice message
1562 * and die off.
1563 */
1564 zerror(zlogp, B_FALSE,
1565 "%s operation is invalid for zones in state '%s'",
1566 z_cmd_name(cmd), zone_state_str(zstate));
1567 break;
1568
1569 case ZONE_STATE_INSTALLED:
1570 switch (cmd) {
1571 case Z_READY:
1572 rval = zone_ready(zlogp, Z_MNT_BOOT, zstate);
1573 if (rval == 0)
1574 eventstream_write(Z_EVT_ZONE_READIED);
1575 zcons_statechanged();
1576 break;
1577 case Z_BOOT:
1578 case Z_FORCEBOOT:
1579 eventstream_write(Z_EVT_ZONE_BOOTING);
1580 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate))
1581 == 0) {
1582 rval = zone_bootup(zlogp, zargp->bootbuf,
1583 zstate);
1584 }
1585 audit_put_record(zlogp, uc, rval, "boot");
1586 zcons_statechanged();
1587 if (rval != 0) {
1588 bringup_failure_recovery = B_TRUE;
1589 (void) zone_halt(zlogp, B_FALSE, B_FALSE,
1590 zstate);
1591 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1592 }
1593 break;
1594 case Z_SHUTDOWN:
1595 case Z_HALT:
1596 if (kernelcall) /* Invalid; can't happen */
1597 abort();
1598 /*
1599 * We could have two clients racing to halt this
1600 * zone; the second client loses, but his request
1601 * doesn't fail, since the zone is now in the desired
1602 * state.
1603 */
1604 zerror(zlogp, B_FALSE, "zone is already halted");
1605 rval = 0;
1606 break;
1689 break;
1690
1691 case ZONE_STATE_READY:
1692 switch (cmd) {
1693 case Z_READY:
1694 /*
1695 * We could have two clients racing to ready this
1696 * zone; the second client loses, but his request
1697 * doesn't fail, since the zone is now in the desired
1698 * state.
1699 */
1700 zerror(zlogp, B_FALSE, "zone is already ready");
1701 rval = 0;
1702 break;
1703 case Z_BOOT:
1704 (void) strlcpy(boot_args, zargp->bootbuf,
1705 sizeof (boot_args));
1706 eventstream_write(Z_EVT_ZONE_BOOTING);
1707 rval = zone_bootup(zlogp, zargp->bootbuf, zstate);
1708 audit_put_record(zlogp, uc, rval, "boot");
1709 zcons_statechanged();
1710 if (rval != 0) {
1711 bringup_failure_recovery = B_TRUE;
1712 (void) zone_halt(zlogp, B_FALSE, B_TRUE,
1713 zstate);
1714 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1715 }
1716 boot_args[0] = '\0';
1717 break;
1718 case Z_HALT:
1719 if (kernelcall) /* Invalid; can't happen */
1720 abort();
1721 if ((rval = zone_halt(zlogp, B_FALSE, B_FALSE, zstate))
1722 != 0)
1723 break;
1724 zcons_statechanged();
1725 eventstream_write(Z_EVT_ZONE_HALTED);
1726 break;
1727 case Z_SHUTDOWN:
1728 case Z_REBOOT:
1729 case Z_NOTE_UNINSTALLING:
1730 case Z_MOUNT:
1731 case Z_UNMOUNT:
1732 if (kernelcall) /* Invalid; can't happen */
1733 abort();
1734 zerror(zlogp, B_FALSE, "%s operation is invalid "
1735 "for zones in state '%s'", z_cmd_name(cmd),
1736 zone_state_str(zstate));
1737 rval = -1;
1738 break;
1739 }
1740 break;
1741
1742 case ZONE_STATE_MOUNTED:
1743 switch (cmd) {
1744 case Z_UNMOUNT:
1752 break;
1753 default:
1754 if (kernelcall) /* Invalid; can't happen */
1755 abort();
1756 zerror(zlogp, B_FALSE, "%s operation is invalid "
1757 "for zones in state '%s'", z_cmd_name(cmd),
1758 zone_state_str(zstate));
1759 rval = -1;
1760 break;
1761 }
1762 break;
1763
1764 case ZONE_STATE_RUNNING:
1765 case ZONE_STATE_SHUTTING_DOWN:
1766 case ZONE_STATE_DOWN:
1767 switch (cmd) {
1768 case Z_READY:
1769 if ((rval = zone_halt(zlogp, B_FALSE, B_TRUE, zstate))
1770 != 0)
1771 break;
1772 zcons_statechanged();
1773 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate)) == 0)
1774 eventstream_write(Z_EVT_ZONE_READIED);
1775 else
1776 eventstream_write(Z_EVT_ZONE_HALTED);
1777 break;
1778 case Z_BOOT:
1779 /*
1780 * We could have two clients racing to boot this
1781 * zone; the second client loses, but his request
1782 * doesn't fail, since the zone is now in the desired
1783 * state.
1784 */
1785 zerror(zlogp, B_FALSE, "zone is already booted");
1786 rval = 0;
1787 break;
1788 case Z_HALT:
1789 if (kernelcall) {
1790 log_init_exit(init_status);
1791 } else {
1792 log_init_exit(-1);
1793 }
1794 if ((rval = zone_halt(zlogp, B_FALSE, B_FALSE, zstate))
1795 != 0)
1796 break;
1797 eventstream_write(Z_EVT_ZONE_HALTED);
1798 zcons_statechanged();
1799 break;
1800 case Z_REBOOT:
1801 (void) strlcpy(boot_args, zargp->bootbuf,
1802 sizeof (boot_args));
1803 eventstream_write(Z_EVT_ZONE_REBOOTING);
1804 if ((rval = zone_halt(zlogp, B_FALSE, B_TRUE, zstate))
1805 != 0) {
1806 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1807 boot_args[0] = '\0';
1808 break;
1809 }
1810 zcons_statechanged();
1811 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate)) !=
1812 0) {
1813 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1814 boot_args[0] = '\0';
1815 break;
1816 }
1817 rval = zone_bootup(zlogp, zargp->bootbuf, zstate);
1818 audit_put_record(zlogp, uc, rval, "reboot");
1819 if (rval != 0) {
1820 (void) zone_halt(zlogp, B_FALSE, B_TRUE,
1821 zstate);
1822 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1823 }
1824 boot_args[0] = '\0';
1825 break;
1826 case Z_SHUTDOWN:
1827 if ((rval = zone_graceful_shutdown(zlogp)) == 0) {
1828 wait_shut = B_TRUE;
1829 }
1830 break;
1831 case Z_NOTE_UNINSTALLING:
1832 case Z_MOUNT:
1976 * which will try again (by which time zoneadmd
1977 * will hopefully have exited).
1978 */
1979 goto out;
1980 }
1981
1982 /*
1983 * If we got this far, there's a fattach(3c)'ed door
1984 * that belongs to a process that has exited, which can
1985 * happen if the previous zoneadmd died unexpectedly.
1986 *
1987 * Let user know that something is amiss, but that we can
1988 * recover; if the zone is in the installed state, then don't
1989 * message, since having a running zoneadmd isn't really
1990 * expected/needed. We want to keep occurences of this message
1991 * limited to times when zoneadmd is picking back up from a
1992 * zoneadmd that died while the zone was in some non-trivial
1993 * state.
1994 */
1995 if (zstate > ZONE_STATE_INSTALLED) {
1996 static zoneid_t zid;
1997
1998 zerror(zlogp, B_FALSE,
1999 "zone '%s': WARNING: zone is in state '%s', but "
2000 "zoneadmd does not appear to be available; "
2001 "restarted zoneadmd to recover.",
2002 zone_name, zone_state_str(zstate));
2003
2004 /*
2005 * Startup a thread to perform the zfd logging/tty svc
2006 * and a thread to perform memory capping for the
2007 * zone. zlogp won't be valid for much longer so use
2008 * logsys.
2009 */
2010 if ((zid = getzoneidbyname(zone_name)) != -1) {
2011 create_log_thread(&logsys, zid);
2012 create_mcap_thread(&logsys, zid);
2013 }
2014
2015 /* recover the global configuration snapshot */
2016 if (snap_hndl == NULL) {
2017 if ((snap_hndl = zonecfg_init_handle())
2018 == NULL ||
2019 zonecfg_create_snapshot(zone_name)
2020 != Z_OK ||
2021 zonecfg_get_snapshot_handle(zone_name,
2022 snap_hndl) != Z_OK) {
2023 zerror(zlogp, B_FALSE, "recovering "
2024 "zone configuration handle");
2025 goto out;
2026 }
2027 }
2028 }
2029
2030 (void) fdetach(zone_door_path);
2031 (void) close(doorfd);
2032 goto top;
2033 }
2034 ret = 0;
2035 out:
2036 (void) close(doorfd);
2037 return (ret);
2038 }
2039
2040 /*
2041 * Setup the brand's pre and post state change callbacks, as well as the
2042 * query callback, if any of these exist.
2043 */
2044 static int
2045 brand_callback_init(brand_handle_t bh, char *zone_name)
2046 {
2047 (void) strlcpy(pre_statechg_hook, EXEC_PREFIX,
2048 sizeof (pre_statechg_hook));
2049
2050 if (brand_get_prestatechange(bh, zone_name, zonepath,
2051 pre_statechg_hook + EXEC_LEN,
2052 sizeof (pre_statechg_hook) - EXEC_LEN) != 0)
2053 return (-1);
2054
2055 if (strlen(pre_statechg_hook) <= EXEC_LEN)
2056 pre_statechg_hook[0] = '\0';
2057
2058 (void) strlcpy(post_statechg_hook, EXEC_PREFIX,
2059 sizeof (post_statechg_hook));
2060
2061 if (brand_get_poststatechange(bh, zone_name, zonepath,
2062 post_statechg_hook + EXEC_LEN,
2063 sizeof (post_statechg_hook) - EXEC_LEN) != 0)
2064 return (-1);
2065
2066 if (strlen(post_statechg_hook) <= EXEC_LEN)
2067 post_statechg_hook[0] = '\0';
2068
2069 (void) strlcpy(query_hook, EXEC_PREFIX,
2070 sizeof (query_hook));
2071
2072 if (brand_get_query(bh, zone_name, zonepath, query_hook + EXEC_LEN,
2073 sizeof (query_hook) - EXEC_LEN) != 0)
2074 return (-1);
2075
2076 if (strlen(query_hook) <= EXEC_LEN)
2077 query_hook[0] = '\0';
2078
2079 return (0);
2080 }
2081
2082 int
2083 main(int argc, char *argv[])
2084 {
2085 int opt;
2086 zoneid_t zid;
2087 priv_set_t *privset;
2088 zone_state_t zstate;
2089 char parents_locale[MAXPATHLEN];
2090 brand_handle_t bh;
2091 int err;
2092
2180 }
2181
2182 if (zone_get_id(zone_name, &zid) != 0) {
2183 zerror(zlogp, B_FALSE, "could not manage %s: %s", zone_name,
2184 zonecfg_strerror(Z_NO_ZONE));
2185 return (1);
2186 }
2187
2188 if ((err = zone_get_state(zone_name, &zstate)) != Z_OK) {
2189 zerror(zlogp, B_FALSE, "failed to get zone state: %s",
2190 zonecfg_strerror(err));
2191 return (1);
2192 }
2193 if (zstate < ZONE_STATE_INCOMPLETE) {
2194 zerror(zlogp, B_FALSE,
2195 "cannot manage a zone which is in state '%s'",
2196 zone_state_str(zstate));
2197 return (1);
2198 }
2199
2200 if (zone_get_zonepath(zone_name, zonepath, sizeof (zonepath)) != Z_OK) {
2201 zerror(zlogp, B_FALSE, "unable to determine zone path");
2202 return (-1);
2203 }
2204
2205 if (zonecfg_default_brand(default_brand,
2206 sizeof (default_brand)) != Z_OK) {
2207 zerror(zlogp, B_FALSE, "unable to determine default brand");
2208 return (1);
2209 }
2210
2211 /* Get a handle to the brand info for this zone */
2212 if (zone_get_brand(zone_name, brand_name, sizeof (brand_name))
2213 != Z_OK) {
2214 zerror(zlogp, B_FALSE, "unable to determine zone brand");
2215 return (1);
2216 }
2217 zone_isnative = (strcmp(brand_name, NATIVE_BRAND_NAME) == 0);
2218 zone_islabeled = (strcmp(brand_name, LABELED_BRAND_NAME) == 0);
2219
2220 /*
2221 * In the alternate root environment, the only supported
2222 * operations are mount and unmount. In this case, just treat
2223 * the zone as native if it is cluster. Cluster zones can be
2224 * native for the purpose of LU or upgrade, and the cluster
|