1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 * Copyright 2012 Joyent, Inc. All rights reserved.
26 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
27 */
28
29 /*
30 * Console support for zones requires a significant infrastructure. The
31 * core pieces are contained in this file, but other portions of note
32 * are in the zlogin(1M) command, the zcons(7D) driver, and in the
33 * devfsadm(1M) misc_link generator.
34 *
35 * Care is taken to make the console behave in an "intuitive" fashion for
36 * administrators. Essentially, we try as much as possible to mimic the
37 * experience of using a system via a tip line and system controller.
38 *
39 * The zone console architecture looks like this:
40 *
41 * Global Zone | Non-Global Zone
42 * .--------------. |
43 * .-----------. | zoneadmd -z | | .--------. .---------.
44 * | zlogin -C | | myzone | | | ttymon | | syslogd |
45 * `-----------' `--------------' | `--------' `---------'
46 * | | | | | | |
47 * User | | | | | V V
48 * - - - - - - - - -|- - - -|- - - -|-|- - - - - - -|- - /dev/zconsole - - -
49 * Kernel V V | | |
50 * [AF_UNIX Socket] | `--------. .-------------'
51 * | | |
52 * | V V
53 * | +-----------+
54 * | | ldterm, |
55 * | | etc. |
56 * | +-----------+
57 * | +-[Anchor]--+
58 * | | ptem |
59 * V +-----------+
60 * +---master---+---slave---+
61 * | |
62 * | zcons driver |
63 * | zonename="myzone" |
64 * +------------------------+
65 *
66 * There are basically two major tasks which the console subsystem in
67 * zoneadmd accomplishes:
68 *
69 * - Setup and teardown of zcons driver instances. One zcons instance
70 * is maintained per zone; we take advantage of the libdevice APIs
71 * to online new instances of zcons as needed. Care is taken to
72 * prune and manage these appropriately; see init_console_dev() and
73 * destroy_console_dev(). The end result is the creation of the
74 * zcons(7D) instance and an open file descriptor to the master side.
75 * zcons instances are associated with zones via their zonename device
76 * property. This the console instance to persist across reboots,
77 * and while the zone is halted.
78 *
79 * - Acting as a server for 'zlogin -C' instances. When zlogin -C is
80 * run, zlogin connects to zoneadmd via unix domain socket. zoneadmd
81 * functions as a two-way proxy for console I/O, relaying user input
82 * to the master side of the console, and relaying output from the
83 * zone to the user.
84 */
85
86 #include <sys/types.h>
87 #include <sys/socket.h>
88 #include <sys/stat.h>
89 #include <sys/termios.h>
90 #include <sys/zcons.h>
91 #include <sys/mkdev.h>
92
93 #include <assert.h>
94 #include <ctype.h>
95 #include <errno.h>
96 #include <fcntl.h>
97 #include <stdarg.h>
98 #include <stdio.h>
99 #include <stdlib.h>
100 #include <strings.h>
101 #include <stropts.h>
102 #include <thread.h>
103 #include <ucred.h>
104 #include <unistd.h>
105 #include <zone.h>
106
107 #include <libdevinfo.h>
108 #include <libdevice.h>
109 #include <libzonecfg.h>
110
111 #include <syslog.h>
112 #include <sys/modctl.h>
113
114 #include "zoneadmd.h"
115
116 #define ZCONSNEX_DEVTREEPATH "/pseudo/zconsnex@1"
117 #define ZCONSNEX_FILEPATH "/devices/pseudo/zconsnex@1"
118
119 #define CONSOLE_SOCKPATH ZONES_TMPDIR "/%s.console_sock"
120
121 static int serverfd = -1; /* console server unix domain socket fd */
122 char boot_args[BOOTARGS_MAX];
123 char bad_boot_arg[BOOTARGS_MAX];
124
125 /*
126 * The eventstream is a simple one-directional flow of messages from the
127 * door server to the console subsystem, implemented with a pipe.
128 * It is used to wake up the console poller when it needs to take action,
129 * message the user, die off, etc.
130 */
131 static int eventstream[2];
132
133
134
135 int
eventstream_init()136 eventstream_init()
137 {
138 if (pipe(eventstream) == -1)
139 return (-1);
140 return (0);
141 }
142
143 void
eventstream_write(zone_evt_t evt)144 eventstream_write(zone_evt_t evt)
145 {
146 (void) write(eventstream[0], &evt, sizeof (evt));
147 }
148
149 static zone_evt_t
eventstream_read(void)150 eventstream_read(void)
151 {
152 zone_evt_t evt = Z_EVT_NULL;
153
154 (void) read(eventstream[1], &evt, sizeof (evt));
155 return (evt);
156 }
157
158 /*
159 * count_console_devs() and its helper count_cb() do a walk of the
160 * subtree of the device tree where zone console nodes are represented.
161 * The goal is to count zone console instances already setup for a zone
162 * with the given name. More than 1 is anomolous, and our caller will
163 * have to deal with that if we find that's the case.
164 *
165 * Note: this algorithm is a linear search of nodes in the zconsnex subtree
166 * of the device tree, and could be a scalability problem, but I don't see
167 * how to avoid it.
168 */
169
170 /*
171 * cb_data is shared by count_cb and destroy_cb for simplicity.
172 */
173 struct cb_data {
174 zlog_t *zlogp;
175 int found;
176 int killed;
177 };
178
179 static int
count_cb(di_node_t node,void * arg)180 count_cb(di_node_t node, void *arg)
181 {
182 struct cb_data *cb = (struct cb_data *)arg;
183 char *prop_data;
184
185 if (di_prop_lookup_strings(DDI_DEV_T_ANY, node, "zonename",
186 &prop_data) != -1) {
187 assert(prop_data != NULL);
188 if (strcmp(prop_data, zone_name) == 0) {
189 cb->found++;
190 return (DI_WALK_CONTINUE);
191 }
192 }
193 return (DI_WALK_CONTINUE);
194 }
195
196 static int
count_console_devs(zlog_t * zlogp)197 count_console_devs(zlog_t *zlogp)
198 {
199 di_node_t root;
200 struct cb_data cb;
201
202 bzero(&cb, sizeof (cb));
203 cb.zlogp = zlogp;
204
205 if ((root = di_init(ZCONSNEX_DEVTREEPATH, DINFOCPYALL)) ==
206 DI_NODE_NIL) {
207 zerror(zlogp, B_TRUE, "%s failed", "di_init");
208 return (-1);
209 }
210
211 (void) di_walk_node(root, DI_WALK_CLDFIRST, (void *)&cb, count_cb);
212 di_fini(root);
213 return (cb.found);
214 }
215
216 /*
217 * destroy_console_devs() and its helper destroy_cb() tears down any console
218 * instances associated with this zone. If things went very wrong, we
219 * might have more than one console instance hanging around. This routine
220 * hunts down and tries to remove all of them. Of course, if the console
221 * is open, the instance will not detach, which is a potential issue.
222 */
223 static int
destroy_cb(di_node_t node,void * arg)224 destroy_cb(di_node_t node, void *arg)
225 {
226 struct cb_data *cb = (struct cb_data *)arg;
227 char *prop_data;
228 char *tmp;
229 char devpath[MAXPATHLEN];
230 devctl_hdl_t hdl;
231
232 if (di_prop_lookup_strings(DDI_DEV_T_ANY, node, "zonename",
233 &prop_data) == -1)
234 return (DI_WALK_CONTINUE);
235
236 assert(prop_data != NULL);
237 if (strcmp(prop_data, zone_name) != 0) {
238 /* this is the console for a different zone */
239 return (DI_WALK_CONTINUE);
240 }
241
242 cb->found++;
243 tmp = di_devfs_path(node);
244 (void) snprintf(devpath, sizeof (devpath), "/devices/%s", tmp);
245 di_devfs_path_free(tmp);
246
247 if ((hdl = devctl_device_acquire(devpath, 0)) == NULL) {
248 zerror(cb->zlogp, B_TRUE, "WARNING: console %s found, "
249 "but it could not be controlled.", devpath);
250 return (DI_WALK_CONTINUE);
251 }
252 if (devctl_device_remove(hdl) == 0) {
253 cb->killed++;
254 } else {
255 zerror(cb->zlogp, B_TRUE, "WARNING: console %s found, "
256 "but it could not be removed.", devpath);
257 }
258 devctl_release(hdl);
259 return (DI_WALK_CONTINUE);
260 }
261
262 static int
destroy_console_devs(zlog_t * zlogp)263 destroy_console_devs(zlog_t *zlogp)
264 {
265 char conspath[MAXPATHLEN];
266 di_node_t root;
267 struct cb_data cb;
268 int masterfd;
269 int slavefd;
270
271 /*
272 * Signal the master side to release its handle on the slave side by
273 * issuing a ZC_RELEASESLAVE ioctl.
274 */
275 (void) snprintf(conspath, sizeof (conspath), "/dev/zcons/%s/%s",
276 zone_name, ZCONS_MASTER_NAME);
277 if ((masterfd = open(conspath, O_RDWR | O_NOCTTY)) != -1) {
278 (void) snprintf(conspath, sizeof (conspath), "/dev/zcons/%s/%s",
279 zone_name, ZCONS_SLAVE_NAME);
280 if ((slavefd = open(conspath, O_RDWR | O_NOCTTY)) != -1) {
281 if (ioctl(masterfd, ZC_RELEASESLAVE,
282 (caddr_t)(intptr_t)slavefd) != 0)
283 zerror(zlogp, B_TRUE, "WARNING: error while "
284 "releasing slave handle of zone console for"
285 " %s", zone_name);
286 (void) close(slavefd);
287 } else {
288 zerror(zlogp, B_TRUE, "WARNING: could not open slave "
289 "side of zone console for %s to release slave "
290 "handle", zone_name);
291 }
292 (void) close(masterfd);
293 } else {
294 zerror(zlogp, B_TRUE, "WARNING: could not open master side of "
295 "zone console for %s to release slave handle", zone_name);
296 }
297
298 bzero(&cb, sizeof (cb));
299 cb.zlogp = zlogp;
300
301 if ((root = di_init(ZCONSNEX_DEVTREEPATH, DINFOCPYALL)) ==
302 DI_NODE_NIL) {
303 zerror(zlogp, B_TRUE, "%s failed", "di_init");
304 return (-1);
305 }
306
307 (void) di_walk_node(root, DI_WALK_CLDFIRST, (void *)&cb, destroy_cb);
308 if (cb.found > 1) {
309 zerror(zlogp, B_FALSE, "WARNING: multiple zone console "
310 "instances detected for zone '%s'; %d of %d "
311 "successfully removed.",
312 zone_name, cb.killed, cb.found);
313 }
314
315 di_fini(root);
316 return (0);
317 }
318
319 /*
320 * init_console_dev() drives the device-tree configuration of the zone
321 * console device. The general strategy is to use the libdevice (devctl)
322 * interfaces to instantiate a new zone console node. We do a lot of
323 * sanity checking, and are careful to reuse a console if one exists.
324 *
325 * Once the device is in the device tree, we kick devfsadm via di_init_devs()
326 * to ensure that the appropriate symlinks (to the master and slave console
327 * devices) are placed in /dev in the global zone.
328 */
329 static int
init_console_dev(zlog_t * zlogp)330 init_console_dev(zlog_t *zlogp)
331 {
332 char conspath[MAXPATHLEN];
333 devctl_hdl_t bus_hdl = NULL;
334 devctl_hdl_t dev_hdl = NULL;
335 devctl_ddef_t ddef_hdl = NULL;
336 di_devlink_handle_t dl = NULL;
337 int rv = -1;
338 int ndevs;
339 int masterfd;
340 int slavefd;
341 int i;
342
343 /*
344 * Don't re-setup console if it is working and ready already; just
345 * skip ahead to making devlinks, which we do for sanity's sake.
346 */
347 ndevs = count_console_devs(zlogp);
348 if (ndevs == 1) {
349 goto devlinks;
350 } else if (ndevs > 1 || ndevs == -1) {
351 /*
352 * For now, this seems like a reasonable but harsh punishment.
353 * If needed, we could try to get clever and delete all but
354 * the console which is pointed at by the current symlink.
355 */
356 if (destroy_console_devs(zlogp) == -1) {
357 goto error;
358 }
359 }
360
361 /*
362 * Time to make the consoles!
363 */
364 if ((bus_hdl = devctl_bus_acquire(ZCONSNEX_FILEPATH, 0)) == NULL) {
365 zerror(zlogp, B_TRUE, "%s failed", "devctl_bus_acquire");
366 goto error;
367 }
368 if ((ddef_hdl = devctl_ddef_alloc("zcons", 0)) == NULL) {
369 zerror(zlogp, B_TRUE, "failed to allocate ddef handle");
370 goto error;
371 }
372 /*
373 * Set three properties on this node; the first is the name of the
374 * zone; the second is a flag which lets pseudo know that it is
375 * OK to automatically allocate an instance # for this device;
376 * the third tells the device framework not to auto-detach this
377 * node-- we need the node to still be there when we ask devfsadmd
378 * to make links, and when we need to open it.
379 */
380 if (devctl_ddef_string(ddef_hdl, "zonename", zone_name) == -1) {
381 zerror(zlogp, B_TRUE, "failed to create zonename property");
382 goto error;
383 }
384 if (devctl_ddef_int(ddef_hdl, "auto-assign-instance", 1) == -1) {
385 zerror(zlogp, B_TRUE, "failed to create auto-assign-instance "
386 "property");
387 goto error;
388 }
389 if (devctl_ddef_int(ddef_hdl, "ddi-no-autodetach", 1) == -1) {
390 zerror(zlogp, B_TRUE, "failed to create ddi-no-auto-detach "
391 "property");
392 goto error;
393 }
394 if (devctl_bus_dev_create(bus_hdl, ddef_hdl, 0, &dev_hdl) == -1) {
395 zerror(zlogp, B_TRUE, "failed to create console node");
396 goto error;
397 }
398
399 devlinks:
400 if ((dl = di_devlink_init("zcons", DI_MAKE_LINK)) != NULL) {
401 (void) di_devlink_fini(&dl);
402 } else {
403 zerror(zlogp, B_TRUE, "failed to create devlinks");
404 goto error;
405 }
406
407 /*
408 * Open the master side of the console and issue the ZC_HOLDSLAVE ioctl,
409 * which will cause the master to retain a reference to the slave.
410 * This prevents ttymon from blowing through the slave's STREAMS anchor.
411 */
412 (void) snprintf(conspath, sizeof (conspath), "/dev/zcons/%s/%s",
413 zone_name, ZCONS_MASTER_NAME);
414 if ((masterfd = open(conspath, O_RDWR | O_NOCTTY)) == -1) {
415 zerror(zlogp, B_TRUE, "ERROR: could not open master side of "
416 "zone console for %s to acquire slave handle", zone_name);
417 goto error;
418 }
419 (void) snprintf(conspath, sizeof (conspath), "/dev/zcons/%s/%s",
420 zone_name, ZCONS_SLAVE_NAME);
421 if ((slavefd = open(conspath, O_RDWR | O_NOCTTY)) == -1) {
422 zerror(zlogp, B_TRUE, "ERROR: could not open slave side of zone"
423 " console for %s to acquire slave handle", zone_name);
424 (void) close(masterfd);
425 goto error;
426 }
427 /*
428 * This ioctl can occasionally return ENXIO if devfs doesn't have
429 * everything plumbed up yet due to heavy zone startup load. Wait for
430 * 1 sec. and retry a few times before we fail to boot the zone.
431 */
432 for (i = 0; i < 5; i++) {
433 if (ioctl(masterfd, ZC_HOLDSLAVE, (caddr_t)(intptr_t)slavefd)
434 == 0) {
435 rv = 0;
436 break;
437 } else if (errno != ENXIO) {
438 break;
439 }
440 (void) sleep(1);
441 }
442 if (rv != 0)
443 zerror(zlogp, B_TRUE, "ERROR: error while acquiring slave "
444 "handle of zone console for %s", zone_name);
445
446 (void) close(slavefd);
447 (void) close(masterfd);
448
449 error:
450 if (ddef_hdl)
451 devctl_ddef_free(ddef_hdl);
452 if (bus_hdl)
453 devctl_release(bus_hdl);
454 if (dev_hdl)
455 devctl_release(dev_hdl);
456 return (rv);
457 }
458
459 static int
init_console_sock(zlog_t * zlogp)460 init_console_sock(zlog_t *zlogp)
461 {
462 int servfd;
463 struct sockaddr_un servaddr;
464
465 bzero(&servaddr, sizeof (servaddr));
466 servaddr.sun_family = AF_UNIX;
467 (void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path),
468 CONSOLE_SOCKPATH, zone_name);
469
470 if ((servfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
471 zerror(zlogp, B_TRUE, "console setup: could not create socket");
472 return (-1);
473 }
474 (void) unlink(servaddr.sun_path);
475
476 if (bind(servfd, (struct sockaddr *)&servaddr,
477 sizeof (servaddr)) == -1) {
478 zerror(zlogp, B_TRUE,
479 "console setup: could not bind to socket");
480 goto out;
481 }
482
483 if (listen(servfd, 4) == -1) {
484 zerror(zlogp, B_TRUE,
485 "console setup: could not listen on socket");
486 goto out;
487 }
488 return (servfd);
489
490 out:
491 (void) unlink(servaddr.sun_path);
492 (void) close(servfd);
493 return (-1);
494 }
495
496 static void
destroy_console_sock(int servfd)497 destroy_console_sock(int servfd)
498 {
499 char path[MAXPATHLEN];
500
501 (void) snprintf(path, sizeof (path), CONSOLE_SOCKPATH, zone_name);
502 (void) unlink(path);
503 (void) shutdown(servfd, SHUT_RDWR);
504 (void) close(servfd);
505 }
506
507 /*
508 * Read the "ident" string from the client's descriptor; this routine also
509 * tolerates being called with pid=NULL, for times when you want to "eat"
510 * the ident string from a client without saving it.
511 */
512 static int
get_client_ident(int clifd,pid_t * pid,char * locale,size_t locale_len,int * disconnect)513 get_client_ident(int clifd, pid_t *pid, char *locale, size_t locale_len,
514 int *disconnect)
515 {
516 char buf[BUFSIZ], *bufp;
517 size_t buflen = sizeof (buf);
518 char c = '\0';
519 int i = 0, r;
520
521 /* "eat up the ident string" case, for simplicity */
522 if (pid == NULL) {
523 assert(locale == NULL && locale_len == 0);
524 while (read(clifd, &c, 1) == 1) {
525 if (c == '\n')
526 return (0);
527 }
528 }
529
530 bzero(buf, sizeof (buf));
531 while ((buflen > 1) && (r = read(clifd, &c, 1)) == 1) {
532 buflen--;
533 if (c == '\n')
534 break;
535
536 buf[i] = c;
537 i++;
538 }
539 if (r == -1)
540 return (-1);
541
542 /*
543 * We've filled the buffer, but still haven't seen \n. Keep eating
544 * until we find it; we don't expect this to happen, but this is
545 * defensive.
546 */
547 if (c != '\n') {
548 while ((r = read(clifd, &c, sizeof (c))) > 0)
549 if (c == '\n')
550 break;
551 }
552
553 /*
554 * Parse buffer for message of the form:
555 * IDENT <pid> <locale> <disconnect flag>
556 */
557 bufp = buf;
558 if (strncmp(bufp, "IDENT ", 6) != 0)
559 return (-1);
560 bufp += 6;
561 errno = 0;
562 *pid = strtoll(bufp, &bufp, 10);
563 if (errno != 0)
564 return (-1);
565
566 while (*bufp != '\0' && isspace(*bufp))
567 bufp++;
568 buflen = strlen(bufp) - 1;
569 *disconnect = atoi(&bufp[buflen]);
570 bufp[buflen - 1] = '\0';
571 (void) strlcpy(locale, bufp, locale_len);
572
573 return (0);
574 }
575
576 static int
accept_client(int servfd,pid_t * pid,char * locale,size_t locale_len,int * disconnect)577 accept_client(int servfd, pid_t *pid, char *locale, size_t locale_len,
578 int *disconnect)
579 {
580 int connfd;
581 struct sockaddr_un cliaddr;
582 socklen_t clilen;
583
584 clilen = sizeof (cliaddr);
585 connfd = accept(servfd, (struct sockaddr *)&cliaddr, &clilen);
586 if (connfd == -1)
587 return (-1);
588 if (get_client_ident(connfd, pid, locale, locale_len,
589 disconnect) == -1) {
590 (void) shutdown(connfd, SHUT_RDWR);
591 (void) close(connfd);
592 return (-1);
593 }
594 (void) write(connfd, "OK\n", 3);
595 return (connfd);
596 }
597
598 static void
reject_client(int servfd,pid_t clientpid)599 reject_client(int servfd, pid_t clientpid)
600 {
601 int connfd;
602 struct sockaddr_un cliaddr;
603 socklen_t clilen;
604 char nak[MAXPATHLEN];
605
606 clilen = sizeof (cliaddr);
607 connfd = accept(servfd, (struct sockaddr *)&cliaddr, &clilen);
608
609 /*
610 * After hear its ident string, tell client to get lost.
611 */
612 if (get_client_ident(connfd, NULL, NULL, 0, NULL) == 0) {
613 (void) snprintf(nak, sizeof (nak), "%lu\n",
614 clientpid);
615 (void) write(connfd, nak, strlen(nak));
616 }
617 (void) shutdown(connfd, SHUT_RDWR);
618 (void) close(connfd);
619 }
620
621 static void
event_message(int clifd,char * clilocale,zone_evt_t evt,int dflag)622 event_message(int clifd, char *clilocale, zone_evt_t evt, int dflag)
623 {
624 char *str, *lstr = NULL;
625 char lmsg[BUFSIZ];
626 char outbuf[BUFSIZ];
627
628 if (clifd == -1)
629 return;
630
631 switch (evt) {
632 case Z_EVT_ZONE_BOOTING:
633 if (*boot_args == '\0') {
634 str = "NOTICE: Zone booting up";
635 break;
636 }
637 /*LINTED*/
638 (void) snprintf(lmsg, sizeof (lmsg), localize_msg(clilocale,
639 "NOTICE: Zone booting up with arguments: %s"), boot_args);
640 lstr = lmsg;
641 break;
642 case Z_EVT_ZONE_READIED:
643 str = "NOTICE: Zone readied";
644 break;
645 case Z_EVT_ZONE_HALTED:
646 if (dflag)
647 str = "NOTICE: Zone halted. Disconnecting...";
648 else
649 str = "NOTICE: Zone halted";
650 break;
651 case Z_EVT_ZONE_REBOOTING:
652 if (*boot_args == '\0') {
653 str = "NOTICE: Zone rebooting";
654 break;
655 }
656 /*LINTED*/
657 (void) snprintf(lmsg, sizeof (lmsg), localize_msg(clilocale,
658 "NOTICE: Zone rebooting with arguments: %s"), boot_args);
659 lstr = lmsg;
660 break;
661 case Z_EVT_ZONE_UNINSTALLING:
662 str = "NOTICE: Zone is being uninstalled. Disconnecting...";
663 break;
664 case Z_EVT_ZONE_BOOTFAILED:
665 if (dflag)
666 str = "NOTICE: Zone boot failed. Disconnecting...";
667 else
668 str = "NOTICE: Zone boot failed";
669 break;
670 case Z_EVT_ZONE_BADARGS:
671 /*LINTED*/
672 (void) snprintf(lmsg, sizeof (lmsg),
673 localize_msg(clilocale,
674 "WARNING: Ignoring invalid boot arguments: %s"),
675 bad_boot_arg);
676 lstr = lmsg;
677 break;
678 default:
679 return;
680 }
681
682 if (lstr == NULL)
683 lstr = localize_msg(clilocale, str);
684 (void) snprintf(outbuf, sizeof (outbuf), "\r\n[%s]\r\n", lstr);
685 (void) write(clifd, outbuf, strlen(outbuf));
686 }
687
688 /*
689 * Check to see if the client at the other end of the socket is still
690 * alive; we know it is not if it throws EPIPE at us when we try to write
691 * an otherwise harmless 0-length message to it.
692 */
693 static int
test_client(int clifd)694 test_client(int clifd)
695 {
696 if ((write(clifd, "", 0) == -1) && errno == EPIPE)
697 return (-1);
698 return (0);
699 }
700
701 /*
702 * This routine drives the console I/O loop. It polls for input from the
703 * master side of the console (output to the console), and from the client
704 * (input from the console user). Additionally, it polls on the server fd,
705 * and disconnects any clients that might try to hook up with the zone while
706 * the console is in use.
707 *
708 * When the client first calls us up, it is expected to send a line giving
709 * its "identity"; this consists of the string 'IDENT <pid> <locale>'.
710 * This is so that we can report that the console is busy along with
711 * some diagnostics about who has it busy; the locale is used so that
712 * asynchronous messages about zone state (like the NOTICE: zone halted
713 * messages) can be output in the user's locale.
714 */
715 static void
do_console_io(zlog_t * zlogp,int consfd,int servfd)716 do_console_io(zlog_t *zlogp, int consfd, int servfd)
717 {
718 struct pollfd pollfds[4];
719 char ibuf[BUFSIZ];
720 int cc, ret;
721 int clifd = -1;
722 int pollerr = 0;
723 char clilocale[MAXPATHLEN];
724 pid_t clipid = 0;
725 int disconnect = 0;
726
727 /* console side, watch for read events */
728 pollfds[0].fd = consfd;
729 pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND |
730 POLLPRI | POLLERR | POLLHUP | POLLNVAL;
731
732 /* client side, watch for read events */
733 pollfds[1].fd = clifd;
734 pollfds[1].events = pollfds[0].events;
735
736 /* the server socket; watch for events (new connections) */
737 pollfds[2].fd = servfd;
738 pollfds[2].events = pollfds[0].events;
739
740 /* the eventstram; watch for events (e.g.: zone halted) */
741 pollfds[3].fd = eventstream[1];
742 pollfds[3].events = pollfds[0].events;
743
744 for (;;) {
745 pollfds[0].revents = pollfds[1].revents = 0;
746 pollfds[2].revents = pollfds[3].revents = 0;
747
748 ret = poll(pollfds,
749 sizeof (pollfds) / sizeof (struct pollfd), -1);
750 if (ret == -1 && errno != EINTR) {
751 zerror(zlogp, B_TRUE, "poll failed");
752 /* we are hosed, close connection */
753 break;
754 }
755
756 /* event from console side */
757 if (pollfds[0].revents) {
758 if (pollfds[0].revents &
759 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
760 errno = 0;
761 cc = read(consfd, ibuf, BUFSIZ);
762 if (cc <= 0 && (errno != EINTR) &&
763 (errno != EAGAIN))
764 break;
765 /*
766 * Lose I/O if no one is listening
767 */
768 if (clifd != -1 && cc > 0)
769 (void) write(clifd, ibuf, cc);
770 } else {
771 pollerr = pollfds[0].revents;
772 zerror(zlogp, B_FALSE,
773 "closing connection with (console) "
774 "pollerr %d\n", pollerr);
775 break;
776 }
777 }
778
779 /* event from client side */
780 if (pollfds[1].revents) {
781 if (pollfds[1].revents &
782 (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
783 errno = 0;
784 cc = read(clifd, ibuf, BUFSIZ);
785 if (cc <= 0 && (errno != EINTR) &&
786 (errno != EAGAIN))
787 break;
788 (void) write(consfd, ibuf, cc);
789 } else {
790 pollerr = pollfds[1].revents;
791 zerror(zlogp, B_FALSE,
792 "closing connection with (client) "
793 "pollerr %d\n", pollerr);
794 break;
795 }
796 }
797
798 /* event from server socket */
799 if (pollfds[2].revents &&
800 (pollfds[2].revents & (POLLIN | POLLRDNORM))) {
801 if (clifd != -1) {
802 /*
803 * Test the client to see if it is really
804 * still alive. If it has died but we
805 * haven't yet detected that, we might
806 * deny a legitimate connect attempt. If it
807 * is dead, we break out; once we tear down
808 * the old connection, the new connection
809 * will happen.
810 */
811 if (test_client(clifd) == -1) {
812 break;
813 }
814 /* we're already handling a client */
815 reject_client(servfd, clipid);
816
817
818 } else if ((clifd = accept_client(servfd, &clipid,
819 clilocale, sizeof (clilocale),
820 &disconnect)) != -1) {
821 pollfds[1].fd = clifd;
822
823 } else {
824 break;
825 }
826 }
827
828 /*
829 * Watch for events on the eventstream. This is how we get
830 * notified of the zone halting, etc. It provides us a
831 * "wakeup" from poll when important things happen, which
832 * is good.
833 */
834 if (pollfds[3].revents) {
835 int evt = eventstream_read();
836 /*
837 * After we drain out the event, if we aren't servicing
838 * a console client, we hop back out to our caller,
839 * which will check to see if it is time to shutdown
840 * the daemon, or if we should take another console
841 * service lap.
842 */
843 if (clifd == -1) {
844 break;
845 }
846 event_message(clifd, clilocale, evt, disconnect);
847 /*
848 * Special handling for the message that the zone is
849 * uninstalling; we boot the client, then break out
850 * of this function. When we return to the
851 * serve_console loop, we will see that the zone is
852 * in a state < READY, and so zoneadmd will shutdown.
853 */
854 if (evt == Z_EVT_ZONE_UNINSTALLING) {
855 break;
856 }
857 /*
858 * Diconnect if -C and -d options were specified and
859 * zone was halted or failed to boot.
860 */
861 if ((evt == Z_EVT_ZONE_HALTED ||
862 evt == Z_EVT_ZONE_BOOTFAILED) && disconnect) {
863 break;
864 }
865 }
866
867 }
868
869 if (clifd != -1) {
870 (void) shutdown(clifd, SHUT_RDWR);
871 (void) close(clifd);
872 }
873 }
874
875 int
init_console(zlog_t * zlogp)876 init_console(zlog_t *zlogp)
877 {
878 if (init_console_dev(zlogp) == -1) {
879 zerror(zlogp, B_FALSE,
880 "console setup: device initialization failed");
881 return (-1);
882 }
883
884 if ((serverfd = init_console_sock(zlogp)) == -1) {
885 zerror(zlogp, B_FALSE,
886 "console setup: socket initialization failed");
887 return (-1);
888 }
889 return (0);
890 }
891
892 /*
893 * serve_console() is the master loop for driving console I/O. It is also the
894 * routine which is ultimately responsible for "pulling the plug" on zoneadmd
895 * when it realizes that the daemon should shut down.
896 *
897 * The rules for shutdown are: there must be no console client, and the zone
898 * state must be < ready. However, we need to give things a chance to actually
899 * get going when the daemon starts up-- otherwise the daemon would immediately
900 * exit on startup if the zone was in the installed state, so we first drop
901 * into the do_console_io() loop in order to give *something* a chance to
902 * happen.
903 */
904 void
serve_console(zlog_t * zlogp)905 serve_console(zlog_t *zlogp)
906 {
907 int masterfd;
908 zone_state_t zstate;
909 char conspath[MAXPATHLEN];
910
911 (void) snprintf(conspath, sizeof (conspath),
912 "/dev/zcons/%s/%s", zone_name, ZCONS_MASTER_NAME);
913
914 for (;;) {
915 masterfd = open(conspath, O_RDWR|O_NONBLOCK|O_NOCTTY);
916 if (masterfd == -1) {
917 zerror(zlogp, B_TRUE, "failed to open console master");
918 (void) mutex_lock(&lock);
919 goto death;
920 }
921
922 /*
923 * Setting RPROTDIS on the stream means that the control
924 * portion of messages received (which we don't care about)
925 * will be discarded by the stream head. If we allowed such
926 * messages, we wouldn't be able to use read(2), as it fails
927 * (EBADMSG) when a message with a control element is received.
928 */
929 if (ioctl(masterfd, I_SRDOPT, RNORM|RPROTDIS) == -1) {
930 zerror(zlogp, B_TRUE, "failed to set options on "
931 "console master");
932 (void) mutex_lock(&lock);
933 goto death;
934 }
935
936 do_console_io(zlogp, masterfd, serverfd);
937
938 /*
939 * We would prefer not to do this, but hostile zone processes
940 * can cause the stream to become tainted, and reads will
941 * fail. So, in case something has gone seriously ill,
942 * we dismantle the stream and reopen the console when we
943 * take another lap.
944 */
945 (void) close(masterfd);
946
947 (void) mutex_lock(&lock);
948 /*
949 * We need to set death_throes (see below) atomically with
950 * respect to noticing that (a) we have no console client and
951 * (b) the zone is not installed. Otherwise we could get a
952 * request to boot during this time. Once we set death_throes,
953 * any incoming door stuff will be turned away.
954 */
955 if (zone_get_state(zone_name, &zstate) == Z_OK) {
956 if (zstate < ZONE_STATE_READY)
957 goto death;
958 } else {
959 zerror(zlogp, B_FALSE,
960 "unable to determine state of zone");
961 goto death;
962 }
963 /*
964 * Even if zone_get_state() fails, stay conservative, and
965 * take another lap.
966 */
967 (void) mutex_unlock(&lock);
968 }
969
970 death:
971 assert(MUTEX_HELD(&lock));
972 in_death_throes = B_TRUE;
973 (void) mutex_unlock(&lock);
974
975 destroy_console_sock(serverfd);
976 (void) destroy_console_devs(zlogp);
977 }
978