xref: /titanic_41/usr/src/cmd/zoneadmd/zcons.c (revision b6805bf78d2bbbeeaea8909a05623587b42d58b3)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  * Copyright 2012 Joyent, Inc.  All rights reserved.
26  */
27 
28 /*
29  * Console support for zones requires a significant infrastructure.  The
30  * core pieces are contained in this file, but other portions of note
31  * are in the zlogin(1M) command, the zcons(7D) driver, and in the
32  * devfsadm(1M) misc_link generator.
33  *
34  * Care is taken to make the console behave in an "intuitive" fashion for
35  * administrators.  Essentially, we try as much as possible to mimic the
36  * experience of using a system via a tip line and system controller.
37  *
38  * The zone console architecture looks like this:
39  *
40  *                                      Global Zone | Non-Global Zone
41  *                        .--------------.          |
42  *        .-----------.   | zoneadmd -z  |          | .--------. .---------.
43  *        | zlogin -C |   |     myzone   |          | | ttymon | | syslogd |
44  *        `-----------'   `--------------'          | `--------' `---------'
45  *                  |       |       | |             |      |       |
46  *  User            |       |       | |             |      V       V
47  * - - - - - - - - -|- - - -|- - - -|-|- - - - - - -|- - /dev/zconsole - - -
48  *  Kernel          V       V       | |                        |
49  *               [AF_UNIX Socket]   | `--------. .-------------'
50  *                                  |          | |
51  *                                  |          V V
52  *                                  |     +-----------+
53  *                                  |     |  ldterm,  |
54  *                                  |     |   etc.    |
55  *                                  |     +-----------+
56  *                                  |     +-[Anchor]--+
57  *                                  |     |   ptem    |
58  *                                  V     +-----------+
59  *                           +---master---+---slave---+
60  *                           |                        |
61  *                           |      zcons driver      |
62  *                           |    zonename="myzone"   |
63  *                           +------------------------+
64  *
65  * There are basically two major tasks which the console subsystem in
66  * zoneadmd accomplishes:
67  *
68  * - Setup and teardown of zcons driver instances.  One zcons instance
69  *   is maintained per zone; we take advantage of the libdevice APIs
70  *   to online new instances of zcons as needed.  Care is taken to
71  *   prune and manage these appropriately; see init_console_dev() and
72  *   destroy_console_dev().  The end result is the creation of the
73  *   zcons(7D) instance and an open file descriptor to the master side.
74  *   zcons instances are associated with zones via their zonename device
75  *   property.  This the console instance to persist across reboots,
76  *   and while the zone is halted.
77  *
78  * - Acting as a server for 'zlogin -C' instances.  When zlogin -C is
79  *   run, zlogin connects to zoneadmd via unix domain socket.  zoneadmd
80  *   functions as a two-way proxy for console I/O, relaying user input
81  *   to the master side of the console, and relaying output from the
82  *   zone to the user.
83  */
84 
85 #include <sys/types.h>
86 #include <sys/socket.h>
87 #include <sys/stat.h>
88 #include <sys/termios.h>
89 #include <sys/zcons.h>
90 #include <sys/mkdev.h>
91 
92 #include <assert.h>
93 #include <ctype.h>
94 #include <errno.h>
95 #include <fcntl.h>
96 #include <stdarg.h>
97 #include <stdio.h>
98 #include <stdlib.h>
99 #include <strings.h>
100 #include <stropts.h>
101 #include <thread.h>
102 #include <ucred.h>
103 #include <unistd.h>
104 #include <zone.h>
105 
106 #include <libdevinfo.h>
107 #include <libdevice.h>
108 #include <libzonecfg.h>
109 
110 #include <syslog.h>
111 #include <sys/modctl.h>
112 
113 #include "zoneadmd.h"
114 
115 #define	ZCONSNEX_DEVTREEPATH	"/pseudo/zconsnex@1"
116 #define	ZCONSNEX_FILEPATH	"/devices/pseudo/zconsnex@1"
117 
118 #define	CONSOLE_SOCKPATH	ZONES_TMPDIR "/%s.console_sock"
119 
120 static int	serverfd = -1;	/* console server unix domain socket fd */
121 char boot_args[BOOTARGS_MAX];
122 char bad_boot_arg[BOOTARGS_MAX];
123 
124 /*
125  * The eventstream is a simple one-directional flow of messages from the
126  * door server to the console subsystem, implemented with a pipe.
127  * It is used to wake up the console poller when it needs to take action,
128  * message the user, die off, etc.
129  */
130 static int eventstream[2];
131 
132 
133 
134 int
135 eventstream_init()
136 {
137 	if (pipe(eventstream) == -1)
138 		return (-1);
139 	return (0);
140 }
141 
142 void
143 eventstream_write(zone_evt_t evt)
144 {
145 	(void) write(eventstream[0], &evt, sizeof (evt));
146 }
147 
148 static zone_evt_t
149 eventstream_read(void)
150 {
151 	zone_evt_t evt = Z_EVT_NULL;
152 
153 	(void) read(eventstream[1], &evt, sizeof (evt));
154 	return (evt);
155 }
156 
157 /*
158  * count_console_devs() and its helper count_cb() do a walk of the
159  * subtree of the device tree where zone console nodes are represented.
160  * The goal is to count zone console instances already setup for a zone
161  * with the given name.  More than 1 is anomolous, and our caller will
162  * have to deal with that if we find that's the case.
163  *
164  * Note: this algorithm is a linear search of nodes in the zconsnex subtree
165  * of the device tree, and could be a scalability problem, but I don't see
166  * how to avoid it.
167  */
168 
169 /*
170  * cb_data is shared by count_cb and destroy_cb for simplicity.
171  */
172 struct cb_data {
173 	zlog_t *zlogp;
174 	int found;
175 	int killed;
176 };
177 
178 static int
179 count_cb(di_node_t node, void *arg)
180 {
181 	struct cb_data *cb = (struct cb_data *)arg;
182 	char *prop_data;
183 
184 	if (di_prop_lookup_strings(DDI_DEV_T_ANY, node, "zonename",
185 	    &prop_data) != -1) {
186 		assert(prop_data != NULL);
187 		if (strcmp(prop_data, zone_name) == 0) {
188 			cb->found++;
189 			return (DI_WALK_CONTINUE);
190 		}
191 	}
192 	return (DI_WALK_CONTINUE);
193 }
194 
195 static int
196 count_console_devs(zlog_t *zlogp)
197 {
198 	di_node_t root;
199 	struct cb_data cb;
200 
201 	bzero(&cb, sizeof (cb));
202 	cb.zlogp = zlogp;
203 
204 	if ((root = di_init(ZCONSNEX_DEVTREEPATH, DINFOCPYALL)) ==
205 	    DI_NODE_NIL) {
206 		zerror(zlogp, B_TRUE, "%s failed", "di_init");
207 		return (-1);
208 	}
209 
210 	(void) di_walk_node(root, DI_WALK_CLDFIRST, (void *)&cb, count_cb);
211 	di_fini(root);
212 	return (cb.found);
213 }
214 
215 /*
216  * destroy_console_devs() and its helper destroy_cb() tears down any console
217  * instances associated with this zone.  If things went very wrong, we
218  * might have more than one console instance hanging around.  This routine
219  * hunts down and tries to remove all of them.  Of course, if the console
220  * is open, the instance will not detach, which is a potential issue.
221  */
222 static int
223 destroy_cb(di_node_t node, void *arg)
224 {
225 	struct cb_data *cb = (struct cb_data *)arg;
226 	char *prop_data;
227 	char *tmp;
228 	char devpath[MAXPATHLEN];
229 	devctl_hdl_t hdl;
230 
231 	if (di_prop_lookup_strings(DDI_DEV_T_ANY, node, "zonename",
232 	    &prop_data) == -1)
233 		return (DI_WALK_CONTINUE);
234 
235 	assert(prop_data != NULL);
236 	if (strcmp(prop_data, zone_name) != 0) {
237 		/* this is the console for a different zone */
238 		return (DI_WALK_CONTINUE);
239 	}
240 
241 	cb->found++;
242 	tmp = di_devfs_path(node);
243 	(void) snprintf(devpath, sizeof (devpath), "/devices/%s", tmp);
244 	di_devfs_path_free(tmp);
245 
246 	if ((hdl = devctl_device_acquire(devpath, 0)) == NULL) {
247 		zerror(cb->zlogp, B_TRUE, "WARNING: console %s found, "
248 		    "but it could not be controlled.", devpath);
249 		return (DI_WALK_CONTINUE);
250 	}
251 	if (devctl_device_remove(hdl) == 0) {
252 		cb->killed++;
253 	} else {
254 		zerror(cb->zlogp, B_TRUE, "WARNING: console %s found, "
255 		    "but it could not be removed.", devpath);
256 	}
257 	devctl_release(hdl);
258 	return (DI_WALK_CONTINUE);
259 }
260 
261 static int
262 destroy_console_devs(zlog_t *zlogp)
263 {
264 	char conspath[MAXPATHLEN];
265 	di_node_t root;
266 	struct cb_data cb;
267 	int masterfd;
268 	int slavefd;
269 
270 	/*
271 	 * Signal the master side to release its handle on the slave side by
272 	 * issuing a ZC_RELEASESLAVE ioctl.
273 	 */
274 	(void) snprintf(conspath, sizeof (conspath), "/dev/zcons/%s/%s",
275 	    zone_name, ZCONS_MASTER_NAME);
276 	if ((masterfd = open(conspath, O_RDWR | O_NOCTTY)) != -1) {
277 		(void) snprintf(conspath, sizeof (conspath), "/dev/zcons/%s/%s",
278 		    zone_name, ZCONS_SLAVE_NAME);
279 		if ((slavefd = open(conspath, O_RDWR | O_NOCTTY)) != -1) {
280 			if (ioctl(masterfd, ZC_RELEASESLAVE,
281 			    (caddr_t)(intptr_t)slavefd) != 0)
282 				zerror(zlogp, B_TRUE, "WARNING: error while "
283 				    "releasing slave handle of zone console for"
284 				    " %s", zone_name);
285 			(void) close(slavefd);
286 		} else {
287 			zerror(zlogp, B_TRUE, "WARNING: could not open slave "
288 			    "side of zone console for %s to release slave "
289 			    "handle", zone_name);
290 		}
291 		(void) close(masterfd);
292 	} else {
293 		zerror(zlogp, B_TRUE, "WARNING: could not open master side of "
294 		    "zone console for %s to release slave handle", zone_name);
295 	}
296 
297 	bzero(&cb, sizeof (cb));
298 	cb.zlogp = zlogp;
299 
300 	if ((root = di_init(ZCONSNEX_DEVTREEPATH, DINFOCPYALL)) ==
301 	    DI_NODE_NIL) {
302 		zerror(zlogp, B_TRUE, "%s failed", "di_init");
303 		return (-1);
304 	}
305 
306 	(void) di_walk_node(root, DI_WALK_CLDFIRST, (void *)&cb, destroy_cb);
307 	if (cb.found > 1) {
308 		zerror(zlogp, B_FALSE, "WARNING: multiple zone console "
309 		    "instances detected for zone '%s'; %d of %d "
310 		    "successfully removed.",
311 		    zone_name, cb.killed, cb.found);
312 	}
313 
314 	di_fini(root);
315 	return (0);
316 }
317 
318 /*
319  * init_console_dev() drives the device-tree configuration of the zone
320  * console device.  The general strategy is to use the libdevice (devctl)
321  * interfaces to instantiate a new zone console node.  We do a lot of
322  * sanity checking, and are careful to reuse a console if one exists.
323  *
324  * Once the device is in the device tree, we kick devfsadm via di_init_devs()
325  * to ensure that the appropriate symlinks (to the master and slave console
326  * devices) are placed in /dev in the global zone.
327  */
328 static int
329 init_console_dev(zlog_t *zlogp)
330 {
331 	char conspath[MAXPATHLEN];
332 	devctl_hdl_t bus_hdl = NULL;
333 	devctl_hdl_t dev_hdl = NULL;
334 	devctl_ddef_t ddef_hdl = NULL;
335 	di_devlink_handle_t dl = NULL;
336 	int rv = -1;
337 	int ndevs;
338 	int masterfd;
339 	int slavefd;
340 	int i;
341 
342 	/*
343 	 * Don't re-setup console if it is working and ready already; just
344 	 * skip ahead to making devlinks, which we do for sanity's sake.
345 	 */
346 	ndevs = count_console_devs(zlogp);
347 	if (ndevs == 1) {
348 		goto devlinks;
349 	} else if (ndevs > 1 || ndevs == -1) {
350 		/*
351 		 * For now, this seems like a reasonable but harsh punishment.
352 		 * If needed, we could try to get clever and delete all but
353 		 * the console which is pointed at by the current symlink.
354 		 */
355 		if (destroy_console_devs(zlogp) == -1) {
356 			goto error;
357 		}
358 	}
359 
360 	/*
361 	 * Time to make the consoles!
362 	 */
363 	if ((bus_hdl = devctl_bus_acquire(ZCONSNEX_FILEPATH, 0)) == NULL) {
364 		zerror(zlogp, B_TRUE, "%s failed", "devctl_bus_acquire");
365 		goto error;
366 	}
367 	if ((ddef_hdl = devctl_ddef_alloc("zcons", 0)) == NULL) {
368 		zerror(zlogp, B_TRUE, "failed to allocate ddef handle");
369 		goto error;
370 	}
371 	/*
372 	 * Set three properties on this node; the first is the name of the
373 	 * zone; the second is a flag which lets pseudo know that it is
374 	 * OK to automatically allocate an instance # for this device;
375 	 * the third tells the device framework not to auto-detach this
376 	 * node-- we need the node to still be there when we ask devfsadmd
377 	 * to make links, and when we need to open it.
378 	 */
379 	if (devctl_ddef_string(ddef_hdl, "zonename", zone_name) == -1) {
380 		zerror(zlogp, B_TRUE, "failed to create zonename property");
381 		goto error;
382 	}
383 	if (devctl_ddef_int(ddef_hdl, "auto-assign-instance", 1) == -1) {
384 		zerror(zlogp, B_TRUE, "failed to create auto-assign-instance "
385 		    "property");
386 		goto error;
387 	}
388 	if (devctl_ddef_int(ddef_hdl, "ddi-no-autodetach", 1) == -1) {
389 		zerror(zlogp, B_TRUE, "failed to create ddi-no-auto-detach "
390 		    "property");
391 		goto error;
392 	}
393 	if (devctl_bus_dev_create(bus_hdl, ddef_hdl, 0, &dev_hdl) == -1) {
394 		zerror(zlogp, B_TRUE, "failed to create console node");
395 		goto error;
396 	}
397 
398 devlinks:
399 	if ((dl = di_devlink_init("zcons", DI_MAKE_LINK)) != NULL) {
400 		(void) di_devlink_fini(&dl);
401 	} else {
402 		zerror(zlogp, B_TRUE, "failed to create devlinks");
403 		goto error;
404 	}
405 
406 	/*
407 	 * Open the master side of the console and issue the ZC_HOLDSLAVE ioctl,
408 	 * which will cause the master to retain a reference to the slave.
409 	 * This prevents ttymon from blowing through the slave's STREAMS anchor.
410 	 */
411 	(void) snprintf(conspath, sizeof (conspath), "/dev/zcons/%s/%s",
412 	    zone_name, ZCONS_MASTER_NAME);
413 	if ((masterfd = open(conspath, O_RDWR | O_NOCTTY)) == -1) {
414 		zerror(zlogp, B_TRUE, "ERROR: could not open master side of "
415 		    "zone console for %s to acquire slave handle", zone_name);
416 		goto error;
417 	}
418 	(void) snprintf(conspath, sizeof (conspath), "/dev/zcons/%s/%s",
419 	    zone_name, ZCONS_SLAVE_NAME);
420 	if ((slavefd = open(conspath, O_RDWR | O_NOCTTY)) == -1) {
421 		zerror(zlogp, B_TRUE, "ERROR: could not open slave side of zone"
422 		    " console for %s to acquire slave handle", zone_name);
423 		(void) close(masterfd);
424 		goto error;
425 	}
426 	/*
427 	 * This ioctl can occasionally return ENXIO if devfs doesn't have
428 	 * everything plumbed up yet due to heavy zone startup load. Wait for
429 	 * 1 sec. and retry a few times before we fail to boot the zone.
430 	 */
431 	for (i = 0; i < 5; i++) {
432 		if (ioctl(masterfd, ZC_HOLDSLAVE, (caddr_t)(intptr_t)slavefd)
433 		    == 0) {
434 			rv = 0;
435 			break;
436 		} else if (errno != ENXIO) {
437 			break;
438 		}
439 		(void) sleep(1);
440 	}
441 	if (rv != 0)
442 		zerror(zlogp, B_TRUE, "ERROR: error while acquiring slave "
443 		    "handle of zone console for %s", zone_name);
444 
445 	(void) close(slavefd);
446 	(void) close(masterfd);
447 
448 error:
449 	if (ddef_hdl)
450 		devctl_ddef_free(ddef_hdl);
451 	if (bus_hdl)
452 		devctl_release(bus_hdl);
453 	if (dev_hdl)
454 		devctl_release(dev_hdl);
455 	return (rv);
456 }
457 
458 static int
459 init_console_sock(zlog_t *zlogp)
460 {
461 	int servfd;
462 	struct sockaddr_un servaddr;
463 
464 	bzero(&servaddr, sizeof (servaddr));
465 	servaddr.sun_family = AF_UNIX;
466 	(void) snprintf(servaddr.sun_path, sizeof (servaddr.sun_path),
467 	    CONSOLE_SOCKPATH, zone_name);
468 
469 	if ((servfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
470 		zerror(zlogp, B_TRUE, "console setup: could not create socket");
471 		return (-1);
472 	}
473 	(void) unlink(servaddr.sun_path);
474 
475 	if (bind(servfd, (struct sockaddr *)&servaddr,
476 	    sizeof (servaddr)) == -1) {
477 		zerror(zlogp, B_TRUE,
478 		    "console setup: could not bind to socket");
479 		goto out;
480 	}
481 
482 	if (listen(servfd, 4) == -1) {
483 		zerror(zlogp, B_TRUE,
484 		    "console setup: could not listen on socket");
485 		goto out;
486 	}
487 	return (servfd);
488 
489 out:
490 	(void) unlink(servaddr.sun_path);
491 	(void) close(servfd);
492 	return (-1);
493 }
494 
495 static void
496 destroy_console_sock(int servfd)
497 {
498 	char path[MAXPATHLEN];
499 
500 	(void) snprintf(path, sizeof (path), CONSOLE_SOCKPATH, zone_name);
501 	(void) unlink(path);
502 	(void) shutdown(servfd, SHUT_RDWR);
503 	(void) close(servfd);
504 }
505 
506 /*
507  * Read the "ident" string from the client's descriptor; this routine also
508  * tolerates being called with pid=NULL, for times when you want to "eat"
509  * the ident string from a client without saving it.
510  */
511 static int
512 get_client_ident(int clifd, pid_t *pid, char *locale, size_t locale_len)
513 {
514 	char buf[BUFSIZ], *bufp;
515 	size_t buflen = sizeof (buf);
516 	char c = '\0';
517 	int i = 0, r;
518 
519 	/* "eat up the ident string" case, for simplicity */
520 	if (pid == NULL) {
521 		assert(locale == NULL && locale_len == 0);
522 		while (read(clifd, &c, 1) == 1) {
523 			if (c == '\n')
524 				return (0);
525 		}
526 	}
527 
528 	bzero(buf, sizeof (buf));
529 	while ((buflen > 1) && (r = read(clifd, &c, 1)) == 1) {
530 		buflen--;
531 		if (c == '\n')
532 			break;
533 
534 		buf[i] = c;
535 		i++;
536 	}
537 	if (r == -1)
538 		return (-1);
539 
540 	/*
541 	 * We've filled the buffer, but still haven't seen \n.  Keep eating
542 	 * until we find it; we don't expect this to happen, but this is
543 	 * defensive.
544 	 */
545 	if (c != '\n') {
546 		while ((r = read(clifd, &c, sizeof (c))) > 0)
547 			if (c == '\n')
548 				break;
549 	}
550 
551 	/*
552 	 * Parse buffer for message of the form: IDENT <pid> <locale>
553 	 */
554 	bufp = buf;
555 	if (strncmp(bufp, "IDENT ", 6) != 0)
556 		return (-1);
557 	bufp += 6;
558 	errno = 0;
559 	*pid = strtoll(bufp, &bufp, 10);
560 	if (errno != 0)
561 		return (-1);
562 
563 	while (*bufp != '\0' && isspace(*bufp))
564 		bufp++;
565 	(void) strlcpy(locale, bufp, locale_len);
566 
567 	return (0);
568 }
569 
570 static int
571 accept_client(int servfd, pid_t *pid, char *locale, size_t locale_len)
572 {
573 	int connfd;
574 	struct sockaddr_un cliaddr;
575 	socklen_t clilen;
576 
577 	clilen = sizeof (cliaddr);
578 	connfd = accept(servfd, (struct sockaddr *)&cliaddr, &clilen);
579 	if (connfd == -1)
580 		return (-1);
581 	if (get_client_ident(connfd, pid, locale, locale_len) == -1) {
582 		(void) shutdown(connfd, SHUT_RDWR);
583 		(void) close(connfd);
584 		return (-1);
585 	}
586 	(void) write(connfd, "OK\n", 3);
587 	return (connfd);
588 }
589 
590 static void
591 reject_client(int servfd, pid_t clientpid)
592 {
593 	int connfd;
594 	struct sockaddr_un cliaddr;
595 	socklen_t clilen;
596 	char nak[MAXPATHLEN];
597 
598 	clilen = sizeof (cliaddr);
599 	connfd = accept(servfd, (struct sockaddr *)&cliaddr, &clilen);
600 
601 	/*
602 	 * After hear its ident string, tell client to get lost.
603 	 */
604 	if (get_client_ident(connfd, NULL, NULL, 0) == 0) {
605 		(void) snprintf(nak, sizeof (nak), "%lu\n",
606 		    clientpid);
607 		(void) write(connfd, nak, strlen(nak));
608 	}
609 	(void) shutdown(connfd, SHUT_RDWR);
610 	(void) close(connfd);
611 }
612 
613 static void
614 event_message(int clifd, char *clilocale, zone_evt_t evt)
615 {
616 	char *str, *lstr = NULL;
617 	char lmsg[BUFSIZ];
618 	char outbuf[BUFSIZ];
619 
620 	if (clifd == -1)
621 		return;
622 
623 	switch (evt) {
624 	case Z_EVT_ZONE_BOOTING:
625 		if (*boot_args == '\0') {
626 			str = "NOTICE: Zone booting up";
627 			break;
628 		}
629 		/*LINTED*/
630 		(void) snprintf(lmsg, sizeof (lmsg), localize_msg(clilocale,
631 		    "NOTICE: Zone booting up with arguments: %s"), boot_args);
632 		lstr = lmsg;
633 		break;
634 	case Z_EVT_ZONE_READIED:
635 		str = "NOTICE: Zone readied";
636 		break;
637 	case Z_EVT_ZONE_HALTED:
638 		str = "NOTICE: Zone halted";
639 		break;
640 	case Z_EVT_ZONE_REBOOTING:
641 		if (*boot_args == '\0') {
642 			str = "NOTICE: Zone rebooting";
643 			break;
644 		}
645 		/*LINTED*/
646 		(void) snprintf(lmsg, sizeof (lmsg), localize_msg(clilocale,
647 		    "NOTICE: Zone rebooting with arguments: %s"), boot_args);
648 		lstr = lmsg;
649 		break;
650 	case Z_EVT_ZONE_UNINSTALLING:
651 		str = "NOTICE: Zone is being uninstalled.  Disconnecting...";
652 		break;
653 	case Z_EVT_ZONE_BOOTFAILED:
654 		str = "NOTICE: Zone boot failed";
655 		break;
656 	case Z_EVT_ZONE_BADARGS:
657 		/*LINTED*/
658 		(void) snprintf(lmsg, sizeof (lmsg),
659 		    localize_msg(clilocale,
660 		    "WARNING: Ignoring invalid boot arguments: %s"),
661 		    bad_boot_arg);
662 		lstr = lmsg;
663 		break;
664 	default:
665 		return;
666 	}
667 
668 	if (lstr == NULL)
669 		lstr = localize_msg(clilocale, str);
670 	(void) snprintf(outbuf, sizeof (outbuf), "\r\n[%s]\r\n", lstr);
671 	(void) write(clifd, outbuf, strlen(outbuf));
672 }
673 
674 /*
675  * Check to see if the client at the other end of the socket is still
676  * alive; we know it is not if it throws EPIPE at us when we try to write
677  * an otherwise harmless 0-length message to it.
678  */
679 static int
680 test_client(int clifd)
681 {
682 	if ((write(clifd, "", 0) == -1) && errno == EPIPE)
683 		return (-1);
684 	return (0);
685 }
686 
687 /*
688  * This routine drives the console I/O loop.  It polls for input from the
689  * master side of the console (output to the console), and from the client
690  * (input from the console user).  Additionally, it polls on the server fd,
691  * and disconnects any clients that might try to hook up with the zone while
692  * the console is in use.
693  *
694  * When the client first calls us up, it is expected to send a line giving
695  * its "identity"; this consists of the string 'IDENT <pid> <locale>'.
696  * This is so that we can report that the console is busy along with
697  * some diagnostics about who has it busy; the locale is used so that
698  * asynchronous messages about zone state (like the NOTICE: zone halted
699  * messages) can be output in the user's locale.
700  */
701 static void
702 do_console_io(zlog_t *zlogp, int consfd, int servfd)
703 {
704 	struct pollfd pollfds[4];
705 	char ibuf[BUFSIZ];
706 	int cc, ret;
707 	int clifd = -1;
708 	int pollerr = 0;
709 	char clilocale[MAXPATHLEN];
710 	pid_t clipid = 0;
711 
712 	/* console side, watch for read events */
713 	pollfds[0].fd = consfd;
714 	pollfds[0].events = POLLIN | POLLRDNORM | POLLRDBAND |
715 	    POLLPRI | POLLERR | POLLHUP | POLLNVAL;
716 
717 	/* client side, watch for read events */
718 	pollfds[1].fd = clifd;
719 	pollfds[1].events = pollfds[0].events;
720 
721 	/* the server socket; watch for events (new connections) */
722 	pollfds[2].fd = servfd;
723 	pollfds[2].events = pollfds[0].events;
724 
725 	/* the eventstram; watch for events (e.g.: zone halted) */
726 	pollfds[3].fd = eventstream[1];
727 	pollfds[3].events = pollfds[0].events;
728 
729 	for (;;) {
730 		pollfds[0].revents = pollfds[1].revents = 0;
731 		pollfds[2].revents = pollfds[3].revents = 0;
732 
733 		ret = poll(pollfds,
734 		    sizeof (pollfds) / sizeof (struct pollfd), -1);
735 		if (ret == -1 && errno != EINTR) {
736 			zerror(zlogp, B_TRUE, "poll failed");
737 			/* we are hosed, close connection */
738 			break;
739 		}
740 
741 		/* event from console side */
742 		if (pollfds[0].revents) {
743 			if (pollfds[0].revents &
744 			    (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
745 				errno = 0;
746 				cc = read(consfd, ibuf, BUFSIZ);
747 				if (cc <= 0 && (errno != EINTR) &&
748 				    (errno != EAGAIN))
749 					break;
750 				/*
751 				 * Lose I/O if no one is listening
752 				 */
753 				if (clifd != -1 && cc > 0)
754 					(void) write(clifd, ibuf, cc);
755 			} else {
756 				pollerr = pollfds[0].revents;
757 				zerror(zlogp, B_FALSE,
758 				    "closing connection with (console) "
759 				    "pollerr %d\n", pollerr);
760 				break;
761 			}
762 		}
763 
764 		/* event from client side */
765 		if (pollfds[1].revents) {
766 			if (pollfds[1].revents &
767 			    (POLLIN | POLLRDNORM | POLLRDBAND | POLLPRI)) {
768 				errno = 0;
769 				cc = read(clifd, ibuf, BUFSIZ);
770 				if (cc <= 0 && (errno != EINTR) &&
771 				    (errno != EAGAIN))
772 					break;
773 				(void) write(consfd, ibuf, cc);
774 			} else {
775 				pollerr = pollfds[1].revents;
776 				zerror(zlogp, B_FALSE,
777 				    "closing connection with (client) "
778 				    "pollerr %d\n", pollerr);
779 				break;
780 			}
781 		}
782 
783 		/* event from server socket */
784 		if (pollfds[2].revents &&
785 		    (pollfds[2].revents & (POLLIN | POLLRDNORM))) {
786 			if (clifd != -1) {
787 				/*
788 				 * Test the client to see if it is really
789 				 * still alive.  If it has died but we
790 				 * haven't yet detected that, we might
791 				 * deny a legitimate connect attempt.  If it
792 				 * is dead, we break out; once we tear down
793 				 * the old connection, the new connection
794 				 * will happen.
795 				 */
796 				if (test_client(clifd) == -1) {
797 					break;
798 				}
799 				/* we're already handling a client */
800 				reject_client(servfd, clipid);
801 
802 
803 			} else if ((clifd = accept_client(servfd, &clipid,
804 			    clilocale, sizeof (clilocale))) != -1) {
805 				pollfds[1].fd = clifd;
806 
807 			} else {
808 				break;
809 			}
810 		}
811 
812 		/*
813 		 * Watch for events on the eventstream.  This is how we get
814 		 * notified of the zone halting, etc.  It provides us a
815 		 * "wakeup" from poll when important things happen, which
816 		 * is good.
817 		 */
818 		if (pollfds[3].revents) {
819 			int evt = eventstream_read();
820 			/*
821 			 * After we drain out the event, if we aren't servicing
822 			 * a console client, we hop back out to our caller,
823 			 * which will check to see if it is time to shutdown
824 			 * the daemon, or if we should take another console
825 			 * service lap.
826 			 */
827 			if (clifd == -1) {
828 				break;
829 			}
830 			event_message(clifd, clilocale, evt);
831 			/*
832 			 * Special handling for the message that the zone is
833 			 * uninstalling; we boot the client, then break out
834 			 * of this function.  When we return to the
835 			 * serve_console loop, we will see that the zone is
836 			 * in a state < READY, and so zoneadmd will shutdown.
837 			 */
838 			if (evt == Z_EVT_ZONE_UNINSTALLING) {
839 				break;
840 			}
841 		}
842 
843 	}
844 
845 	if (clifd != -1) {
846 		(void) shutdown(clifd, SHUT_RDWR);
847 		(void) close(clifd);
848 	}
849 }
850 
851 int
852 init_console(zlog_t *zlogp)
853 {
854 	if (init_console_dev(zlogp) == -1) {
855 		zerror(zlogp, B_FALSE,
856 		    "console setup: device initialization failed");
857 		return (-1);
858 	}
859 
860 	if ((serverfd = init_console_sock(zlogp)) == -1) {
861 		zerror(zlogp, B_FALSE,
862 		    "console setup: socket initialization failed");
863 		return (-1);
864 	}
865 	return (0);
866 }
867 
868 /*
869  * serve_console() is the master loop for driving console I/O.  It is also the
870  * routine which is ultimately responsible for "pulling the plug" on zoneadmd
871  * when it realizes that the daemon should shut down.
872  *
873  * The rules for shutdown are: there must be no console client, and the zone
874  * state must be < ready.  However, we need to give things a chance to actually
875  * get going when the daemon starts up-- otherwise the daemon would immediately
876  * exit on startup if the zone was in the installed state, so we first drop
877  * into the do_console_io() loop in order to give *something* a chance to
878  * happen.
879  */
880 void
881 serve_console(zlog_t *zlogp)
882 {
883 	int masterfd;
884 	zone_state_t zstate;
885 	char conspath[MAXPATHLEN];
886 
887 	(void) snprintf(conspath, sizeof (conspath),
888 	    "/dev/zcons/%s/%s", zone_name, ZCONS_MASTER_NAME);
889 
890 	for (;;) {
891 		masterfd = open(conspath, O_RDWR|O_NONBLOCK|O_NOCTTY);
892 		if (masterfd == -1) {
893 			zerror(zlogp, B_TRUE, "failed to open console master");
894 			(void) mutex_lock(&lock);
895 			goto death;
896 		}
897 
898 		/*
899 		 * Setting RPROTDIS on the stream means that the control
900 		 * portion of messages received (which we don't care about)
901 		 * will be discarded by the stream head.  If we allowed such
902 		 * messages, we wouldn't be able to use read(2), as it fails
903 		 * (EBADMSG) when a message with a control element is received.
904 		 */
905 		if (ioctl(masterfd, I_SRDOPT, RNORM|RPROTDIS) == -1) {
906 			zerror(zlogp, B_TRUE, "failed to set options on "
907 			    "console master");
908 			(void) mutex_lock(&lock);
909 			goto death;
910 		}
911 
912 		do_console_io(zlogp, masterfd, serverfd);
913 
914 		/*
915 		 * We would prefer not to do this, but hostile zone processes
916 		 * can cause the stream to become tainted, and reads will
917 		 * fail.  So, in case something has gone seriously ill,
918 		 * we dismantle the stream and reopen the console when we
919 		 * take another lap.
920 		 */
921 		(void) close(masterfd);
922 
923 		(void) mutex_lock(&lock);
924 		/*
925 		 * We need to set death_throes (see below) atomically with
926 		 * respect to noticing that (a) we have no console client and
927 		 * (b) the zone is not installed.  Otherwise we could get a
928 		 * request to boot during this time.  Once we set death_throes,
929 		 * any incoming door stuff will be turned away.
930 		 */
931 		if (zone_get_state(zone_name, &zstate) == Z_OK) {
932 			if (zstate < ZONE_STATE_READY)
933 				goto death;
934 		} else {
935 			zerror(zlogp, B_FALSE,
936 			    "unable to determine state of zone");
937 			goto death;
938 		}
939 		/*
940 		 * Even if zone_get_state() fails, stay conservative, and
941 		 * take another lap.
942 		 */
943 		(void) mutex_unlock(&lock);
944 	}
945 
946 death:
947 	assert(MUTEX_HELD(&lock));
948 	in_death_throes = B_TRUE;
949 	(void) mutex_unlock(&lock);
950 
951 	destroy_console_sock(serverfd);
952 	(void) destroy_console_devs(zlogp);
953 }
954