1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * zoneadmd manages zones; one zoneadmd process is launched for each 28 * non-global zone on the system. This daemon juggles four jobs: 29 * 30 * - Implement setup and teardown of the zone "virtual platform": mount and 31 * unmount filesystems; create and destroy network interfaces; communicate 32 * with devfsadmd to lay out devices for the zone; instantiate the zone 33 * console device; configure process runtime attributes such as resource 34 * controls, pool bindings, fine-grained privileges. 35 * 36 * - Launch the zone's init(1M) process. 37 * 38 * - Implement a door server; clients (like zoneadm) connect to the door 39 * server and request zone state changes. The kernel is also a client of 40 * this door server. A request to halt or reboot the zone which originates 41 * *inside* the zone results in a door upcall from the kernel into zoneadmd. 42 * 43 * One minor problem is that messages emitted by zoneadmd need to be passed 44 * back to the zoneadm process making the request. These messages need to 45 * be rendered in the client's locale; so, this is passed in as part of the 46 * request. The exception is the kernel upcall to zoneadmd, in which case 47 * messages are syslog'd. 48 * 49 * To make all of this work, the Makefile adds -a to xgettext to extract *all* 50 * strings, and an exclusion file (zoneadmd.xcl) is used to exclude those 51 * strings which do not need to be translated. 52 * 53 * - Act as a console server for zlogin -C processes; see comments in zcons.c 54 * for more information about the zone console architecture. 55 * 56 * DESIGN NOTES 57 * 58 * Restart: 59 * A chief design constraint of zoneadmd is that it should be restartable in 60 * the case that the administrator kills it off, or it suffers a fatal error, 61 * without the running zone being impacted; this is akin to being able to 62 * reboot the service processor of a server without affecting the OS instance. 63 */ 64 65 #include <sys/param.h> 66 #include <sys/mman.h> 67 #include <sys/types.h> 68 #include <sys/stat.h> 69 #include <sys/sysmacros.h> 70 71 #include <bsm/adt.h> 72 #include <bsm/adt_event.h> 73 74 #include <alloca.h> 75 #include <assert.h> 76 #include <errno.h> 77 #include <door.h> 78 #include <fcntl.h> 79 #include <locale.h> 80 #include <signal.h> 81 #include <stdarg.h> 82 #include <stdio.h> 83 #include <stdlib.h> 84 #include <string.h> 85 #include <strings.h> 86 #include <synch.h> 87 #include <syslog.h> 88 #include <thread.h> 89 #include <unistd.h> 90 #include <wait.h> 91 #include <limits.h> 92 #include <zone.h> 93 #include <libbrand.h> 94 #include <sys/brand.h> 95 #include <libcontract.h> 96 #include <libcontract_priv.h> 97 #include <sys/brand.h> 98 #include <sys/contract/process.h> 99 #include <sys/ctfs.h> 100 #include <libdladm.h> 101 #include <sys/dls_mgmt.h> 102 103 #include <libzonecfg.h> 104 #include "zoneadmd.h" 105 106 static char *progname; 107 char *zone_name; /* zone which we are managing */ 108 char *pool_name; 109 char default_brand[MAXNAMELEN]; 110 char brand_name[MAXNAMELEN]; 111 boolean_t zone_isnative; 112 boolean_t zone_iscluster; 113 boolean_t zone_islabeled; 114 static zoneid_t zone_id; 115 dladm_handle_t dld_handle = NULL; 116 117 static char pre_statechg_hook[2 * MAXPATHLEN]; 118 static char post_statechg_hook[2 * MAXPATHLEN]; 119 char query_hook[2 * MAXPATHLEN]; 120 121 zlog_t logsys; 122 123 mutex_t lock = DEFAULTMUTEX; /* to serialize stuff */ 124 mutex_t msglock = DEFAULTMUTEX; /* for calling setlocale() */ 125 126 static sema_t scratch_sem; /* for scratch zones */ 127 128 static char zone_door_path[MAXPATHLEN]; 129 static int zone_door = -1; 130 131 boolean_t in_death_throes = B_FALSE; /* daemon is dying */ 132 boolean_t bringup_failure_recovery = B_FALSE; /* ignore certain failures */ 133 134 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */ 135 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */ 136 #endif 137 138 #define DEFAULT_LOCALE "C" 139 140 static const char * 141 z_cmd_name(zone_cmd_t zcmd) 142 { 143 /* This list needs to match the enum in sys/zone.h */ 144 static const char *zcmdstr[] = { 145 "ready", "boot", "forceboot", "reboot", "halt", 146 "note_uninstalling", "mount", "forcemount", "unmount" 147 }; 148 149 if (zcmd >= sizeof (zcmdstr) / sizeof (*zcmdstr)) 150 return ("unknown"); 151 else 152 return (zcmdstr[(int)zcmd]); 153 } 154 155 static char * 156 get_execbasename(char *execfullname) 157 { 158 char *last_slash, *execbasename; 159 160 /* guard against '/' at end of command invocation */ 161 for (;;) { 162 last_slash = strrchr(execfullname, '/'); 163 if (last_slash == NULL) { 164 execbasename = execfullname; 165 break; 166 } else { 167 execbasename = last_slash + 1; 168 if (*execbasename == '\0') { 169 *last_slash = '\0'; 170 continue; 171 } 172 break; 173 } 174 } 175 return (execbasename); 176 } 177 178 static void 179 usage(void) 180 { 181 (void) fprintf(stderr, gettext("Usage: %s -z zonename\n"), progname); 182 (void) fprintf(stderr, 183 gettext("\tNote: %s should not be run directly.\n"), progname); 184 exit(2); 185 } 186 187 /* ARGSUSED */ 188 static void 189 sigchld(int sig) 190 { 191 } 192 193 char * 194 localize_msg(char *locale, const char *msg) 195 { 196 char *out; 197 198 (void) mutex_lock(&msglock); 199 (void) setlocale(LC_MESSAGES, locale); 200 out = gettext(msg); 201 (void) setlocale(LC_MESSAGES, DEFAULT_LOCALE); 202 (void) mutex_unlock(&msglock); 203 return (out); 204 } 205 206 /* PRINTFLIKE3 */ 207 void 208 zerror(zlog_t *zlogp, boolean_t use_strerror, const char *fmt, ...) 209 { 210 va_list alist; 211 char buf[MAXPATHLEN * 2]; /* enough space for err msg with a path */ 212 char *bp; 213 int saved_errno = errno; 214 215 if (zlogp == NULL) 216 return; 217 if (zlogp == &logsys) 218 (void) snprintf(buf, sizeof (buf), "[zone '%s'] ", 219 zone_name); 220 else 221 buf[0] = '\0'; 222 bp = &(buf[strlen(buf)]); 223 224 /* 225 * In theory, the locale pointer should be set to either "C" or a 226 * char array, so it should never be NULL 227 */ 228 assert(zlogp->locale != NULL); 229 /* Locale is per process, but we are multi-threaded... */ 230 fmt = localize_msg(zlogp->locale, fmt); 231 232 va_start(alist, fmt); 233 (void) vsnprintf(bp, sizeof (buf) - (bp - buf), fmt, alist); 234 va_end(alist); 235 bp = &(buf[strlen(buf)]); 236 if (use_strerror) 237 (void) snprintf(bp, sizeof (buf) - (bp - buf), ": %s", 238 strerror(saved_errno)); 239 if (zlogp == &logsys) { 240 (void) syslog(LOG_ERR, "%s", buf); 241 } else if (zlogp->logfile != NULL) { 242 (void) fprintf(zlogp->logfile, "%s\n", buf); 243 } else { 244 size_t buflen; 245 size_t copylen; 246 247 buflen = snprintf(zlogp->log, zlogp->loglen, "%s\n", buf); 248 copylen = MIN(buflen, zlogp->loglen); 249 zlogp->log += copylen; 250 zlogp->loglen -= copylen; 251 } 252 } 253 254 /* 255 * Emit a warning for any boot arguments which are unrecognized. Since 256 * Solaris boot arguments are getopt(3c) compatible (see kernel(1m)), we 257 * put the arguments into an argv style array, use getopt to process them, 258 * and put the resultant argument string back into outargs. 259 * 260 * During the filtering, we pull out any arguments which are truly "boot" 261 * arguments, leaving only those which are to be passed intact to the 262 * progenitor process. The one we support at the moment is -i, which 263 * indicates to the kernel which program should be launched as 'init'. 264 * 265 * A return of Z_INVAL indicates specifically that the arguments are 266 * not valid; this is a non-fatal error. Except for Z_OK, all other return 267 * values are treated as fatal. 268 */ 269 static int 270 filter_bootargs(zlog_t *zlogp, const char *inargs, char *outargs, 271 char *init_file, char *badarg) 272 { 273 int argc = 0, argc_save; 274 int i; 275 int err; 276 char *arg, *lasts, **argv = NULL, **argv_save; 277 char zonecfg_args[BOOTARGS_MAX]; 278 char scratchargs[BOOTARGS_MAX], *sargs; 279 char c; 280 281 bzero(outargs, BOOTARGS_MAX); 282 bzero(badarg, BOOTARGS_MAX); 283 284 /* 285 * If the user didn't specify transient boot arguments, check 286 * to see if there were any specified in the zone configuration, 287 * and use them if applicable. 288 */ 289 if (inargs == NULL || inargs[0] == '\0') { 290 zone_dochandle_t handle; 291 if ((handle = zonecfg_init_handle()) == NULL) { 292 zerror(zlogp, B_TRUE, 293 "getting zone configuration handle"); 294 return (Z_BAD_HANDLE); 295 } 296 err = zonecfg_get_snapshot_handle(zone_name, handle); 297 if (err != Z_OK) { 298 zerror(zlogp, B_FALSE, 299 "invalid configuration snapshot"); 300 zonecfg_fini_handle(handle); 301 return (Z_BAD_HANDLE); 302 } 303 304 bzero(zonecfg_args, sizeof (zonecfg_args)); 305 (void) zonecfg_get_bootargs(handle, zonecfg_args, 306 sizeof (zonecfg_args)); 307 inargs = zonecfg_args; 308 zonecfg_fini_handle(handle); 309 } 310 311 if (strlen(inargs) >= BOOTARGS_MAX) { 312 zerror(zlogp, B_FALSE, "boot argument string too long"); 313 return (Z_INVAL); 314 } 315 316 (void) strlcpy(scratchargs, inargs, sizeof (scratchargs)); 317 sargs = scratchargs; 318 while ((arg = strtok_r(sargs, " \t", &lasts)) != NULL) { 319 sargs = NULL; 320 argc++; 321 } 322 323 if ((argv = calloc(argc + 1, sizeof (char *))) == NULL) { 324 zerror(zlogp, B_FALSE, "memory allocation failed"); 325 return (Z_NOMEM); 326 } 327 328 argv_save = argv; 329 argc_save = argc; 330 331 (void) strlcpy(scratchargs, inargs, sizeof (scratchargs)); 332 sargs = scratchargs; 333 i = 0; 334 while ((arg = strtok_r(sargs, " \t", &lasts)) != NULL) { 335 sargs = NULL; 336 if ((argv[i] = strdup(arg)) == NULL) { 337 err = Z_NOMEM; 338 zerror(zlogp, B_FALSE, "memory allocation failed"); 339 goto done; 340 } 341 i++; 342 } 343 344 /* 345 * We preserve compatibility with the Solaris system boot behavior, 346 * which allows: 347 * 348 * # reboot kernel/unix -s -m verbose 349 * 350 * In this example, kernel/unix tells the booter what file to 351 * boot. We don't want reboot in a zone to be gratuitously different, 352 * so we silently ignore the boot file, if necessary. 353 */ 354 if (argv[0] == NULL) 355 goto done; 356 357 assert(argv[0][0] != ' '); 358 assert(argv[0][0] != '\t'); 359 360 if (argv[0][0] != '-' && argv[0][0] != '\0') { 361 argv = &argv[1]; 362 argc--; 363 } 364 365 optind = 0; 366 opterr = 0; 367 err = Z_OK; 368 while ((c = getopt(argc, argv, "fi:m:s")) != -1) { 369 switch (c) { 370 case 'i': 371 /* 372 * -i is handled by the runtime and is not passed 373 * along to userland 374 */ 375 (void) strlcpy(init_file, optarg, MAXPATHLEN); 376 break; 377 case 'f': 378 /* This has already been processed by zoneadm */ 379 break; 380 case 'm': 381 case 's': 382 /* These pass through unmolested */ 383 (void) snprintf(outargs, BOOTARGS_MAX, 384 "%s -%c %s ", outargs, c, optarg ? optarg : ""); 385 break; 386 case '?': 387 /* 388 * We warn about unknown arguments but pass them 389 * along anyway-- if someone wants to develop their 390 * own init replacement, they can pass it whatever 391 * args they want. 392 */ 393 err = Z_INVAL; 394 (void) snprintf(outargs, BOOTARGS_MAX, 395 "%s -%c", outargs, optopt); 396 (void) snprintf(badarg, BOOTARGS_MAX, 397 "%s -%c", badarg, optopt); 398 break; 399 } 400 } 401 402 /* 403 * For Solaris Zones we warn about and discard non-option arguments. 404 * Hence 'boot foo bar baz gub' --> 'boot'. However, to be similar 405 * to the kernel, we concat up all the other remaining boot args. 406 * and warn on them as a group. 407 */ 408 if (optind < argc) { 409 err = Z_INVAL; 410 while (optind < argc) { 411 (void) snprintf(badarg, BOOTARGS_MAX, "%s%s%s", 412 badarg, strlen(badarg) > 0 ? " " : "", 413 argv[optind]); 414 optind++; 415 } 416 zerror(zlogp, B_FALSE, "WARNING: Unused or invalid boot " 417 "arguments `%s'.", badarg); 418 } 419 420 done: 421 for (i = 0; i < argc_save; i++) { 422 if (argv_save[i] != NULL) 423 free(argv_save[i]); 424 } 425 free(argv_save); 426 return (err); 427 } 428 429 430 static int 431 mkzonedir(zlog_t *zlogp) 432 { 433 struct stat st; 434 /* 435 * We must create and lock everyone but root out of ZONES_TMPDIR 436 * since anyone can open any UNIX domain socket, regardless of 437 * its file system permissions. Sigh... 438 */ 439 if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) { 440 zerror(zlogp, B_TRUE, "could not mkdir '%s'", ZONES_TMPDIR); 441 return (-1); 442 } 443 /* paranoia */ 444 if ((stat(ZONES_TMPDIR, &st) < 0) || !S_ISDIR(st.st_mode)) { 445 zerror(zlogp, B_TRUE, "'%s' is not a directory", ZONES_TMPDIR); 446 return (-1); 447 } 448 (void) chmod(ZONES_TMPDIR, S_IRWXU); 449 return (0); 450 } 451 452 /* 453 * Run the brand's pre-state change callback, if it exists. 454 */ 455 static int 456 brand_prestatechg(zlog_t *zlogp, int state, int cmd) 457 { 458 char cmdbuf[2 * MAXPATHLEN]; 459 const char *altroot; 460 461 if (pre_statechg_hook[0] == '\0') 462 return (0); 463 464 altroot = zonecfg_get_root(); 465 if (snprintf(cmdbuf, sizeof (cmdbuf), "%s %d %d %s", pre_statechg_hook, 466 state, cmd, altroot) > sizeof (cmdbuf)) 467 return (-1); 468 469 if (do_subproc(zlogp, cmdbuf, NULL) != 0) 470 return (-1); 471 472 return (0); 473 } 474 475 /* 476 * Run the brand's post-state change callback, if it exists. 477 */ 478 static int 479 brand_poststatechg(zlog_t *zlogp, int state, int cmd) 480 { 481 char cmdbuf[2 * MAXPATHLEN]; 482 const char *altroot; 483 484 if (post_statechg_hook[0] == '\0') 485 return (0); 486 487 altroot = zonecfg_get_root(); 488 if (snprintf(cmdbuf, sizeof (cmdbuf), "%s %d %d %s", post_statechg_hook, 489 state, cmd, altroot) > sizeof (cmdbuf)) 490 return (-1); 491 492 if (do_subproc(zlogp, cmdbuf, NULL) != 0) 493 return (-1); 494 495 return (0); 496 } 497 498 /* 499 * Bring a zone up to the pre-boot "ready" stage. The mount_cmd argument is 500 * 'true' if this is being invoked as part of the processing for the "mount" 501 * subcommand. 502 */ 503 static int 504 zone_ready(zlog_t *zlogp, zone_mnt_t mount_cmd, int zstate) 505 { 506 int err; 507 508 if (brand_prestatechg(zlogp, zstate, Z_READY) != 0) 509 return (-1); 510 511 if ((err = zonecfg_create_snapshot(zone_name)) != Z_OK) { 512 zerror(zlogp, B_FALSE, "unable to create snapshot: %s", 513 zonecfg_strerror(err)); 514 goto bad; 515 } 516 517 if ((zone_id = vplat_create(zlogp, mount_cmd)) == -1) { 518 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK) 519 zerror(zlogp, B_FALSE, "destroying snapshot: %s", 520 zonecfg_strerror(err)); 521 goto bad; 522 } 523 if (vplat_bringup(zlogp, mount_cmd, zone_id) != 0) { 524 bringup_failure_recovery = B_TRUE; 525 (void) vplat_teardown(NULL, (mount_cmd != Z_MNT_BOOT), B_FALSE); 526 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK) 527 zerror(zlogp, B_FALSE, "destroying snapshot: %s", 528 zonecfg_strerror(err)); 529 goto bad; 530 } 531 532 if (brand_poststatechg(zlogp, zstate, Z_READY) != 0) 533 goto bad; 534 535 return (0); 536 537 bad: 538 /* 539 * If something goes wrong, we up the zones's state to the target 540 * state, READY, and then invoke the hook as if we're halting. 541 */ 542 (void) brand_poststatechg(zlogp, ZONE_STATE_READY, Z_HALT); 543 return (-1); 544 } 545 546 int 547 init_template(void) 548 { 549 int fd; 550 int err = 0; 551 552 fd = open64(CTFS_ROOT "/process/template", O_RDWR); 553 if (fd == -1) 554 return (-1); 555 556 /* 557 * For now, zoneadmd doesn't do anything with the contract. 558 * Deliver no events, don't inherit, and allow it to be orphaned. 559 */ 560 err |= ct_tmpl_set_critical(fd, 0); 561 err |= ct_tmpl_set_informative(fd, 0); 562 err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR); 563 err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT); 564 if (err || ct_tmpl_activate(fd)) { 565 (void) close(fd); 566 return (-1); 567 } 568 569 return (fd); 570 } 571 572 typedef struct fs_callback { 573 zlog_t *zlogp; 574 zoneid_t zoneid; 575 boolean_t mount_cmd; 576 } fs_callback_t; 577 578 static int 579 mount_early_fs(void *data, const char *spec, const char *dir, 580 const char *fstype, const char *opt) 581 { 582 zlog_t *zlogp = ((fs_callback_t *)data)->zlogp; 583 zoneid_t zoneid = ((fs_callback_t *)data)->zoneid; 584 boolean_t mount_cmd = ((fs_callback_t *)data)->mount_cmd; 585 char rootpath[MAXPATHLEN]; 586 pid_t child; 587 int child_status; 588 int tmpl_fd; 589 int rv; 590 ctid_t ct; 591 592 /* determine the zone rootpath */ 593 if (mount_cmd) { 594 char zonepath[MAXPATHLEN]; 595 char luroot[MAXPATHLEN]; 596 597 if (zone_get_zonepath(zone_name, 598 zonepath, sizeof (zonepath)) != Z_OK) { 599 zerror(zlogp, B_FALSE, "unable to determine zone path"); 600 return (-1); 601 } 602 603 (void) snprintf(luroot, sizeof (luroot), "%s/lu", zonepath); 604 resolve_lofs(zlogp, luroot, sizeof (luroot)); 605 (void) strlcpy(rootpath, luroot, sizeof (rootpath)); 606 } else { 607 if (zone_get_rootpath(zone_name, 608 rootpath, sizeof (rootpath)) != Z_OK) { 609 zerror(zlogp, B_FALSE, "unable to determine zone root"); 610 return (-1); 611 } 612 } 613 614 if ((rv = valid_mount_path(zlogp, rootpath, spec, dir, fstype)) < 0) { 615 zerror(zlogp, B_FALSE, "%s%s is not a valid mount point", 616 rootpath, dir); 617 return (-1); 618 } else if (rv > 0) { 619 /* The mount point path doesn't exist, create it now. */ 620 if (make_one_dir(zlogp, rootpath, dir, 621 DEFAULT_DIR_MODE, DEFAULT_DIR_USER, 622 DEFAULT_DIR_GROUP) != 0) { 623 zerror(zlogp, B_FALSE, "failed to create mount point"); 624 return (-1); 625 } 626 627 /* 628 * Now this might seem weird, but we need to invoke 629 * valid_mount_path() again. Why? Because it checks 630 * to make sure that the mount point path is canonical, 631 * which it can only do if the path exists, so now that 632 * we've created the path we have to verify it again. 633 */ 634 if ((rv = valid_mount_path(zlogp, rootpath, spec, dir, 635 fstype)) < 0) { 636 zerror(zlogp, B_FALSE, 637 "%s%s is not a valid mount point", rootpath, dir); 638 return (-1); 639 } 640 } 641 642 if ((tmpl_fd = init_template()) == -1) { 643 zerror(zlogp, B_TRUE, "failed to create contract"); 644 return (-1); 645 } 646 647 if ((child = fork()) == -1) { 648 (void) ct_tmpl_clear(tmpl_fd); 649 (void) close(tmpl_fd); 650 zerror(zlogp, B_TRUE, "failed to fork"); 651 return (-1); 652 653 } else if (child == 0) { /* child */ 654 char opt_buf[MAX_MNTOPT_STR]; 655 int optlen = 0; 656 int mflag = MS_DATA; 657 658 (void) ct_tmpl_clear(tmpl_fd); 659 /* 660 * Even though there are no procs running in the zone, we 661 * do this for paranoia's sake. 662 */ 663 (void) closefrom(0); 664 665 if (zone_enter(zoneid) == -1) { 666 _exit(errno); 667 } 668 if (opt != NULL) { 669 /* 670 * The mount() system call is incredibly annoying. 671 * If options are specified, we need to copy them 672 * into a temporary buffer since the mount() system 673 * call will overwrite the options string. It will 674 * also fail if the new option string it wants to 675 * write is bigger than the one we passed in, so 676 * you must pass in a buffer of the maximum possible 677 * option string length. sigh. 678 */ 679 (void) strlcpy(opt_buf, opt, sizeof (opt_buf)); 680 opt = opt_buf; 681 optlen = MAX_MNTOPT_STR; 682 mflag = MS_OPTIONSTR; 683 } 684 if (mount(spec, dir, mflag, fstype, NULL, 0, opt, optlen) != 0) 685 _exit(errno); 686 _exit(0); 687 } 688 689 /* parent */ 690 if (contract_latest(&ct) == -1) 691 ct = -1; 692 (void) ct_tmpl_clear(tmpl_fd); 693 (void) close(tmpl_fd); 694 if (waitpid(child, &child_status, 0) != child) { 695 /* unexpected: we must have been signalled */ 696 (void) contract_abandon_id(ct); 697 return (-1); 698 } 699 (void) contract_abandon_id(ct); 700 if (WEXITSTATUS(child_status) != 0) { 701 errno = WEXITSTATUS(child_status); 702 zerror(zlogp, B_TRUE, "mount of %s failed", dir); 703 return (-1); 704 } 705 706 return (0); 707 } 708 709 /* 710 * If retstr is not NULL, the output of the subproc is returned in the str, 711 * otherwise it is output using zerror(). Any memory allocated for retstr 712 * should be freed by the caller. 713 */ 714 int 715 do_subproc(zlog_t *zlogp, char *cmdbuf, char **retstr) 716 { 717 char buf[1024]; /* arbitrary large amount */ 718 char *inbuf; 719 FILE *file; 720 int status; 721 int rd_cnt; 722 723 if (retstr != NULL) { 724 if ((*retstr = malloc(1024)) == NULL) { 725 zerror(zlogp, B_FALSE, "out of memory"); 726 return (-1); 727 } 728 inbuf = *retstr; 729 rd_cnt = 0; 730 } else { 731 inbuf = buf; 732 } 733 734 file = popen(cmdbuf, "r"); 735 if (file == NULL) { 736 zerror(zlogp, B_TRUE, "could not launch: %s", cmdbuf); 737 return (-1); 738 } 739 740 while (fgets(inbuf, 1024, file) != NULL) { 741 if (retstr == NULL) { 742 if (zlogp != &logsys) 743 zerror(zlogp, B_FALSE, "%s", inbuf); 744 } else { 745 char *p; 746 747 rd_cnt += 1024 - 1; 748 if ((p = realloc(*retstr, rd_cnt + 1024)) == NULL) { 749 zerror(zlogp, B_FALSE, "out of memory"); 750 (void) pclose(file); 751 return (-1); 752 } 753 754 *retstr = p; 755 inbuf = *retstr + rd_cnt; 756 } 757 } 758 status = pclose(file); 759 760 if (WIFSIGNALED(status)) { 761 zerror(zlogp, B_FALSE, "%s unexpectedly terminated due to " 762 "signal %d", cmdbuf, WTERMSIG(status)); 763 return (-1); 764 } 765 assert(WIFEXITED(status)); 766 if (WEXITSTATUS(status) == ZEXIT_EXEC) { 767 zerror(zlogp, B_FALSE, "failed to exec %s", cmdbuf); 768 return (-1); 769 } 770 return (WEXITSTATUS(status)); 771 } 772 773 static int 774 zone_bootup(zlog_t *zlogp, const char *bootargs, int zstate) 775 { 776 zoneid_t zoneid; 777 struct stat st; 778 char zpath[MAXPATHLEN], initpath[MAXPATHLEN], init_file[MAXPATHLEN]; 779 char nbootargs[BOOTARGS_MAX]; 780 char cmdbuf[MAXPATHLEN]; 781 fs_callback_t cb; 782 brand_handle_t bh; 783 zone_iptype_t iptype; 784 boolean_t links_loaded = B_FALSE; 785 dladm_status_t status; 786 char errmsg[DLADM_STRSIZE]; 787 int err; 788 789 if (brand_prestatechg(zlogp, zstate, Z_BOOT) != 0) 790 return (-1); 791 792 if ((zoneid = getzoneidbyname(zone_name)) == -1) { 793 zerror(zlogp, B_TRUE, "unable to get zoneid"); 794 goto bad; 795 } 796 797 cb.zlogp = zlogp; 798 cb.zoneid = zoneid; 799 cb.mount_cmd = B_FALSE; 800 801 /* Get a handle to the brand info for this zone */ 802 if ((bh = brand_open(brand_name)) == NULL) { 803 zerror(zlogp, B_FALSE, "unable to determine zone brand"); 804 goto bad; 805 } 806 807 /* 808 * Get the list of filesystems to mount from the brand 809 * configuration. These mounts are done via a thread that will 810 * enter the zone, so they are done from within the context of the 811 * zone. 812 */ 813 if (brand_platform_iter_mounts(bh, mount_early_fs, &cb) != 0) { 814 zerror(zlogp, B_FALSE, "unable to mount filesystems"); 815 brand_close(bh); 816 goto bad; 817 } 818 819 /* 820 * Get the brand's boot callback if it exists. 821 */ 822 if (zone_get_zonepath(zone_name, zpath, sizeof (zpath)) != Z_OK) { 823 zerror(zlogp, B_FALSE, "unable to determine zone path"); 824 brand_close(bh); 825 goto bad; 826 } 827 (void) strcpy(cmdbuf, EXEC_PREFIX); 828 if (brand_get_boot(bh, zone_name, zpath, cmdbuf + EXEC_LEN, 829 sizeof (cmdbuf) - EXEC_LEN) != 0) { 830 zerror(zlogp, B_FALSE, 831 "unable to determine branded zone's boot callback"); 832 brand_close(bh); 833 goto bad; 834 } 835 836 /* Get the path for this zone's init(1M) (or equivalent) process. */ 837 if (brand_get_initname(bh, init_file, MAXPATHLEN) != 0) { 838 zerror(zlogp, B_FALSE, 839 "unable to determine zone's init(1M) location"); 840 brand_close(bh); 841 goto bad; 842 } 843 844 brand_close(bh); 845 846 err = filter_bootargs(zlogp, bootargs, nbootargs, init_file, 847 bad_boot_arg); 848 if (err == Z_INVAL) 849 eventstream_write(Z_EVT_ZONE_BADARGS); 850 else if (err != Z_OK) 851 goto bad; 852 853 assert(init_file[0] != '\0'); 854 855 /* Try to anticipate possible problems: Make sure init is executable. */ 856 if (zone_get_rootpath(zone_name, zpath, sizeof (zpath)) != Z_OK) { 857 zerror(zlogp, B_FALSE, "unable to determine zone root"); 858 goto bad; 859 } 860 861 (void) snprintf(initpath, sizeof (initpath), "%s%s", zpath, init_file); 862 863 if (stat(initpath, &st) == -1) { 864 zerror(zlogp, B_TRUE, "could not stat %s", initpath); 865 goto bad; 866 } 867 868 if ((st.st_mode & S_IXUSR) == 0) { 869 zerror(zlogp, B_FALSE, "%s is not executable", initpath); 870 goto bad; 871 } 872 873 /* 874 * Exclusive stack zones interact with the dlmgmtd running in the 875 * global zone. dladm_zone_boot() tells dlmgmtd that this zone is 876 * booting, and loads its datalinks from the zone's datalink 877 * configuration file. 878 */ 879 if (vplat_get_iptype(zlogp, &iptype) == 0 && iptype == ZS_EXCLUSIVE) { 880 status = dladm_zone_boot(dld_handle, zoneid); 881 if (status != DLADM_STATUS_OK) { 882 zerror(zlogp, B_FALSE, "unable to load zone datalinks: " 883 " %s", dladm_status2str(status, errmsg)); 884 goto bad; 885 } 886 links_loaded = B_TRUE; 887 } 888 889 /* 890 * If there is a brand 'boot' callback, execute it now to give the 891 * brand one last chance to do any additional setup before the zone 892 * is booted. 893 */ 894 if ((strlen(cmdbuf) > EXEC_LEN) && 895 (do_subproc(zlogp, cmdbuf, NULL) != Z_OK)) { 896 zerror(zlogp, B_FALSE, "%s failed", cmdbuf); 897 goto bad; 898 } 899 900 if (zone_setattr(zoneid, ZONE_ATTR_INITNAME, init_file, 0) == -1) { 901 zerror(zlogp, B_TRUE, "could not set zone boot file"); 902 goto bad; 903 } 904 905 if (zone_setattr(zoneid, ZONE_ATTR_BOOTARGS, nbootargs, 0) == -1) { 906 zerror(zlogp, B_TRUE, "could not set zone boot arguments"); 907 goto bad; 908 } 909 910 if (zone_boot(zoneid) == -1) { 911 zerror(zlogp, B_TRUE, "unable to boot zone"); 912 goto bad; 913 } 914 915 if (brand_poststatechg(zlogp, zstate, Z_BOOT) != 0) 916 goto bad; 917 918 return (0); 919 920 bad: 921 /* 922 * If something goes wrong, we up the zones's state to the target 923 * state, RUNNING, and then invoke the hook as if we're halting. 924 */ 925 (void) brand_poststatechg(zlogp, ZONE_STATE_RUNNING, Z_HALT); 926 if (links_loaded) 927 (void) dladm_zone_halt(dld_handle, zoneid); 928 return (-1); 929 } 930 931 static int 932 zone_halt(zlog_t *zlogp, boolean_t unmount_cmd, boolean_t rebooting, int zstate) 933 { 934 int err; 935 936 if (brand_prestatechg(zlogp, zstate, Z_HALT) != 0) 937 return (-1); 938 939 if (vplat_teardown(zlogp, unmount_cmd, rebooting) != 0) { 940 if (!bringup_failure_recovery) 941 zerror(zlogp, B_FALSE, "unable to destroy zone"); 942 return (-1); 943 } 944 945 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK) 946 zerror(zlogp, B_FALSE, "destroying snapshot: %s", 947 zonecfg_strerror(err)); 948 949 if (brand_poststatechg(zlogp, zstate, Z_HALT) != 0) 950 return (-1); 951 952 return (0); 953 } 954 955 /* 956 * Generate AUE_zone_state for a command that boots a zone. 957 */ 958 static void 959 audit_put_record(zlog_t *zlogp, ucred_t *uc, int return_val, 960 char *new_state) 961 { 962 adt_session_data_t *ah; 963 adt_event_data_t *event; 964 int pass_fail, fail_reason; 965 966 if (!adt_audit_enabled()) 967 return; 968 969 if (return_val == 0) { 970 pass_fail = ADT_SUCCESS; 971 fail_reason = ADT_SUCCESS; 972 } else { 973 pass_fail = ADT_FAILURE; 974 fail_reason = ADT_FAIL_VALUE_PROGRAM; 975 } 976 977 if (adt_start_session(&ah, NULL, 0)) { 978 zerror(zlogp, B_TRUE, gettext("audit failure.")); 979 return; 980 } 981 if (adt_set_from_ucred(ah, uc, ADT_NEW)) { 982 zerror(zlogp, B_TRUE, gettext("audit failure.")); 983 (void) adt_end_session(ah); 984 return; 985 } 986 987 event = adt_alloc_event(ah, ADT_zone_state); 988 if (event == NULL) { 989 zerror(zlogp, B_TRUE, gettext("audit failure.")); 990 (void) adt_end_session(ah); 991 return; 992 } 993 event->adt_zone_state.zonename = zone_name; 994 event->adt_zone_state.new_state = new_state; 995 996 if (adt_put_event(event, pass_fail, fail_reason)) 997 zerror(zlogp, B_TRUE, gettext("audit failure.")); 998 999 adt_free_event(event); 1000 1001 (void) adt_end_session(ah); 1002 } 1003 1004 /* 1005 * The main routine for the door server that deals with zone state transitions. 1006 */ 1007 /* ARGSUSED */ 1008 static void 1009 server(void *cookie, char *args, size_t alen, door_desc_t *dp, 1010 uint_t n_desc) 1011 { 1012 ucred_t *uc = NULL; 1013 const priv_set_t *eset; 1014 1015 zone_state_t zstate; 1016 zone_cmd_t cmd; 1017 zone_cmd_arg_t *zargp; 1018 1019 boolean_t kernelcall; 1020 1021 int rval = -1; 1022 uint64_t uniqid; 1023 zoneid_t zoneid = -1; 1024 zlog_t zlog; 1025 zlog_t *zlogp; 1026 zone_cmd_rval_t *rvalp; 1027 size_t rlen = getpagesize(); /* conservative */ 1028 fs_callback_t cb; 1029 brand_handle_t bh; 1030 1031 /* LINTED E_BAD_PTR_CAST_ALIGN */ 1032 zargp = (zone_cmd_arg_t *)args; 1033 1034 /* 1035 * When we get the door unref message, we've fdetach'd the door, and 1036 * it is time for us to shut down zoneadmd. 1037 */ 1038 if (zargp == DOOR_UNREF_DATA) { 1039 /* 1040 * See comment at end of main() for info on the last rites. 1041 */ 1042 exit(0); 1043 } 1044 1045 if (zargp == NULL) { 1046 (void) door_return(NULL, 0, 0, 0); 1047 } 1048 1049 rvalp = alloca(rlen); 1050 bzero(rvalp, rlen); 1051 zlog.logfile = NULL; 1052 zlog.buflen = zlog.loglen = rlen - sizeof (zone_cmd_rval_t) + 1; 1053 zlog.buf = rvalp->errbuf; 1054 zlog.log = zlog.buf; 1055 /* defer initialization of zlog.locale until after credential check */ 1056 zlogp = &zlog; 1057 1058 if (alen != sizeof (zone_cmd_arg_t)) { 1059 /* 1060 * This really shouldn't be happening. 1061 */ 1062 zerror(&logsys, B_FALSE, "argument size (%d bytes) " 1063 "unexpected (expected %d bytes)", alen, 1064 sizeof (zone_cmd_arg_t)); 1065 goto out; 1066 } 1067 cmd = zargp->cmd; 1068 1069 if (door_ucred(&uc) != 0) { 1070 zerror(&logsys, B_TRUE, "door_ucred"); 1071 goto out; 1072 } 1073 eset = ucred_getprivset(uc, PRIV_EFFECTIVE); 1074 if (ucred_getzoneid(uc) != GLOBAL_ZONEID || 1075 (eset != NULL ? !priv_ismember(eset, PRIV_SYS_CONFIG) : 1076 ucred_geteuid(uc) != 0)) { 1077 zerror(&logsys, B_FALSE, "insufficient privileges"); 1078 goto out; 1079 } 1080 1081 kernelcall = ucred_getpid(uc) == 0; 1082 1083 /* 1084 * This is safe because we only use a zlog_t throughout the 1085 * duration of a door call; i.e., by the time the pointer 1086 * might become invalid, the door call would be over. 1087 */ 1088 zlog.locale = kernelcall ? DEFAULT_LOCALE : zargp->locale; 1089 1090 (void) mutex_lock(&lock); 1091 1092 /* 1093 * Once we start to really die off, we don't want more connections. 1094 */ 1095 if (in_death_throes) { 1096 (void) mutex_unlock(&lock); 1097 ucred_free(uc); 1098 (void) door_return(NULL, 0, 0, 0); 1099 thr_exit(NULL); 1100 } 1101 1102 /* 1103 * Check for validity of command. 1104 */ 1105 if (cmd != Z_READY && cmd != Z_BOOT && cmd != Z_FORCEBOOT && 1106 cmd != Z_REBOOT && cmd != Z_HALT && cmd != Z_NOTE_UNINSTALLING && 1107 cmd != Z_MOUNT && cmd != Z_FORCEMOUNT && cmd != Z_UNMOUNT) { 1108 zerror(&logsys, B_FALSE, "invalid command %d", (int)cmd); 1109 goto out; 1110 } 1111 1112 if (kernelcall && (cmd != Z_HALT && cmd != Z_REBOOT)) { 1113 /* 1114 * Can't happen 1115 */ 1116 zerror(&logsys, B_FALSE, "received unexpected kernel upcall %d", 1117 cmd); 1118 goto out; 1119 } 1120 /* 1121 * We ignore the possibility of someone calling zone_create(2) 1122 * explicitly; all requests must come through zoneadmd. 1123 */ 1124 if (zone_get_state(zone_name, &zstate) != Z_OK) { 1125 /* 1126 * Something terribly wrong happened 1127 */ 1128 zerror(&logsys, B_FALSE, "unable to determine state of zone"); 1129 goto out; 1130 } 1131 1132 if (kernelcall) { 1133 /* 1134 * Kernel-initiated requests may lose their validity if the 1135 * zone_t the kernel was referring to has gone away. 1136 */ 1137 if ((zoneid = getzoneidbyname(zone_name)) == -1 || 1138 zone_getattr(zoneid, ZONE_ATTR_UNIQID, &uniqid, 1139 sizeof (uniqid)) == -1 || uniqid != zargp->uniqid) { 1140 /* 1141 * We're not talking about the same zone. The request 1142 * must have arrived too late. Return error. 1143 */ 1144 rval = -1; 1145 goto out; 1146 } 1147 zlogp = &logsys; /* Log errors to syslog */ 1148 } 1149 1150 /* 1151 * If we are being asked to forcibly mount or boot a zone, we 1152 * pretend that an INCOMPLETE zone is actually INSTALLED. 1153 */ 1154 if (zstate == ZONE_STATE_INCOMPLETE && 1155 (cmd == Z_FORCEBOOT || cmd == Z_FORCEMOUNT)) 1156 zstate = ZONE_STATE_INSTALLED; 1157 1158 switch (zstate) { 1159 case ZONE_STATE_CONFIGURED: 1160 case ZONE_STATE_INCOMPLETE: 1161 /* 1162 * Not our area of expertise; we just print a nice message 1163 * and die off. 1164 */ 1165 zerror(zlogp, B_FALSE, 1166 "%s operation is invalid for zones in state '%s'", 1167 z_cmd_name(cmd), zone_state_str(zstate)); 1168 break; 1169 1170 case ZONE_STATE_INSTALLED: 1171 switch (cmd) { 1172 case Z_READY: 1173 rval = zone_ready(zlogp, Z_MNT_BOOT, zstate); 1174 if (rval == 0) 1175 eventstream_write(Z_EVT_ZONE_READIED); 1176 break; 1177 case Z_BOOT: 1178 case Z_FORCEBOOT: 1179 eventstream_write(Z_EVT_ZONE_BOOTING); 1180 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate)) 1181 == 0) { 1182 rval = zone_bootup(zlogp, zargp->bootbuf, 1183 zstate); 1184 } 1185 audit_put_record(zlogp, uc, rval, "boot"); 1186 if (rval != 0) { 1187 bringup_failure_recovery = B_TRUE; 1188 (void) zone_halt(zlogp, B_FALSE, B_FALSE, 1189 zstate); 1190 eventstream_write(Z_EVT_ZONE_BOOTFAILED); 1191 } 1192 break; 1193 case Z_HALT: 1194 if (kernelcall) /* Invalid; can't happen */ 1195 abort(); 1196 /* 1197 * We could have two clients racing to halt this 1198 * zone; the second client loses, but his request 1199 * doesn't fail, since the zone is now in the desired 1200 * state. 1201 */ 1202 zerror(zlogp, B_FALSE, "zone is already halted"); 1203 rval = 0; 1204 break; 1205 case Z_REBOOT: 1206 if (kernelcall) /* Invalid; can't happen */ 1207 abort(); 1208 zerror(zlogp, B_FALSE, "%s operation is invalid " 1209 "for zones in state '%s'", z_cmd_name(cmd), 1210 zone_state_str(zstate)); 1211 rval = -1; 1212 break; 1213 case Z_NOTE_UNINSTALLING: 1214 if (kernelcall) /* Invalid; can't happen */ 1215 abort(); 1216 /* 1217 * Tell the console to print out a message about this. 1218 * Once it does, we will be in_death_throes. 1219 */ 1220 eventstream_write(Z_EVT_ZONE_UNINSTALLING); 1221 break; 1222 case Z_MOUNT: 1223 case Z_FORCEMOUNT: 1224 if (kernelcall) /* Invalid; can't happen */ 1225 abort(); 1226 if (!zone_isnative && !zone_iscluster && 1227 !zone_islabeled) { 1228 /* 1229 * -U mounts the zone without lofs mounting 1230 * zone file systems back into the scratch 1231 * zone. This is required when mounting 1232 * non-native branded zones. 1233 */ 1234 (void) strlcpy(zargp->bootbuf, "-U", 1235 BOOTARGS_MAX); 1236 } 1237 1238 rval = zone_ready(zlogp, 1239 strcmp(zargp->bootbuf, "-U") == 0 ? 1240 Z_MNT_UPDATE : Z_MNT_SCRATCH, zstate); 1241 if (rval != 0) 1242 break; 1243 1244 eventstream_write(Z_EVT_ZONE_READIED); 1245 1246 /* 1247 * Get a handle to the default brand info. 1248 * We must always use the default brand file system 1249 * list when mounting the zone. 1250 */ 1251 if ((bh = brand_open(default_brand)) == NULL) { 1252 rval = -1; 1253 break; 1254 } 1255 1256 /* 1257 * Get the list of filesystems to mount from 1258 * the brand configuration. These mounts are done 1259 * via a thread that will enter the zone, so they 1260 * are done from within the context of the zone. 1261 */ 1262 cb.zlogp = zlogp; 1263 cb.zoneid = zone_id; 1264 cb.mount_cmd = B_TRUE; 1265 rval = brand_platform_iter_mounts(bh, 1266 mount_early_fs, &cb); 1267 1268 brand_close(bh); 1269 1270 /* 1271 * Ordinarily, /dev/fd would be mounted inside the zone 1272 * by svc:/system/filesystem/usr:default, but since 1273 * we're not booting the zone, we need to do this 1274 * manually. 1275 */ 1276 if (rval == 0) 1277 rval = mount_early_fs(&cb, 1278 "fd", "/dev/fd", "fd", NULL); 1279 break; 1280 case Z_UNMOUNT: 1281 if (kernelcall) /* Invalid; can't happen */ 1282 abort(); 1283 zerror(zlogp, B_FALSE, "zone is already unmounted"); 1284 rval = 0; 1285 break; 1286 } 1287 break; 1288 1289 case ZONE_STATE_READY: 1290 switch (cmd) { 1291 case Z_READY: 1292 /* 1293 * We could have two clients racing to ready this 1294 * zone; the second client loses, but his request 1295 * doesn't fail, since the zone is now in the desired 1296 * state. 1297 */ 1298 zerror(zlogp, B_FALSE, "zone is already ready"); 1299 rval = 0; 1300 break; 1301 case Z_BOOT: 1302 (void) strlcpy(boot_args, zargp->bootbuf, 1303 sizeof (boot_args)); 1304 eventstream_write(Z_EVT_ZONE_BOOTING); 1305 rval = zone_bootup(zlogp, zargp->bootbuf, zstate); 1306 audit_put_record(zlogp, uc, rval, "boot"); 1307 if (rval != 0) { 1308 bringup_failure_recovery = B_TRUE; 1309 (void) zone_halt(zlogp, B_FALSE, B_TRUE, 1310 zstate); 1311 eventstream_write(Z_EVT_ZONE_BOOTFAILED); 1312 } 1313 boot_args[0] = '\0'; 1314 break; 1315 case Z_HALT: 1316 if (kernelcall) /* Invalid; can't happen */ 1317 abort(); 1318 if ((rval = zone_halt(zlogp, B_FALSE, B_FALSE, zstate)) 1319 != 0) 1320 break; 1321 eventstream_write(Z_EVT_ZONE_HALTED); 1322 break; 1323 case Z_REBOOT: 1324 case Z_NOTE_UNINSTALLING: 1325 case Z_MOUNT: 1326 case Z_UNMOUNT: 1327 if (kernelcall) /* Invalid; can't happen */ 1328 abort(); 1329 zerror(zlogp, B_FALSE, "%s operation is invalid " 1330 "for zones in state '%s'", z_cmd_name(cmd), 1331 zone_state_str(zstate)); 1332 rval = -1; 1333 break; 1334 } 1335 break; 1336 1337 case ZONE_STATE_MOUNTED: 1338 switch (cmd) { 1339 case Z_UNMOUNT: 1340 if (kernelcall) /* Invalid; can't happen */ 1341 abort(); 1342 rval = zone_halt(zlogp, B_TRUE, B_FALSE, zstate); 1343 if (rval == 0) { 1344 eventstream_write(Z_EVT_ZONE_HALTED); 1345 (void) sema_post(&scratch_sem); 1346 } 1347 break; 1348 default: 1349 if (kernelcall) /* Invalid; can't happen */ 1350 abort(); 1351 zerror(zlogp, B_FALSE, "%s operation is invalid " 1352 "for zones in state '%s'", z_cmd_name(cmd), 1353 zone_state_str(zstate)); 1354 rval = -1; 1355 break; 1356 } 1357 break; 1358 1359 case ZONE_STATE_RUNNING: 1360 case ZONE_STATE_SHUTTING_DOWN: 1361 case ZONE_STATE_DOWN: 1362 switch (cmd) { 1363 case Z_READY: 1364 if ((rval = zone_halt(zlogp, B_FALSE, B_TRUE, zstate)) 1365 != 0) 1366 break; 1367 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate)) == 0) 1368 eventstream_write(Z_EVT_ZONE_READIED); 1369 else 1370 eventstream_write(Z_EVT_ZONE_HALTED); 1371 break; 1372 case Z_BOOT: 1373 /* 1374 * We could have two clients racing to boot this 1375 * zone; the second client loses, but his request 1376 * doesn't fail, since the zone is now in the desired 1377 * state. 1378 */ 1379 zerror(zlogp, B_FALSE, "zone is already booted"); 1380 rval = 0; 1381 break; 1382 case Z_HALT: 1383 if ((rval = zone_halt(zlogp, B_FALSE, B_FALSE, zstate)) 1384 != 0) 1385 break; 1386 eventstream_write(Z_EVT_ZONE_HALTED); 1387 break; 1388 case Z_REBOOT: 1389 (void) strlcpy(boot_args, zargp->bootbuf, 1390 sizeof (boot_args)); 1391 eventstream_write(Z_EVT_ZONE_REBOOTING); 1392 if ((rval = zone_halt(zlogp, B_FALSE, B_TRUE, zstate)) 1393 != 0) { 1394 eventstream_write(Z_EVT_ZONE_BOOTFAILED); 1395 boot_args[0] = '\0'; 1396 break; 1397 } 1398 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate)) 1399 != 0) { 1400 eventstream_write(Z_EVT_ZONE_BOOTFAILED); 1401 boot_args[0] = '\0'; 1402 break; 1403 } 1404 rval = zone_bootup(zlogp, zargp->bootbuf, zstate); 1405 audit_put_record(zlogp, uc, rval, "reboot"); 1406 if (rval != 0) { 1407 (void) zone_halt(zlogp, B_FALSE, B_TRUE, 1408 zstate); 1409 eventstream_write(Z_EVT_ZONE_BOOTFAILED); 1410 } 1411 boot_args[0] = '\0'; 1412 break; 1413 case Z_NOTE_UNINSTALLING: 1414 case Z_MOUNT: 1415 case Z_UNMOUNT: 1416 zerror(zlogp, B_FALSE, "%s operation is invalid " 1417 "for zones in state '%s'", z_cmd_name(cmd), 1418 zone_state_str(zstate)); 1419 rval = -1; 1420 break; 1421 } 1422 break; 1423 default: 1424 abort(); 1425 } 1426 1427 /* 1428 * Because the state of the zone may have changed, we make sure 1429 * to wake the console poller, which is in charge of initiating 1430 * the shutdown procedure as necessary. 1431 */ 1432 eventstream_write(Z_EVT_NULL); 1433 1434 out: 1435 (void) mutex_unlock(&lock); 1436 if (kernelcall) { 1437 rvalp = NULL; 1438 rlen = 0; 1439 } else { 1440 rvalp->rval = rval; 1441 } 1442 if (uc != NULL) 1443 ucred_free(uc); 1444 (void) door_return((char *)rvalp, rlen, NULL, 0); 1445 thr_exit(NULL); 1446 } 1447 1448 static int 1449 setup_door(zlog_t *zlogp) 1450 { 1451 if ((zone_door = door_create(server, NULL, 1452 DOOR_UNREF | DOOR_REFUSE_DESC | DOOR_NO_CANCEL)) < 0) { 1453 zerror(zlogp, B_TRUE, "%s failed", "door_create"); 1454 return (-1); 1455 } 1456 (void) fdetach(zone_door_path); 1457 1458 if (fattach(zone_door, zone_door_path) != 0) { 1459 zerror(zlogp, B_TRUE, "fattach to %s failed", zone_door_path); 1460 (void) door_revoke(zone_door); 1461 (void) fdetach(zone_door_path); 1462 zone_door = -1; 1463 return (-1); 1464 } 1465 return (0); 1466 } 1467 1468 /* 1469 * zoneadm(1m) will start zoneadmd if it thinks it isn't running; this 1470 * is where zoneadmd itself will check to see that another instance of 1471 * zoneadmd isn't already controlling this zone. 1472 * 1473 * The idea here is that we want to open the path to which we will 1474 * attach our door, lock it, and then make sure that no-one has beat us 1475 * to fattach(3c)ing onto it. 1476 * 1477 * fattach(3c) is really a mount, so there are actually two possible 1478 * vnodes we could be dealing with. Our strategy is as follows: 1479 * 1480 * - If the file we opened is a regular file (common case): 1481 * There is no fattach(3c)ed door, so we have a chance of becoming 1482 * the managing zoneadmd. We attempt to lock the file: if it is 1483 * already locked, that means someone else raced us here, so we 1484 * lose and give up. zoneadm(1m) will try to contact the zoneadmd 1485 * that beat us to it. 1486 * 1487 * - If the file we opened is a namefs file: 1488 * This means there is already an established door fattach(3c)'ed 1489 * to the rendezvous path. We've lost the race, so we give up. 1490 * Note that in this case we also try to grab the file lock, and 1491 * will succeed in acquiring it since the vnode locked by the 1492 * "winning" zoneadmd was a regular one, and the one we locked was 1493 * the fattach(3c)'ed door node. At any rate, no harm is done, and 1494 * we just return to zoneadm(1m) which knows to retry. 1495 */ 1496 static int 1497 make_daemon_exclusive(zlog_t *zlogp) 1498 { 1499 int doorfd = -1; 1500 int err, ret = -1; 1501 struct stat st; 1502 struct flock flock; 1503 zone_state_t zstate; 1504 1505 top: 1506 if ((err = zone_get_state(zone_name, &zstate)) != Z_OK) { 1507 zerror(zlogp, B_FALSE, "failed to get zone state: %s", 1508 zonecfg_strerror(err)); 1509 goto out; 1510 } 1511 if ((doorfd = open(zone_door_path, O_CREAT|O_RDWR, 1512 S_IREAD|S_IWRITE)) < 0) { 1513 zerror(zlogp, B_TRUE, "failed to open %s", zone_door_path); 1514 goto out; 1515 } 1516 if (fstat(doorfd, &st) < 0) { 1517 zerror(zlogp, B_TRUE, "failed to stat %s", zone_door_path); 1518 goto out; 1519 } 1520 /* 1521 * Lock the file to synchronize with other zoneadmd 1522 */ 1523 flock.l_type = F_WRLCK; 1524 flock.l_whence = SEEK_SET; 1525 flock.l_start = (off_t)0; 1526 flock.l_len = (off_t)0; 1527 if (fcntl(doorfd, F_SETLK, &flock) < 0) { 1528 /* 1529 * Someone else raced us here and grabbed the lock file 1530 * first. A warning here is inappropriate since nothing 1531 * went wrong. 1532 */ 1533 goto out; 1534 } 1535 1536 if (strcmp(st.st_fstype, "namefs") == 0) { 1537 struct door_info info; 1538 1539 /* 1540 * There is already something fattach()'ed to this file. 1541 * Lets see what the door is up to. 1542 */ 1543 if (door_info(doorfd, &info) == 0 && info.di_target != -1) { 1544 /* 1545 * Another zoneadmd process seems to be in 1546 * control of the situation and we don't need to 1547 * be here. A warning here is inappropriate 1548 * since nothing went wrong. 1549 * 1550 * If the door has been revoked, the zoneadmd 1551 * process currently managing the zone is going 1552 * away. We'll return control to zoneadm(1m) 1553 * which will try again (by which time zoneadmd 1554 * will hopefully have exited). 1555 */ 1556 goto out; 1557 } 1558 1559 /* 1560 * If we got this far, there's a fattach(3c)'ed door 1561 * that belongs to a process that has exited, which can 1562 * happen if the previous zoneadmd died unexpectedly. 1563 * 1564 * Let user know that something is amiss, but that we can 1565 * recover; if the zone is in the installed state, then don't 1566 * message, since having a running zoneadmd isn't really 1567 * expected/needed. We want to keep occurences of this message 1568 * limited to times when zoneadmd is picking back up from a 1569 * zoneadmd that died while the zone was in some non-trivial 1570 * state. 1571 */ 1572 if (zstate > ZONE_STATE_INSTALLED) { 1573 zerror(zlogp, B_FALSE, 1574 "zone '%s': WARNING: zone is in state '%s', but " 1575 "zoneadmd does not appear to be available; " 1576 "restarted zoneadmd to recover.", 1577 zone_name, zone_state_str(zstate)); 1578 } 1579 1580 (void) fdetach(zone_door_path); 1581 (void) close(doorfd); 1582 goto top; 1583 } 1584 ret = 0; 1585 out: 1586 (void) close(doorfd); 1587 return (ret); 1588 } 1589 1590 /* 1591 * Setup the brand's pre and post state change callbacks, as well as the 1592 * query callback, if any of these exist. 1593 */ 1594 static int 1595 brand_callback_init(brand_handle_t bh, char *zone_name) 1596 { 1597 char zpath[MAXPATHLEN]; 1598 1599 if (zone_get_zonepath(zone_name, zpath, sizeof (zpath)) != Z_OK) 1600 return (-1); 1601 1602 (void) strlcpy(pre_statechg_hook, EXEC_PREFIX, 1603 sizeof (pre_statechg_hook)); 1604 1605 if (brand_get_prestatechange(bh, zone_name, zpath, 1606 pre_statechg_hook + EXEC_LEN, 1607 sizeof (pre_statechg_hook) - EXEC_LEN) != 0) 1608 return (-1); 1609 1610 if (strlen(pre_statechg_hook) <= EXEC_LEN) 1611 pre_statechg_hook[0] = '\0'; 1612 1613 (void) strlcpy(post_statechg_hook, EXEC_PREFIX, 1614 sizeof (post_statechg_hook)); 1615 1616 if (brand_get_poststatechange(bh, zone_name, zpath, 1617 post_statechg_hook + EXEC_LEN, 1618 sizeof (post_statechg_hook) - EXEC_LEN) != 0) 1619 return (-1); 1620 1621 if (strlen(post_statechg_hook) <= EXEC_LEN) 1622 post_statechg_hook[0] = '\0'; 1623 1624 (void) strlcpy(query_hook, EXEC_PREFIX, 1625 sizeof (query_hook)); 1626 1627 if (brand_get_query(bh, zone_name, zpath, query_hook + EXEC_LEN, 1628 sizeof (query_hook) - EXEC_LEN) != 0) 1629 return (-1); 1630 1631 if (strlen(query_hook) <= EXEC_LEN) 1632 query_hook[0] = '\0'; 1633 1634 return (0); 1635 } 1636 1637 int 1638 main(int argc, char *argv[]) 1639 { 1640 int opt; 1641 zoneid_t zid; 1642 priv_set_t *privset; 1643 zone_state_t zstate; 1644 char parents_locale[MAXPATHLEN]; 1645 brand_handle_t bh; 1646 int err; 1647 1648 pid_t pid; 1649 sigset_t blockset; 1650 sigset_t block_cld; 1651 1652 struct { 1653 sema_t sem; 1654 int status; 1655 zlog_t log; 1656 } *shstate; 1657 size_t shstatelen = getpagesize(); 1658 1659 zlog_t errlog; 1660 zlog_t *zlogp; 1661 1662 int ctfd; 1663 1664 progname = get_execbasename(argv[0]); 1665 1666 /* 1667 * Make sure stderr is unbuffered 1668 */ 1669 (void) setbuffer(stderr, NULL, 0); 1670 1671 /* 1672 * Get out of the way of mounted filesystems, since we will daemonize 1673 * soon. 1674 */ 1675 (void) chdir("/"); 1676 1677 /* 1678 * Use the default system umask per PSARC 1998/110 rather than 1679 * anything that may have been set by the caller. 1680 */ 1681 (void) umask(CMASK); 1682 1683 /* 1684 * Initially we want to use our parent's locale. 1685 */ 1686 (void) setlocale(LC_ALL, ""); 1687 (void) textdomain(TEXT_DOMAIN); 1688 (void) strlcpy(parents_locale, setlocale(LC_MESSAGES, NULL), 1689 sizeof (parents_locale)); 1690 1691 /* 1692 * This zlog_t is used for writing to stderr 1693 */ 1694 errlog.logfile = stderr; 1695 errlog.buflen = errlog.loglen = 0; 1696 errlog.buf = errlog.log = NULL; 1697 errlog.locale = parents_locale; 1698 1699 /* 1700 * We start off writing to stderr until we're ready to daemonize. 1701 */ 1702 zlogp = &errlog; 1703 1704 /* 1705 * Process options. 1706 */ 1707 while ((opt = getopt(argc, argv, "R:z:")) != EOF) { 1708 switch (opt) { 1709 case 'R': 1710 zonecfg_set_root(optarg); 1711 break; 1712 case 'z': 1713 zone_name = optarg; 1714 break; 1715 default: 1716 usage(); 1717 } 1718 } 1719 1720 if (zone_name == NULL) 1721 usage(); 1722 1723 /* 1724 * Because usage() prints directly to stderr, it has gettext() 1725 * wrapping, which depends on the locale. But since zerror() calls 1726 * localize() which tweaks the locale, it is not safe to call zerror() 1727 * until after the last call to usage(). Fortunately, the last call 1728 * to usage() is just above and the first call to zerror() is just 1729 * below. Don't mess this up. 1730 */ 1731 if (strcmp(zone_name, GLOBAL_ZONENAME) == 0) { 1732 zerror(zlogp, B_FALSE, "cannot manage the %s zone", 1733 GLOBAL_ZONENAME); 1734 return (1); 1735 } 1736 1737 if (zone_get_id(zone_name, &zid) != 0) { 1738 zerror(zlogp, B_FALSE, "could not manage %s: %s", zone_name, 1739 zonecfg_strerror(Z_NO_ZONE)); 1740 return (1); 1741 } 1742 1743 if ((err = zone_get_state(zone_name, &zstate)) != Z_OK) { 1744 zerror(zlogp, B_FALSE, "failed to get zone state: %s", 1745 zonecfg_strerror(err)); 1746 return (1); 1747 } 1748 if (zstate < ZONE_STATE_INCOMPLETE) { 1749 zerror(zlogp, B_FALSE, 1750 "cannot manage a zone which is in state '%s'", 1751 zone_state_str(zstate)); 1752 return (1); 1753 } 1754 1755 if (zonecfg_default_brand(default_brand, 1756 sizeof (default_brand)) != Z_OK) { 1757 zerror(zlogp, B_FALSE, "unable to determine default brand"); 1758 return (1); 1759 } 1760 1761 /* Get a handle to the brand info for this zone */ 1762 if (zone_get_brand(zone_name, brand_name, sizeof (brand_name)) 1763 != Z_OK) { 1764 zerror(zlogp, B_FALSE, "unable to determine zone brand"); 1765 return (1); 1766 } 1767 zone_isnative = (strcmp(brand_name, NATIVE_BRAND_NAME) == 0); 1768 zone_islabeled = (strcmp(brand_name, LABELED_BRAND_NAME) == 0); 1769 1770 /* 1771 * In the alternate root environment, the only supported 1772 * operations are mount and unmount. In this case, just treat 1773 * the zone as native if it is cluster. Cluster zones can be 1774 * native for the purpose of LU or upgrade, and the cluster 1775 * brand may not exist in the miniroot (such as in net install 1776 * upgrade). 1777 */ 1778 if (strcmp(brand_name, CLUSTER_BRAND_NAME) == 0) { 1779 zone_iscluster = B_TRUE; 1780 if (zonecfg_in_alt_root()) { 1781 (void) strlcpy(brand_name, default_brand, 1782 sizeof (brand_name)); 1783 } 1784 } else { 1785 zone_iscluster = B_FALSE; 1786 } 1787 1788 if ((bh = brand_open(brand_name)) == NULL) { 1789 zerror(zlogp, B_FALSE, "unable to open zone brand"); 1790 return (1); 1791 } 1792 1793 /* Get state change brand hooks. */ 1794 if (brand_callback_init(bh, zone_name) == -1) { 1795 zerror(zlogp, B_TRUE, 1796 "failed to initialize brand state change hooks"); 1797 brand_close(bh); 1798 return (1); 1799 } 1800 1801 brand_close(bh); 1802 1803 /* 1804 * Check that we have all privileges. It would be nice to pare 1805 * this down, but this is at least a first cut. 1806 */ 1807 if ((privset = priv_allocset()) == NULL) { 1808 zerror(zlogp, B_TRUE, "%s failed", "priv_allocset"); 1809 return (1); 1810 } 1811 1812 if (getppriv(PRIV_EFFECTIVE, privset) != 0) { 1813 zerror(zlogp, B_TRUE, "%s failed", "getppriv"); 1814 priv_freeset(privset); 1815 return (1); 1816 } 1817 1818 if (priv_isfullset(privset) == B_FALSE) { 1819 zerror(zlogp, B_FALSE, "You lack sufficient privilege to " 1820 "run this command (all privs required)"); 1821 priv_freeset(privset); 1822 return (1); 1823 } 1824 priv_freeset(privset); 1825 1826 if (mkzonedir(zlogp) != 0) 1827 return (1); 1828 1829 /* 1830 * Pre-fork: setup shared state 1831 */ 1832 if ((shstate = (void *)mmap(NULL, shstatelen, 1833 PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANON, -1, (off_t)0)) == 1834 MAP_FAILED) { 1835 zerror(zlogp, B_TRUE, "%s failed", "mmap"); 1836 return (1); 1837 } 1838 if (sema_init(&shstate->sem, 0, USYNC_PROCESS, NULL) != 0) { 1839 zerror(zlogp, B_TRUE, "%s failed", "sema_init()"); 1840 (void) munmap((char *)shstate, shstatelen); 1841 return (1); 1842 } 1843 shstate->log.logfile = NULL; 1844 shstate->log.buflen = shstatelen - sizeof (*shstate); 1845 shstate->log.loglen = shstate->log.buflen; 1846 shstate->log.buf = (char *)shstate + sizeof (*shstate); 1847 shstate->log.log = shstate->log.buf; 1848 shstate->log.locale = parents_locale; 1849 shstate->status = -1; 1850 1851 /* 1852 * We need a SIGCHLD handler so the sema_wait() below will wake 1853 * up if the child dies without doing a sema_post(). 1854 */ 1855 (void) sigset(SIGCHLD, sigchld); 1856 /* 1857 * We must mask SIGCHLD until after we've coped with the fork 1858 * sufficiently to deal with it; otherwise we can race and 1859 * receive the signal before pid has been initialized 1860 * (yes, this really happens). 1861 */ 1862 (void) sigemptyset(&block_cld); 1863 (void) sigaddset(&block_cld, SIGCHLD); 1864 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL); 1865 1866 if ((ctfd = init_template()) == -1) { 1867 zerror(zlogp, B_TRUE, "failed to create contract"); 1868 return (1); 1869 } 1870 1871 /* 1872 * Do not let another thread localize a message while we are forking. 1873 */ 1874 (void) mutex_lock(&msglock); 1875 pid = fork(); 1876 (void) mutex_unlock(&msglock); 1877 1878 /* 1879 * In all cases (parent, child, and in the event of an error) we 1880 * don't want to cause creation of contracts on subsequent fork()s. 1881 */ 1882 (void) ct_tmpl_clear(ctfd); 1883 (void) close(ctfd); 1884 1885 if (pid == -1) { 1886 zerror(zlogp, B_TRUE, "could not fork"); 1887 return (1); 1888 1889 } else if (pid > 0) { /* parent */ 1890 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL); 1891 /* 1892 * This marks a window of vulnerability in which we receive 1893 * the SIGCLD before falling into sema_wait (normally we would 1894 * get woken up from sema_wait with EINTR upon receipt of 1895 * SIGCLD). So we may need to use some other scheme like 1896 * sema_posting in the sigcld handler. 1897 * blech 1898 */ 1899 (void) sema_wait(&shstate->sem); 1900 (void) sema_destroy(&shstate->sem); 1901 if (shstate->status != 0) 1902 (void) waitpid(pid, NULL, WNOHANG); 1903 /* 1904 * It's ok if we die with SIGPIPE. It's not like we could have 1905 * done anything about it. 1906 */ 1907 (void) fprintf(stderr, "%s", shstate->log.buf); 1908 _exit(shstate->status == 0 ? 0 : 1); 1909 } 1910 1911 /* 1912 * The child charges on. 1913 */ 1914 (void) sigset(SIGCHLD, SIG_DFL); 1915 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL); 1916 1917 /* 1918 * SIGPIPE can be delivered if we write to a socket for which the 1919 * peer endpoint is gone. That can lead to too-early termination 1920 * of zoneadmd, and that's not good eats. 1921 */ 1922 (void) sigset(SIGPIPE, SIG_IGN); 1923 /* 1924 * Stop using stderr 1925 */ 1926 zlogp = &shstate->log; 1927 1928 /* 1929 * We don't need stdout/stderr from now on. 1930 */ 1931 closefrom(0); 1932 1933 /* 1934 * Initialize the syslog zlog_t. This needs to be done after 1935 * the call to closefrom(). 1936 */ 1937 logsys.buf = logsys.log = NULL; 1938 logsys.buflen = logsys.loglen = 0; 1939 logsys.logfile = NULL; 1940 logsys.locale = DEFAULT_LOCALE; 1941 1942 openlog("zoneadmd", LOG_PID, LOG_DAEMON); 1943 1944 /* 1945 * The eventstream is used to publish state changes in the zone 1946 * from the door threads to the console I/O poller. 1947 */ 1948 if (eventstream_init() == -1) { 1949 zerror(zlogp, B_TRUE, "unable to create eventstream"); 1950 goto child_out; 1951 } 1952 1953 (void) snprintf(zone_door_path, sizeof (zone_door_path), 1954 "%s" ZONE_DOOR_PATH, zonecfg_get_root(), zone_name); 1955 1956 /* 1957 * See if another zoneadmd is running for this zone. If not, then we 1958 * can now modify system state. 1959 */ 1960 if (make_daemon_exclusive(zlogp) == -1) 1961 goto child_out; 1962 1963 1964 /* 1965 * Create/join a new session; we need to be careful of what we do with 1966 * the console from now on so we don't end up being the session leader 1967 * for the terminal we're going to be handing out. 1968 */ 1969 (void) setsid(); 1970 1971 /* 1972 * This thread shouldn't be receiving any signals; in particular, 1973 * SIGCHLD should be received by the thread doing the fork(). 1974 */ 1975 (void) sigfillset(&blockset); 1976 (void) thr_sigsetmask(SIG_BLOCK, &blockset, NULL); 1977 1978 /* 1979 * Setup the console device and get ready to serve the console; 1980 * once this has completed, we're ready to let console clients 1981 * make an attempt to connect (they will block until 1982 * serve_console_sock() below gets called, and any pending 1983 * connection is accept()ed). 1984 */ 1985 if (!zonecfg_in_alt_root() && init_console(zlogp) < 0) 1986 goto child_out; 1987 1988 /* 1989 * Take the lock now, so that when the door server gets going, we 1990 * are guaranteed that it won't take a request until we are sure 1991 * that everything is completely set up. See the child_out: label 1992 * below to see why this matters. 1993 */ 1994 (void) mutex_lock(&lock); 1995 1996 /* Init semaphore for scratch zones. */ 1997 if (sema_init(&scratch_sem, 0, USYNC_THREAD, NULL) == -1) { 1998 zerror(zlogp, B_TRUE, 1999 "failed to initialize semaphore for scratch zone"); 2000 goto child_out; 2001 } 2002 2003 /* open the dladm handle */ 2004 if (dladm_open(&dld_handle) != DLADM_STATUS_OK) { 2005 zerror(zlogp, B_FALSE, "failed to open dladm handle"); 2006 goto child_out; 2007 } 2008 2009 /* 2010 * Note: door setup must occur *after* the console is setup. 2011 * This is so that as zlogin tests the door to see if zoneadmd 2012 * is ready yet, we know that the console will get serviced 2013 * once door_info() indicates that the door is "up". 2014 */ 2015 if (setup_door(zlogp) == -1) 2016 goto child_out; 2017 2018 /* 2019 * Things seem OK so far; tell the parent process that we're done 2020 * with setup tasks. This will cause the parent to exit, signalling 2021 * to zoneadm, zlogin, or whatever forked it that we are ready to 2022 * service requests. 2023 */ 2024 shstate->status = 0; 2025 (void) sema_post(&shstate->sem); 2026 (void) munmap((char *)shstate, shstatelen); 2027 shstate = NULL; 2028 2029 (void) mutex_unlock(&lock); 2030 2031 /* 2032 * zlogp is now invalid, so reset it to the syslog logger. 2033 */ 2034 zlogp = &logsys; 2035 2036 /* 2037 * Now that we are free of any parents, switch to the default locale. 2038 */ 2039 (void) setlocale(LC_ALL, DEFAULT_LOCALE); 2040 2041 /* 2042 * At this point the setup portion of main() is basically done, so 2043 * we reuse this thread to manage the zone console. When 2044 * serve_console() has returned, we are past the point of no return 2045 * in the life of this zoneadmd. 2046 */ 2047 if (zonecfg_in_alt_root()) { 2048 /* 2049 * This is just awful, but mounted scratch zones don't (and 2050 * can't) have consoles. We just wait for unmount instead. 2051 */ 2052 while (sema_wait(&scratch_sem) == EINTR) 2053 ; 2054 } else { 2055 serve_console(zlogp); 2056 assert(in_death_throes); 2057 } 2058 2059 /* 2060 * This is the next-to-last part of the exit interlock. Upon calling 2061 * fdetach(), the door will go unreferenced; once any 2062 * outstanding requests (like the door thread doing Z_HALT) are 2063 * done, the door will get an UNREF notification; when it handles 2064 * the UNREF, the door server will cause the exit. It's possible 2065 * that fdetach() can fail because the file is in use, in which 2066 * case we'll retry the operation. 2067 */ 2068 assert(!MUTEX_HELD(&lock)); 2069 for (;;) { 2070 if ((fdetach(zone_door_path) == 0) || (errno != EBUSY)) 2071 break; 2072 yield(); 2073 } 2074 2075 for (;;) 2076 (void) pause(); 2077 2078 child_out: 2079 assert(pid == 0); 2080 if (shstate != NULL) { 2081 shstate->status = -1; 2082 (void) sema_post(&shstate->sem); 2083 (void) munmap((char *)shstate, shstatelen); 2084 } 2085 2086 /* 2087 * This might trigger an unref notification, but if so, 2088 * we are still holding the lock, so our call to exit will 2089 * ultimately win the race and will publish the right exit 2090 * code. 2091 */ 2092 if (zone_door != -1) { 2093 assert(MUTEX_HELD(&lock)); 2094 (void) door_revoke(zone_door); 2095 (void) fdetach(zone_door_path); 2096 } 2097 2098 if (dld_handle != NULL) 2099 dladm_close(dld_handle); 2100 2101 return (1); /* return from main() forcibly exits an MT process */ 2102 } 2103