xref: /titanic_52/usr/src/cmd/svc/configd/backend.c (revision 4e6f6c8344ddd39ded306346bd0107934d29b982)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * sqlite is not compatible with _FILE_OFFSET_BITS=64, but we need to
29  * be able to statvfs(2) possibly large systems.  This define gives us
30  * access to the transitional interfaces.  See lfcompile64(5) for how
31  * _LARGEFILE64_SOURCE works.
32  */
33 #define	_LARGEFILE64_SOURCE
34 
35 #include <assert.h>
36 #include <atomic.h>
37 #include <door.h>
38 #include <dirent.h>
39 #include <errno.h>
40 #include <fcntl.h>
41 #include <limits.h>
42 #include <pthread.h>
43 #include <stdarg.h>
44 #include <stdio.h>
45 #include <stdlib.h>
46 #include <string.h>
47 #include <strings.h>
48 #include <sys/stat.h>
49 #include <sys/statvfs.h>
50 #include <time.h>
51 #include <unistd.h>
52 #include <zone.h>
53 #include <libscf_priv.h>
54 
55 #include "configd.h"
56 #include "repcache_protocol.h"
57 
58 #include <sqlite.h>
59 #include <sqlite-misc.h>
60 
61 /*
62  * This file has two purposes:
63  *
64  * 1. It contains the database schema, and the code for setting up our backend
65  *    databases, including installing said schema.
66  *
67  * 2. It provides a simplified interface to the SQL database library, and
68  *    synchronizes MT access to the database.
69  */
70 
71 #define	IS_VOLATILE(be)		((be)->be_ppath != NULL)
72 #define	MAX_FLIGHT_RECORDER_EVENTS	100
73 
74 typedef enum backend_switch_results {
75 	BACKEND_SWITCH_FATAL =	-1,
76 	BACKEND_SWITCH_OK =	0,
77 	BACKEND_SWITCH_RO
78 } backend_switch_results_t;
79 
80 typedef struct backend_spent {
81 	uint64_t bs_count;
82 	hrtime_t bs_time;
83 	hrtime_t bs_vtime;
84 } backend_spent_t;
85 
86 typedef struct backend_totals {
87 	backend_spent_t	bt_lock;	/* waiting for lock */
88 	backend_spent_t	bt_exec;	/* time spent executing SQL */
89 } backend_totals_t;
90 
91 /*
92  * There are times when svcadm asks configd to move the BACKEND_TYPE_NORMAL
93  * repository to volatile storage.  See backend_switch().  When the
94  * repository is on volatile storage, we save the location of the permanent
95  * repository in be_ppath.  We use the saved path when the time comes to
96  * move the repository back.  When the repository is on permanent storage,
97  * be_ppath is set to NULL.  Also see the definition of IS_VOLATILE() above
98  * for testing if the repository is on volatile storage.
99  */
100 typedef struct sqlite_backend {
101 	pthread_mutex_t	be_lock;
102 	pthread_t	be_thread;	/* thread holding lock */
103 	struct sqlite	*be_db;
104 	const char	*be_path;	/* path to db */
105 	const char	*be_ppath;	/* saved path to persistent db when */
106 					/* backend is volatile */
107 	const char	*be_checkpoint;	/* path to repository checkpoint */
108 	int		be_readonly;	/* readonly at start, and still is */
109 	int		be_writing;	/* held for writing */
110 	backend_type_t	be_type;	/* type of db */
111 	hrtime_t	be_lastcheck;	/* time of last read-only check */
112 	backend_totals_t be_totals[2];	/* one for reading, one for writing */
113 } sqlite_backend_t;
114 
115 struct backend_tx {
116 	sqlite_backend_t	*bt_be;
117 	int			bt_readonly;
118 	int			bt_type;
119 	int			bt_full;	/* SQLITE_FULL during tx */
120 };
121 
122 #define	UPDATE_TOTALS_WR(sb, writing, field, ts, vts) { \
123 	backend_spent_t *__bsp = &(sb)->be_totals[!!(writing)].field; \
124 	__bsp->bs_count++;						\
125 	__bsp->bs_time += (gethrtime() - ts);				\
126 	__bsp->bs_vtime += (gethrvtime() - vts);			\
127 }
128 
129 #define	UPDATE_TOTALS(sb, field, ts, vts) \
130 	UPDATE_TOTALS_WR(sb, (sb)->be_writing, field, ts, vts)
131 
132 struct backend_query {
133 	char	*bq_buf;
134 	size_t	bq_size;
135 };
136 
137 struct backend_tbl_info {
138 	const char *bti_name;
139 	const char *bti_cols;
140 };
141 
142 struct backend_idx_info {
143 	const char *bxi_tbl;
144 	const char *bxi_idx;
145 	const char *bxi_cols;
146 };
147 
148 /* Definitions for the flight recorder: */
149 
150 typedef enum be_flight_type {
151 	BE_FLIGHT_EV_NOEVENT = 0,	/* No event yet recorded. */
152 	BE_FLIGHT_EV_BACKUP,		/* Information about repo. backup */
153 	BE_FLIGHT_EV_BACKUP_ENTER,	/* Enter */
154 					/* backend_create_backup_locked() */
155 	BE_FLIGHT_EV_CHECKPOINT,	/* Request to checkpoint repository */
156 					/* for boot time backup */
157 	BE_FLIGHT_EV_CHECKPOINT_EXISTS,	/* Existing checkpoint detected on */
158 					/* restart */
159 	BE_FLIGHT_EV_LINGERING_FAST,	/* Use lingering fast repository */
160 	BE_FLIGHT_EV_NO_BACKUP,		/* Requested backup not made */
161 	BE_FLIGHT_EV_REPO_CREATE,	/* Main repository created */
162 	BE_FLIGHT_EV_RESTART,		/* This is a restart of configd */
163 	BE_FLIGHT_EV_SWITCH,		/* Switch repositories */
164 	BE_FLIGHT_EV_TRANS_RW		/* Root transitioned to read/write */
165 } be_flight_type_t;
166 
167 typedef enum be_flight_status {
168 	BE_FLIGHT_ST_INFO = 0,		/* No status.  Event is informative */
169 	BE_FLIGHT_ST_BOOT_BACKUP,	/* Boot time backup */
170 	BE_FLIGHT_ST_CHECKPOINT_BACKUP,	/* Backup from checkpoint */
171 	BE_FLIGHT_ST_CLIENT,		/* Request form client as opposed to */
172 					/* internal call */
173 	BE_FLIGHT_ST_DUPLICATE,		/* Backup duplicates existing one */
174 	BE_FLIGHT_ST_FAIL,		/* Operation failed. */
175 	BE_FLIGHT_ST_FAST,		/* Fast repository (tmpfs) */
176 	BE_FLIGHT_ST_MI_BACKUP,		/* Manifest-import backup */
177 	BE_FLIGHT_ST_NO_SWITCH,		/* Don't switch repositories */
178 	BE_FLIGHT_ST_OTHER_BACKUP,	/* Other type of backup */
179 	BE_FLIGHT_ST_PERMANENT,		/* Repository on permanet storage */
180 	BE_FLIGHT_ST_REPO_BACKUP,	/* Backup from repository */
181 	BE_FLIGHT_ST_RO,		/* Main repository is read-only */
182 	BE_FLIGHT_ST_RW,		/* Main repository is read/write */
183 	BE_FLIGHT_ST_SUCCESS,		/* Operation was successful */
184 	BE_FLIGHT_ST_SWITCH		/* Switch repository */
185 } be_flight_status_t;
186 
187 typedef struct be_flight_event {
188 	be_flight_type_t	bfe_type;	/* Type of event. */
189 	be_flight_status_t	bfe_status;	/* Result of the event. */
190 	time_t			bfe_time;	/* Time of the event. */
191 	uint_t			bfe_sequence;	/* Sequence number. */
192 } be_flight_event_t;
193 
194 static pthread_mutex_t backend_panic_lock = PTHREAD_MUTEX_INITIALIZER;
195 static pthread_cond_t backend_panic_cv = PTHREAD_COND_INITIALIZER;
196 pthread_t backend_panic_thread = 0;
197 
198 int backend_do_trace = 0;		/* invoke tracing callback */
199 int backend_print_trace = 0;		/* tracing callback prints SQL */
200 int backend_panic_abort = 0;		/* abort when panicking */
201 
202 /* Data for the flight_recorder. */
203 
204 static pthread_mutex_t backend_flight_recorder_lock = PTHREAD_MUTEX_INITIALIZER;
205 static be_flight_event_t flight_recorder[MAX_FLIGHT_RECORDER_EVENTS];
206 static uint_t flight_recorder_next = 0;
207 static uint_t flight_recorder_missed = 0;
208 static uint_t flight_recorder_sequence = 0;
209 
210 /* interval between read-only checks while starting up */
211 #define	BACKEND_READONLY_CHECK_INTERVAL	(2 * (hrtime_t)NANOSEC)
212 
213 /*
214  * Any incompatible change to the below schema should bump the version number.
215  * The schema has been changed to support value ordering,  but this change
216  * is backwards-compatible - i.e. a previous svc.configd can use a
217  * repository database with the new schema perfectly well.  As a result,
218  * the schema version has not been updated,  allowing downgrade of systems
219  * without losing repository data.
220  */
221 #define	BACKEND_SCHEMA_VERSION		5
222 
223 static struct backend_tbl_info tbls_normal[] = { /* BACKEND_TYPE_NORMAL */
224 	/*
225 	 * service_tbl holds all services.  svc_id is the identifier of the
226 	 * service.
227 	 */
228 	{
229 		"service_tbl",
230 		"svc_id          INTEGER PRIMARY KEY,"
231 		"svc_name        CHAR(256) NOT NULL"
232 	},
233 
234 	/*
235 	 * instance_tbl holds all of the instances.  The parent service id
236 	 * is instance_svc.
237 	 */
238 	{
239 		"instance_tbl",
240 		"instance_id     INTEGER PRIMARY KEY,"
241 		"instance_name   CHAR(256) NOT NULL,"
242 		"instance_svc    INTEGER NOT NULL"
243 	},
244 
245 	/*
246 	 * snapshot_lnk_tbl links (instance, snapshot name) with snapshots.
247 	 */
248 	{
249 		"snapshot_lnk_tbl",
250 		"lnk_id          INTEGER PRIMARY KEY,"
251 		"lnk_inst_id     INTEGER NOT NULL,"
252 		"lnk_snap_name   CHAR(256) NOT NULL,"
253 		"lnk_snap_id     INTEGER NOT NULL"
254 	},
255 
256 	/*
257 	 * snaplevel_tbl maps a snapshot id to a set of named, ordered
258 	 * snaplevels.
259 	 */
260 	{
261 		"snaplevel_tbl",
262 		"snap_id                 INTEGER NOT NULL,"
263 		"snap_level_num          INTEGER NOT NULL,"
264 		"snap_level_id           INTEGER NOT NULL,"
265 		"snap_level_service_id   INTEGER NOT NULL,"
266 		"snap_level_service      CHAR(256) NOT NULL,"
267 		"snap_level_instance_id  INTEGER NULL,"
268 		"snap_level_instance     CHAR(256) NULL"
269 	},
270 
271 	/*
272 	 * snaplevel_lnk_tbl links snaplevels to property groups.
273 	 * snaplvl_pg_* is identical to the original property group,
274 	 * and snaplvl_gen_id overrides the generation number.
275 	 * The service/instance ids are as in the snaplevel.
276 	 */
277 	{
278 		"snaplevel_lnk_tbl",
279 		"snaplvl_level_id INTEGER NOT NULL,"
280 		"snaplvl_pg_id    INTEGER NOT NULL,"
281 		"snaplvl_pg_name  CHAR(256) NOT NULL,"
282 		"snaplvl_pg_type  CHAR(256) NOT NULL,"
283 		"snaplvl_pg_flags INTEGER NOT NULL,"
284 		"snaplvl_gen_id   INTEGER NOT NULL"
285 	},
286 
287 	{ NULL, NULL }
288 };
289 
290 static struct backend_idx_info idxs_normal[] = { /* BACKEND_TYPE_NORMAL */
291 	{ "service_tbl",	"name",	"svc_name" },
292 	{ "instance_tbl",	"name",	"instance_svc, instance_name" },
293 	{ "snapshot_lnk_tbl",	"name",	"lnk_inst_id, lnk_snap_name" },
294 	{ "snapshot_lnk_tbl",	"snapid", "lnk_snap_id" },
295 	{ "snaplevel_tbl",	"id",	"snap_id" },
296 	{ "snaplevel_lnk_tbl",	"id",	"snaplvl_pg_id" },
297 	{ "snaplevel_lnk_tbl",	"level", "snaplvl_level_id" },
298 	{ NULL, NULL, NULL }
299 };
300 
301 static struct backend_tbl_info tbls_np[] = { /* BACKEND_TYPE_NONPERSIST */
302 	{ NULL, NULL }
303 };
304 
305 static struct backend_idx_info idxs_np[] = {	/* BACKEND_TYPE_NONPERSIST */
306 	{ NULL, NULL, NULL }
307 };
308 
309 static struct backend_tbl_info tbls_common[] = { /* all backend types */
310 	/*
311 	 * pg_tbl defines property groups.  They are associated with a single
312 	 * service or instance.  The pg_gen_id links them with the latest
313 	 * "edited" version of its properties.
314 	 */
315 	{
316 		"pg_tbl",
317 		"pg_id           INTEGER PRIMARY KEY,"
318 		"pg_parent_id    INTEGER NOT NULL,"
319 		"pg_name         CHAR(256) NOT NULL,"
320 		"pg_type         CHAR(256) NOT NULL,"
321 		"pg_flags        INTEGER NOT NULL,"
322 		"pg_gen_id       INTEGER NOT NULL"
323 	},
324 
325 	/*
326 	 * prop_lnk_tbl links a particular pg_id and gen_id to a set of
327 	 * (prop_name, prop_type, val_id) trios.
328 	 */
329 	{
330 		"prop_lnk_tbl",
331 		"lnk_prop_id     INTEGER PRIMARY KEY,"
332 		"lnk_pg_id       INTEGER NOT NULL,"
333 		"lnk_gen_id      INTEGER NOT NULL,"
334 		"lnk_prop_name   CHAR(256) NOT NULL,"
335 		"lnk_prop_type   CHAR(2) NOT NULL,"
336 		"lnk_val_id      INTEGER"
337 	},
338 
339 	/*
340 	 * value_tbl maps a value_id to a set of values.  For any given
341 	 * value_id, value_type is constant.  The table definition here
342 	 * is repeated in backend_check_upgrade(),  and must be kept in-sync.
343 	 */
344 	{
345 		"value_tbl",
346 		"value_id        INTEGER NOT NULL,"
347 		"value_type      CHAR(1) NOT NULL,"
348 		"value_value     VARCHAR NOT NULL,"
349 		"value_order     INTEGER DEFAULT 0"
350 	},
351 
352 	/*
353 	 * id_tbl has one row per id space
354 	 */
355 	{
356 		"id_tbl",
357 		"id_name         STRING NOT NULL,"
358 		"id_next         INTEGER NOT NULL"
359 	},
360 
361 	/*
362 	 * schema_version has a single row, which contains
363 	 * BACKEND_SCHEMA_VERSION at the time of creation.
364 	 */
365 	{
366 		"schema_version",
367 		"schema_version  INTEGER"
368 	},
369 	{ NULL, NULL }
370 };
371 
372 /*
373  * The indexing of value_tbl is repeated in backend_check_upgrade() and
374  * must be kept in sync with the indexing specification here.
375  */
376 static struct backend_idx_info idxs_common[] = { /* all backend types */
377 	{ "pg_tbl",		"parent", "pg_parent_id" },
378 	{ "pg_tbl",		"name",	"pg_parent_id, pg_name" },
379 	{ "pg_tbl",		"type",	"pg_parent_id, pg_type" },
380 	{ "prop_lnk_tbl",	"base",	"lnk_pg_id, lnk_gen_id" },
381 	{ "prop_lnk_tbl",	"val",	"lnk_val_id" },
382 	{ "value_tbl",		"id",	"value_id" },
383 	{ "id_tbl",		"id",	"id_name" },
384 	{ NULL, NULL, NULL }
385 };
386 
387 struct run_single_int_info {
388 	uint32_t	*rs_out;
389 	int		rs_result;
390 };
391 
392 static rep_protocol_responseid_t backend_copy_repository(const char *,
393     const char *, int);
394 static rep_protocol_responseid_t backend_do_copy(const char *, int,
395     const char *, int, size_t *);
396 
397 /*
398  * The flight recorder keeps track of events that happen primarily while
399  * the system is booting.  Once the system is up an running, one can take a
400  * gcore(1) of configd and examine the events with mdb.  Since we're most
401  * interested in early boot events, we stop recording events when the
402  * recorder is full.
403  */
404 static void
405 flight_recorder_event(be_flight_type_t type, be_flight_status_t res)
406 {
407 	be_flight_event_t *data;
408 	uint_t item;
409 	uint_t sequence;
410 
411 	if (pthread_mutex_lock(&backend_flight_recorder_lock) != 0) {
412 		atomic_inc_uint(&flight_recorder_missed);
413 		return;
414 	}
415 	if (flight_recorder_next >= MAX_FLIGHT_RECORDER_EVENTS) {
416 		/* Hit end of the array.  No more event recording. */
417 		item = flight_recorder_next;
418 	} else {
419 		item = flight_recorder_next++;
420 		sequence = flight_recorder_sequence++;
421 	}
422 	(void) pthread_mutex_unlock(&backend_flight_recorder_lock);
423 
424 	if (item >= MAX_FLIGHT_RECORDER_EVENTS) {
425 		/* Array is filled.  Stop recording events */
426 		atomic_inc_uint(&flight_recorder_missed);
427 		return;
428 	}
429 	data = &flight_recorder[item];
430 	(void) memset(data, 0, sizeof (*data));
431 	data->bfe_type = type;
432 	data->bfe_status = res;
433 	data->bfe_sequence = sequence;
434 	data->bfe_time = time(NULL);
435 }
436 
437 /*ARGSUSED*/
438 static int
439 run_single_int_callback(void *arg, int columns, char **vals, char **names)
440 {
441 	struct run_single_int_info *info = arg;
442 	uint32_t val;
443 
444 	char *endptr = vals[0];
445 
446 	assert(info->rs_result != REP_PROTOCOL_SUCCESS);
447 	assert(columns == 1);
448 
449 	if (vals[0] == NULL)
450 		return (BACKEND_CALLBACK_CONTINUE);
451 
452 	errno = 0;
453 	val = strtoul(vals[0], &endptr, 10);
454 	if ((val == 0 && endptr == vals[0]) || *endptr != 0 || errno != 0)
455 		backend_panic("malformed integer \"%20s\"", vals[0]);
456 
457 	*info->rs_out = val;
458 	info->rs_result = REP_PROTOCOL_SUCCESS;
459 	return (BACKEND_CALLBACK_CONTINUE);
460 }
461 
462 /*ARGSUSED*/
463 int
464 backend_fail_if_seen(void *arg, int columns, char **vals, char **names)
465 {
466 	return (BACKEND_CALLBACK_ABORT);
467 }
468 
469 /*
470  * check to see if we can successfully start a transaction;  if not, the
471  * filesystem is mounted read-only.
472  */
473 static int
474 backend_is_readonly(struct sqlite *db, const char *path)
475 {
476 	int r;
477 	statvfs64_t stat;
478 
479 	if (statvfs64(path, &stat) == 0 && (stat.f_flag & ST_RDONLY))
480 		return (SQLITE_READONLY);
481 
482 	r = sqlite_exec(db,
483 	    "BEGIN TRANSACTION; "
484 	    "UPDATE schema_version SET schema_version = schema_version; ",
485 	    NULL, NULL, NULL);
486 	(void) sqlite_exec(db, "ROLLBACK TRANSACTION", NULL, NULL, NULL);
487 	return (r);
488 }
489 
490 static void
491 backend_trace_sql(void *arg, const char *sql)
492 {
493 	sqlite_backend_t *be = arg;
494 
495 	if (backend_print_trace) {
496 		(void) fprintf(stderr, "%d: %s\n", be->be_type, sql);
497 	}
498 }
499 
500 static sqlite_backend_t be_info[BACKEND_TYPE_TOTAL];
501 static sqlite_backend_t *bes[BACKEND_TYPE_TOTAL];
502 
503 /*
504  * For a native build,  repositories are created from scratch, so upgrade
505  * is not an issue.  This variable is implicitly protected by
506  * bes[BACKEND_TYPE_NORMAL]->be_lock.
507  */
508 #ifdef NATIVE_BUILD
509 static boolean_t be_normal_upgraded = B_TRUE;
510 #else
511 static boolean_t be_normal_upgraded = B_FALSE;
512 #endif	/* NATIVE_BUILD */
513 
514 /*
515  * Has backend been upgraded? In nonpersistent case, answer is always
516  * yes.
517  */
518 boolean_t
519 backend_is_upgraded(backend_tx_t *bt)
520 {
521 	if (bt->bt_type == BACKEND_TYPE_NONPERSIST)
522 		return (B_TRUE);
523 	return (be_normal_upgraded);
524 }
525 
526 #define	BACKEND_PANIC_TIMEOUT	(50 * MILLISEC)
527 /*
528  * backend_panic() -- some kind of database problem or corruption has been hit.
529  * We attempt to quiesce the other database users -- all of the backend sql
530  * entry points will call backend_panic(NULL) if a panic is in progress, as
531  * will any attempt to start a transaction.
532  *
533  * We give threads holding a backend lock 50ms (BACKEND_PANIC_TIMEOUT) to
534  * either drop the lock or call backend_panic().  If they don't respond in
535  * time, we'll just exit anyway.
536  */
537 void
538 backend_panic(const char *format, ...)
539 {
540 	int i;
541 	va_list args;
542 	int failed = 0;
543 
544 	(void) pthread_mutex_lock(&backend_panic_lock);
545 	if (backend_panic_thread != 0) {
546 		(void) pthread_mutex_unlock(&backend_panic_lock);
547 		/*
548 		 * first, drop any backend locks we're holding, then
549 		 * sleep forever on the panic_cv.
550 		 */
551 		for (i = 0; i < BACKEND_TYPE_TOTAL; i++) {
552 			if (bes[i] != NULL &&
553 			    bes[i]->be_thread == pthread_self())
554 				(void) pthread_mutex_unlock(&bes[i]->be_lock);
555 		}
556 		(void) pthread_mutex_lock(&backend_panic_lock);
557 		for (;;)
558 			(void) pthread_cond_wait(&backend_panic_cv,
559 			    &backend_panic_lock);
560 	}
561 	backend_panic_thread = pthread_self();
562 	(void) pthread_mutex_unlock(&backend_panic_lock);
563 
564 	for (i = 0; i < BACKEND_TYPE_TOTAL; i++) {
565 		if (bes[i] != NULL && bes[i]->be_thread == pthread_self())
566 			(void) pthread_mutex_unlock(&bes[i]->be_lock);
567 	}
568 
569 	va_start(args, format);
570 	configd_vcritical(format, args);
571 	va_end(args);
572 
573 	for (i = 0; i < BACKEND_TYPE_TOTAL; i++) {
574 		timespec_t rel;
575 
576 		rel.tv_sec = 0;
577 		rel.tv_nsec = BACKEND_PANIC_TIMEOUT;
578 
579 		if (bes[i] != NULL && bes[i]->be_thread != pthread_self()) {
580 			if (pthread_mutex_reltimedlock_np(&bes[i]->be_lock,
581 			    &rel) != 0)
582 				failed++;
583 		}
584 	}
585 	if (failed) {
586 		configd_critical("unable to quiesce database\n");
587 	}
588 
589 	if (backend_panic_abort)
590 		abort();
591 
592 	exit(CONFIGD_EXIT_DATABASE_BAD);
593 }
594 
595 /*
596  * Returns
597  *   _SUCCESS
598  *   _DONE - callback aborted query
599  *   _NO_RESOURCES - out of memory (_FULL & _TOOBIG?)
600  */
601 static int
602 backend_error(sqlite_backend_t *be, int error, char *errmsg)
603 {
604 	if (error == SQLITE_OK)
605 		return (REP_PROTOCOL_SUCCESS);
606 
607 	switch (error) {
608 	case SQLITE_ABORT:
609 		free(errmsg);
610 		return (REP_PROTOCOL_DONE);
611 
612 	case SQLITE_NOMEM:
613 	case SQLITE_FULL:
614 	case SQLITE_TOOBIG:
615 		free(errmsg);
616 		return (REP_PROTOCOL_FAIL_NO_RESOURCES);
617 
618 	default:
619 		backend_panic("%s: db error: %s", be->be_path, errmsg);
620 		/*NOTREACHED*/
621 	}
622 }
623 
624 static void
625 backend_backup_cleanup(const char **out_arg, ssize_t out_sz)
626 {
627 	char **out = (char **)out_arg;
628 
629 	while (out_sz-- > 0)
630 		free(*out++);
631 	free(out_arg);
632 }
633 
634 /*
635  * builds a inverse-time-sorted array of backup files.  The path is a
636  * a single buffer, and the pointers look like:
637  *
638  *	/this/is/a/full/path/to/repository-name-YYYYMMDDHHMMSS
639  *	^pathname		^	       ^(pathname+pathlen)
640  *				basename
641  *
642  * dirname will either be pathname, or ".".
643  *
644  * Returns the number of elements in the array, 0 if there are no previous
645  * backups, or -1 on error.
646  */
647 static ssize_t
648 backend_backup_get_prev(char *pathname, size_t pathlen, const char ***out_arg)
649 {
650 	char b_start, b_end;
651 	DIR *dir;
652 	char **out = NULL;
653 	char *name, *p;
654 	char *dirname, *basename;
655 	char *pathend;
656 	struct dirent *ent;
657 
658 	size_t count = 0;
659 	size_t baselen;
660 
661 	/*
662 	 * year, month, day, hour, min, sec, plus an '_'.
663 	 */
664 	const size_t ndigits = 4 + 5*2 + 1;
665 	const size_t baroffset = 4 + 2*2;
666 
667 	size_t idx;
668 
669 	pathend = pathname + pathlen;
670 	b_end = *pathend;
671 	*pathend = '\0';
672 
673 	basename = strrchr(pathname, '/');
674 
675 	if (basename != NULL) {
676 		assert(pathend > pathname && basename < pathend);
677 		basename++;
678 		dirname = pathname;
679 	} else {
680 		basename = pathname;
681 		dirname = ".";
682 	}
683 
684 	baselen = strlen(basename);
685 
686 	/*
687 	 * munge the string temporarily for the opendir(), then restore it.
688 	 */
689 	b_start = basename[0];
690 
691 	basename[0] = '\0';
692 	dir = opendir(dirname);
693 	basename[0] = b_start;		/* restore path */
694 
695 	if (dir == NULL)
696 		goto fail;
697 
698 
699 	while ((ent = readdir(dir)) != NULL) {
700 		/*
701 		 * Must match:
702 		 *	basename-YYYYMMDD_HHMMSS
703 		 * or we ignore it.
704 		 */
705 		if (strncmp(ent->d_name, basename, baselen) != 0)
706 			continue;
707 
708 		name = ent->d_name;
709 		if (name[baselen] != '-')
710 			continue;
711 
712 		p = name + baselen + 1;
713 
714 		for (idx = 0; idx < ndigits; idx++) {
715 			char c = p[idx];
716 			if (idx == baroffset && c != '_')
717 				break;
718 			if (idx != baroffset && (c < '0' || c > '9'))
719 				break;
720 		}
721 		if (idx != ndigits || p[idx] != '\0')
722 			continue;
723 
724 		/*
725 		 * We have a match.  insertion-sort it into our list.
726 		 */
727 		name = strdup(name);
728 		if (name == NULL)
729 			goto fail_closedir;
730 		p = strrchr(name, '-');
731 
732 		for (idx = 0; idx < count; idx++) {
733 			char *tmp = out[idx];
734 			char *tp = strrchr(tmp, '-');
735 
736 			int cmp = strcmp(p, tp);
737 			if (cmp == 0)
738 				cmp = strcmp(name, tmp);
739 
740 			if (cmp == 0) {
741 				free(name);
742 				name = NULL;
743 				break;
744 			} else if (cmp > 0) {
745 				out[idx] = name;
746 				name = tmp;
747 				p = tp;
748 			}
749 		}
750 
751 		if (idx == count) {
752 			char **new_out = realloc(out,
753 			    (count + 1) * sizeof (*out));
754 
755 			if (new_out == NULL) {
756 				free(name);
757 				goto fail_closedir;
758 			}
759 
760 			out = new_out;
761 			out[count++] = name;
762 		} else {
763 			assert(name == NULL);
764 		}
765 	}
766 	(void) closedir(dir);
767 
768 	basename[baselen] = b_end;
769 
770 	*out_arg = (const char **)out;
771 	return (count);
772 
773 fail_closedir:
774 	(void) closedir(dir);
775 fail:
776 	basename[0] = b_start;
777 	*pathend = b_end;
778 
779 	backend_backup_cleanup((const char **)out, count);
780 
781 	*out_arg = NULL;
782 	return (-1);
783 }
784 
785 /*
786  * Copies the repository path into out, a buffer of out_len bytes,
787  * removes the ".db" (or whatever) extension, and, if name is non-NULL,
788  * appends "-name" to it.  If name is non-NULL, it can fail with:
789  *
790  *	_TRUNCATED	will not fit in buffer.
791  *	_BAD_REQUEST	name is not a valid identifier
792  */
793 static rep_protocol_responseid_t
794 backend_backup_base(sqlite_backend_t *be, const char *name,
795     char *out, size_t out_len)
796 {
797 	char *p, *q;
798 	size_t len;
799 
800 	/*
801 	 * for paths of the form /path/to/foo.db, we truncate at the final
802 	 * '.'.
803 	 */
804 	(void) strlcpy(out, IS_VOLATILE(be) ? be->be_ppath : be->be_path,
805 	    out_len);
806 
807 	p = strrchr(out, '/');
808 	q = strrchr(out, '.');
809 
810 	if (p != NULL && q != NULL && q > p)
811 		*q = 0;
812 
813 	if (name != NULL) {
814 		len = strlen(out);
815 		assert(len < out_len);
816 
817 		out += len;
818 		out_len -= len;
819 
820 		len = strlen(name);
821 
822 		/*
823 		 * verify that the name tag is entirely alphabetic,
824 		 * non-empty, and not too long.
825 		 */
826 		if (len == 0 || len >= REP_PROTOCOL_NAME_LEN ||
827 		    uu_check_name(name, UU_NAME_DOMAIN) < 0)
828 			return (REP_PROTOCOL_FAIL_BAD_REQUEST);
829 
830 		if (snprintf(out, out_len, "-%s", name) >= out_len)
831 			return (REP_PROTOCOL_FAIL_TRUNCATED);
832 	}
833 
834 	return (REP_PROTOCOL_SUCCESS);
835 }
836 
837 /*
838  * Make a checkpoint of the repository, so that we can use it for a backup
839  * when the root file system becomes read/write.  We'll first copy the
840  * repository into a temporary file and then rename it to
841  * REPOSITORY_CHECKPOINT.  This is protection against configd crashing in
842  * the middle of the copy and leaving a partial copy at
843  * REPOSITORY_CHECKPOINT.  Renames are atomic.
844  */
845 static rep_protocol_responseid_t
846 backend_checkpoint_repository(sqlite_backend_t *be)
847 {
848 	rep_protocol_responseid_t r;
849 
850 	assert(be->be_readonly);	/* Only need a checkpoint if / is ro */
851 	assert(be->be_type == BACKEND_TYPE_NORMAL);
852 	assert(be->be_checkpoint == NULL); /* Only 1 checkpoint */
853 
854 	r = backend_copy_repository(be->be_path, REPOSITORY_CHECKPOINT, 0);
855 	if (r == REP_PROTOCOL_SUCCESS)
856 		be->be_checkpoint = REPOSITORY_CHECKPOINT;
857 
858 	flight_recorder_event(BE_FLIGHT_EV_CHECKPOINT,
859 	    r == REP_PROTOCOL_SUCCESS ? BE_FLIGHT_ST_SUCCESS :
860 	    BE_FLIGHT_ST_FAIL);
861 
862 	return (r);
863 }
864 
865 /*
866  * See if a backup is needed.  We do a backup unless both files are
867  * byte-for-byte identical.
868  */
869 static int
870 backend_check_backup_needed(const char *rep_name, const char *backup_name)
871 {
872 	int repfd = open(rep_name, O_RDONLY);
873 	int fd = open(backup_name, O_RDONLY);
874 	struct stat s_rep, s_backup;
875 	int c1, c2;
876 
877 	FILE *f_rep = NULL;
878 	FILE *f_backup = NULL;
879 
880 	if (repfd < 0 || fd < 0)
881 		goto fail;
882 
883 	if (fstat(repfd, &s_rep) < 0 || fstat(fd, &s_backup) < 0)
884 		goto fail;
885 
886 	/*
887 	 * if they are the same file, we need to do a backup to break the
888 	 * hard link or symlink involved.
889 	 */
890 	if (s_rep.st_ino == s_backup.st_ino && s_rep.st_dev == s_backup.st_dev)
891 		goto fail;
892 
893 	if (s_rep.st_size != s_backup.st_size)
894 		goto fail;
895 
896 	if ((f_rep = fdopen(repfd, "r")) == NULL ||
897 	    (f_backup = fdopen(fd, "r")) == NULL)
898 		goto fail;
899 
900 	do {
901 		c1 = getc(f_rep);
902 		c2 = getc(f_backup);
903 		if (c1 != c2)
904 			goto fail;
905 	} while (c1 != EOF);
906 
907 	if (!ferror(f_rep) && !ferror(f_backup)) {
908 		(void) fclose(f_rep);
909 		(void) fclose(f_backup);
910 		(void) close(repfd);
911 		(void) close(fd);
912 		return (0);
913 	}
914 
915 fail:
916 	if (f_rep != NULL)
917 		(void) fclose(f_rep);
918 	if (f_backup != NULL)
919 		(void) fclose(f_backup);
920 	if (repfd >= 0)
921 		(void) close(repfd);
922 	if (fd >= 0)
923 		(void) close(fd);
924 	return (1);
925 }
926 
927 /*
928  * This interface is called to perform the actual copy
929  *
930  * Return:
931  *	_FAIL_UNKNOWN		read/write fails
932  *	_FAIL_NO_RESOURCES	out of memory
933  *	_SUCCESS		copy succeeds
934  */
935 static rep_protocol_responseid_t
936 backend_do_copy(const char *src, int srcfd, const char *dst,
937     int dstfd, size_t *sz)
938 {
939 	char *buf;
940 	off_t nrd, nwr, n, r_off = 0, w_off = 0;
941 
942 	if ((buf = malloc(8192)) == NULL)
943 		return (REP_PROTOCOL_FAIL_NO_RESOURCES);
944 
945 	while ((nrd = read(srcfd, buf, 8192)) != 0) {
946 		if (nrd < 0) {
947 			if (errno == EINTR)
948 				continue;
949 
950 			configd_critical(
951 			    "Backend copy failed: fails to read from %s "
952 			    "at offset %d: %s\n", src, r_off, strerror(errno));
953 			free(buf);
954 			return (REP_PROTOCOL_FAIL_UNKNOWN);
955 		}
956 
957 		r_off += nrd;
958 
959 		nwr = 0;
960 		do {
961 			if ((n = write(dstfd, &buf[nwr], nrd - nwr)) < 0) {
962 				if (errno == EINTR)
963 					continue;
964 
965 				configd_critical(
966 				    "Backend copy failed: fails to write to %s "
967 				    "at offset %d: %s\n", dst, w_off,
968 				    strerror(errno));
969 				free(buf);
970 				return (REP_PROTOCOL_FAIL_UNKNOWN);
971 			}
972 
973 			nwr += n;
974 			w_off += n;
975 
976 		} while (nwr < nrd);
977 	}
978 
979 	if (sz)
980 		*sz = w_off;
981 
982 	free(buf);
983 	return (REP_PROTOCOL_SUCCESS);
984 }
985 
986 /*
987  * Can return:
988  *	_BAD_REQUEST		name is not valid
989  *	_TRUNCATED		name is too long for current repository path
990  *	_UNKNOWN		failed for unknown reason (details written to
991  *				console)
992  *	_BACKEND_READONLY	backend is not writable
993  *	_NO_RESOURCES		out of memory
994  *	_SUCCESS		Backup completed successfully.
995  */
996 static rep_protocol_responseid_t
997 backend_create_backup_locked(sqlite_backend_t *be, const char *name)
998 {
999 	const char **old_list;
1000 	ssize_t old_sz;
1001 	ssize_t old_max = max_repository_backups;
1002 	ssize_t cur;
1003 	char *finalname;
1004 	char *finalpath;
1005 	char *tmppath;
1006 	int infd, outfd;
1007 	size_t len;
1008 	time_t now;
1009 	struct tm now_tm;
1010 	be_flight_status_t backup_type;
1011 	rep_protocol_responseid_t result;
1012 	const char *src;
1013 	int use_checkpoint;
1014 
1015 	if (strcmp(name, REPOSITORY_BOOT_BACKUP) == 0) {
1016 		backup_type = BE_FLIGHT_ST_BOOT_BACKUP;
1017 	} else if (strcmp(name, "manifest_import") ==  0) {
1018 		backup_type = BE_FLIGHT_ST_MI_BACKUP;
1019 	} else {
1020 		backup_type = BE_FLIGHT_ST_OTHER_BACKUP;
1021 	}
1022 	flight_recorder_event(BE_FLIGHT_EV_BACKUP_ENTER, backup_type);
1023 
1024 	if ((finalpath = malloc(PATH_MAX)) == NULL)
1025 		return (REP_PROTOCOL_FAIL_NO_RESOURCES);
1026 
1027 	if ((tmppath = malloc(PATH_MAX)) == NULL) {
1028 		free(finalpath);
1029 		return (REP_PROTOCOL_FAIL_NO_RESOURCES);
1030 	}
1031 
1032 	if (be->be_readonly) {
1033 		flight_recorder_event(BE_FLIGHT_EV_NO_BACKUP, BE_FLIGHT_ST_RO);
1034 		result = REP_PROTOCOL_FAIL_BACKEND_READONLY;
1035 		goto out;
1036 	}
1037 
1038 	result = backend_backup_base(be, name, finalpath, PATH_MAX);
1039 	if (result != REP_PROTOCOL_SUCCESS)
1040 		goto out;
1041 
1042 	/*
1043 	 * If this is a boot backup and if we made a checkpoint before the
1044 	 * root file system became read/write, then we should use the
1045 	 * checkpoint as the source.  Otherwise, we'll use the actual
1046 	 * repository as the source.
1047 	 */
1048 	if (be->be_checkpoint && name &&
1049 	    strcmp(REPOSITORY_BOOT_BACKUP, name) == 0) {
1050 		backup_type = BE_FLIGHT_ST_CHECKPOINT_BACKUP;
1051 		use_checkpoint = 1;
1052 		src = be->be_checkpoint;
1053 	} else {
1054 		backup_type = BE_FLIGHT_ST_REPO_BACKUP;
1055 		use_checkpoint = 0;
1056 		src = be->be_path;
1057 	}
1058 	flight_recorder_event(BE_FLIGHT_EV_BACKUP, backup_type);
1059 	if (!backend_check_backup_needed(src, finalpath)) {
1060 		/*
1061 		 * No changes, so there is no need for a backup.
1062 		 */
1063 		flight_recorder_event(BE_FLIGHT_EV_NO_BACKUP,
1064 		    BE_FLIGHT_ST_DUPLICATE);
1065 		result = REP_PROTOCOL_SUCCESS;
1066 		goto out;
1067 	}
1068 
1069 	/*
1070 	 * remember the original length, and the basename location
1071 	 */
1072 	len = strlen(finalpath);
1073 	finalname = strrchr(finalpath, '/');
1074 	if (finalname != NULL)
1075 		finalname++;
1076 	else
1077 		finalname = finalpath;
1078 
1079 	(void) strlcpy(tmppath, finalpath, PATH_MAX);
1080 	if (strlcat(tmppath, "-tmpXXXXXX", PATH_MAX) >= PATH_MAX) {
1081 		result = REP_PROTOCOL_FAIL_TRUNCATED;
1082 		goto out;
1083 	}
1084 
1085 	now = time(NULL);
1086 	if (localtime_r(&now, &now_tm) == NULL) {
1087 		configd_critical(
1088 		    "\"%s\" backup failed: localtime(3C) failed: %s\n", name,
1089 		    strerror(errno));
1090 		result = REP_PROTOCOL_FAIL_UNKNOWN;
1091 		goto out;
1092 	}
1093 
1094 	if (strftime(finalpath + len, PATH_MAX - len,
1095 	    "-%Y""%m""%d""_""%H""%M""%S", &now_tm) >= PATH_MAX - len) {
1096 		result = REP_PROTOCOL_FAIL_TRUNCATED;
1097 		goto out;
1098 	}
1099 
1100 	infd = open(src, O_RDONLY);
1101 	if (infd < 0) {
1102 		configd_critical("\"%s\" backup failed: opening %s: %s\n", name,
1103 		    src, strerror(errno));
1104 		result = REP_PROTOCOL_FAIL_UNKNOWN;
1105 		goto out;
1106 	}
1107 
1108 	outfd = mkstemp(tmppath);
1109 	if (outfd < 0) {
1110 		configd_critical("\"%s\" backup failed: mkstemp(%s): %s\n",
1111 		    name, tmppath, strerror(errno));
1112 		(void) close(infd);
1113 		result = REP_PROTOCOL_FAIL_UNKNOWN;
1114 		goto out;
1115 	}
1116 
1117 	if ((result = backend_do_copy(src, infd, (const char *)tmppath,
1118 	    outfd, NULL)) != REP_PROTOCOL_SUCCESS)
1119 		goto fail;
1120 
1121 	/*
1122 	 * grab the old list before doing our re-name.
1123 	 */
1124 	if (old_max > 0)
1125 		old_sz = backend_backup_get_prev(finalpath, len, &old_list);
1126 
1127 	if (rename(tmppath, finalpath) < 0) {
1128 		configd_critical(
1129 		    "\"%s\" backup failed: rename(%s, %s): %s\n",
1130 		    name, tmppath, finalpath, strerror(errno));
1131 		result = REP_PROTOCOL_FAIL_UNKNOWN;
1132 		goto fail;
1133 	}
1134 
1135 	tmppath[len] = 0;	/* strip -XXXXXX, for reference symlink */
1136 
1137 	(void) unlink(tmppath);
1138 	if (symlink(finalname, tmppath) < 0) {
1139 		configd_critical(
1140 		    "\"%s\" backup completed, but updating "
1141 		    "\"%s\" symlink to \"%s\" failed: %s\n",
1142 		    name, tmppath, finalname, strerror(errno));
1143 	}
1144 
1145 	if (old_max > 0 && old_sz > 0) {
1146 		/* unlink all but the first (old_max - 1) files */
1147 		for (cur = old_max - 1; cur < old_sz; cur++) {
1148 			(void) strlcpy(finalname, old_list[cur],
1149 			    PATH_MAX - (finalname - finalpath));
1150 			if (unlink(finalpath) < 0)
1151 				configd_critical(
1152 				    "\"%s\" backup completed, but removing old "
1153 				    "file \"%s\" failed: %s\n",
1154 				    name, finalpath, strerror(errno));
1155 		}
1156 
1157 		backend_backup_cleanup(old_list, old_sz);
1158 	}
1159 
1160 	result = REP_PROTOCOL_SUCCESS;
1161 	flight_recorder_event(BE_FLIGHT_EV_BACKUP, BE_FLIGHT_ST_SUCCESS);
1162 
1163 fail:
1164 	(void) close(infd);
1165 	(void) close(outfd);
1166 	if (result != REP_PROTOCOL_SUCCESS) {
1167 		flight_recorder_event(BE_FLIGHT_EV_BACKUP, BE_FLIGHT_ST_FAIL);
1168 		(void) unlink(tmppath);
1169 	}
1170 
1171 out:
1172 	/* Get rid of the checkpoint file now that we've used it. */
1173 	if (use_checkpoint && (result == REP_PROTOCOL_SUCCESS)) {
1174 		(void) unlink(be->be_checkpoint);
1175 		be->be_checkpoint = NULL;
1176 	}
1177 	free(finalpath);
1178 	free(tmppath);
1179 
1180 	return (result);
1181 }
1182 
1183 /*
1184  * Check if value_tbl has been upgraded in the main database,  and
1185  * if not (if the value_order column is not present),  and do_upgrade is true,
1186  * upgrade value_tbl in repository to contain the additional value_order
1187  * column. The version of sqlite used means ALTER TABLE is not
1188  * available, so we cannot simply use "ALTER TABLE value_tbl ADD COLUMN".
1189  * Rather we need to create a temporary table with the additional column,
1190  * import the value_tbl, drop the original value_tbl, recreate the value_tbl
1191  * with the additional column, import the values from value_tbl_tmp,
1192  * reindex and finally drop value_tbl_tmp.  During boot, we wish to check
1193  * if the repository has been upgraded before it is writable,  so that
1194  * property value retrieval can use the appropriate form of the SELECT
1195  * statement that retrieves property values.  As a result, we need to check
1196  * if the repository has been upgraded prior to the point when we can
1197  * actually carry out the update.
1198  */
1199 void
1200 backend_check_upgrade(sqlite_backend_t *be, boolean_t do_upgrade)
1201 {
1202 	char *errp;
1203 	int r;
1204 
1205 	if (be_normal_upgraded)
1206 		return;
1207 	/*
1208 	 * Test if upgrade is needed. If value_order column does not exist,
1209 	 * we need to upgrade the schema.
1210 	 */
1211 	r = sqlite_exec(be->be_db, "SELECT value_order FROM value_tbl LIMIT 1;",
1212 	    NULL, NULL, NULL);
1213 	if (r == SQLITE_ERROR && do_upgrade) {
1214 		/* No value_order column - needs upgrade */
1215 		configd_info("Upgrading SMF repository format...");
1216 		r = sqlite_exec(be->be_db,
1217 		    "BEGIN TRANSACTION; "
1218 		    "CREATE TABLE value_tbl_tmp ( "
1219 		    "value_id   INTEGER NOT NULL, "
1220 		    "value_type CHAR(1) NOT NULL, "
1221 		    "value_value VARCHAR NOT NULL, "
1222 		    "value_order INTEGER DEFAULT 0); "
1223 		    "INSERT INTO value_tbl_tmp "
1224 		    "(value_id, value_type, value_value) "
1225 		    "SELECT value_id, value_type, value_value FROM value_tbl; "
1226 		    "DROP TABLE value_tbl; "
1227 		    "CREATE TABLE value_tbl( "
1228 		    "value_id   INTEGER NOT NULL, "
1229 		    "value_type CHAR(1) NOT NULL, "
1230 		    "value_value VARCHAR NOT NULL, "
1231 		    "value_order INTEGER DEFAULT 0); "
1232 		    "INSERT INTO value_tbl SELECT * FROM value_tbl_tmp; "
1233 		    "CREATE INDEX value_tbl_id ON value_tbl (value_id); "
1234 		    "DROP TABLE value_tbl_tmp; "
1235 		    "COMMIT TRANSACTION; "
1236 		    "VACUUM; ",
1237 		    NULL, NULL, &errp);
1238 		if (r == SQLITE_OK) {
1239 			configd_info("SMF repository upgrade is complete.");
1240 		} else {
1241 			backend_panic("%s: repository upgrade failed: %s",
1242 			    be->be_path, errp);
1243 			/* NOTREACHED */
1244 		}
1245 	}
1246 	if (r == SQLITE_OK)
1247 		be_normal_upgraded = B_TRUE;
1248 	else
1249 		be_normal_upgraded = B_FALSE;
1250 }
1251 
1252 static int
1253 backend_check_readonly(sqlite_backend_t *be, int writing, hrtime_t t)
1254 {
1255 	const char *check_path;
1256 	char *errp;
1257 	struct sqlite *new;
1258 	int r;
1259 
1260 	assert(be->be_readonly);
1261 	assert(be == bes[BACKEND_TYPE_NORMAL]);
1262 
1263 	/*
1264 	 * If we don't *need* to be writable, only check every once in a
1265 	 * while.
1266 	 */
1267 	if (!writing) {
1268 		if ((uint64_t)(t - be->be_lastcheck) <
1269 		    BACKEND_READONLY_CHECK_INTERVAL)
1270 			return (REP_PROTOCOL_SUCCESS);
1271 		be->be_lastcheck = t;
1272 	}
1273 
1274 	/*
1275 	 * It could be that the repository has been moved to non-persistent
1276 	 * storage for performance reasons.  In this case we need to check
1277 	 * the persistent path to see if it is writable.  The
1278 	 * non-persistent path will always be writable.
1279 	 */
1280 	check_path = IS_VOLATILE(be) ? be->be_ppath : be->be_path;
1281 
1282 	new = sqlite_open(check_path, 0600, &errp);
1283 	if (new == NULL) {
1284 		backend_panic("reopening %s: %s\n", check_path, errp);
1285 		/*NOTREACHED*/
1286 	}
1287 	r = backend_is_readonly(new, check_path);
1288 
1289 	if (r != SQLITE_OK) {
1290 		/*
1291 		 * The underlying storage for the permanent repository is
1292 		 * still read-only, so we don't want to change the state or
1293 		 * move the checkpointed backup if it exists.  On the other
1294 		 * hand if the repository has been copied to volatile
1295 		 * storage, we'll let our caller go ahead and write to the
1296 		 * database.
1297 		 */
1298 		sqlite_close(new);
1299 		if (writing && (IS_VOLATILE(be) == 0))
1300 			return (REP_PROTOCOL_FAIL_BACKEND_READONLY);
1301 		return (REP_PROTOCOL_SUCCESS);
1302 	}
1303 
1304 	/*
1305 	 * We can write!  If the repository is not on volatile storage,
1306 	 * swap the db handles.  Mark ourself as writable, upgrade the
1307 	 * repository if necessary and make a backup.
1308 	 */
1309 	be->be_readonly = 0;
1310 	flight_recorder_event(BE_FLIGHT_EV_TRANS_RW, BE_FLIGHT_ST_RW);
1311 	if (IS_VOLATILE(be)) {
1312 		/*
1313 		 * If the repository is on volatile storage, don't switch
1314 		 * the handles.  We'll continue to use the repository that
1315 		 * is on tmpfs until we're told to move it back by one of
1316 		 * our clients.  Clients, specifically manifest_import,
1317 		 * move the repository to tmpfs for performance reasons,
1318 		 * and that is the reason to not switch it back until we're
1319 		 * told to do so.
1320 		 */
1321 		flight_recorder_event(BE_FLIGHT_EV_TRANS_RW,
1322 		    BE_FLIGHT_ST_NO_SWITCH);
1323 		sqlite_close(new);
1324 	} else {
1325 		flight_recorder_event(BE_FLIGHT_EV_TRANS_RW,
1326 		    BE_FLIGHT_ST_SWITCH);
1327 		sqlite_close(be->be_db);
1328 		be->be_db = new;
1329 	}
1330 
1331 	if (be->be_type == BACKEND_TYPE_NORMAL)
1332 		backend_check_upgrade(be, B_TRUE);
1333 
1334 	if (backend_create_backup_locked(be, REPOSITORY_BOOT_BACKUP) !=
1335 	    REP_PROTOCOL_SUCCESS) {
1336 		configd_critical(
1337 		    "unable to create \"%s\" backup of \"%s\"\n",
1338 		    REPOSITORY_BOOT_BACKUP, be->be_path);
1339 	}
1340 
1341 	return (REP_PROTOCOL_SUCCESS);
1342 }
1343 
1344 /*
1345  * If t is not BACKEND_TYPE_NORMAL, can fail with
1346  *   _BACKEND_ACCESS - backend does not exist
1347  *
1348  * If writing is nonzero, can also fail with
1349  *   _BACKEND_READONLY - backend is read-only
1350  */
1351 static int
1352 backend_lock(backend_type_t t, int writing, sqlite_backend_t **bep)
1353 {
1354 	sqlite_backend_t *be = NULL;
1355 	hrtime_t ts, vts;
1356 
1357 	*bep = NULL;
1358 
1359 	assert(t == BACKEND_TYPE_NORMAL ||
1360 	    t == BACKEND_TYPE_NONPERSIST);
1361 
1362 	be = bes[t];
1363 	if (t == BACKEND_TYPE_NORMAL)
1364 		assert(be != NULL);		/* should always be there */
1365 
1366 	if (be == NULL)
1367 		return (REP_PROTOCOL_FAIL_BACKEND_ACCESS);
1368 
1369 	if (backend_panic_thread != 0)
1370 		backend_panic(NULL);		/* don't proceed */
1371 
1372 	ts = gethrtime();
1373 	vts = gethrvtime();
1374 	(void) pthread_mutex_lock(&be->be_lock);
1375 	UPDATE_TOTALS_WR(be, writing, bt_lock, ts, vts);
1376 
1377 	if (backend_panic_thread != 0) {
1378 		(void) pthread_mutex_unlock(&be->be_lock);
1379 		backend_panic(NULL);		/* don't proceed */
1380 	}
1381 	be->be_thread = pthread_self();
1382 
1383 	if (be->be_readonly) {
1384 		int r;
1385 		assert(t == BACKEND_TYPE_NORMAL);
1386 
1387 		r = backend_check_readonly(be, writing, ts);
1388 		if (r != REP_PROTOCOL_SUCCESS) {
1389 			be->be_thread = 0;
1390 			(void) pthread_mutex_unlock(&be->be_lock);
1391 			return (r);
1392 		}
1393 	}
1394 
1395 	if (backend_do_trace)
1396 		(void) sqlite_trace(be->be_db, backend_trace_sql, be);
1397 	else
1398 		(void) sqlite_trace(be->be_db, NULL, NULL);
1399 
1400 	be->be_writing = writing;
1401 	*bep = be;
1402 	return (REP_PROTOCOL_SUCCESS);
1403 }
1404 
1405 static void
1406 backend_unlock(sqlite_backend_t *be)
1407 {
1408 	be->be_writing = 0;
1409 	be->be_thread = 0;
1410 	(void) pthread_mutex_unlock(&be->be_lock);
1411 }
1412 
1413 static void
1414 backend_destroy(sqlite_backend_t *be)
1415 {
1416 	if (be->be_db != NULL) {
1417 		sqlite_close(be->be_db);
1418 		be->be_db = NULL;
1419 	}
1420 	be->be_thread = 0;
1421 	(void) pthread_mutex_unlock(&be->be_lock);
1422 	(void) pthread_mutex_destroy(&be->be_lock);
1423 }
1424 
1425 static void
1426 backend_create_finish(backend_type_t backend_id, sqlite_backend_t *be)
1427 {
1428 	assert(MUTEX_HELD(&be->be_lock));
1429 	assert(be == &be_info[backend_id]);
1430 
1431 	bes[backend_id] = be;
1432 	(void) pthread_mutex_unlock(&be->be_lock);
1433 }
1434 
1435 static int
1436 backend_fd_write(int fd, const char *mess)
1437 {
1438 	int len = strlen(mess);
1439 	int written;
1440 
1441 	while (len > 0) {
1442 		if ((written = write(fd, mess, len)) < 0)
1443 			return (-1);
1444 		mess += written;
1445 		len -= written;
1446 	}
1447 	return (0);
1448 }
1449 
1450 /*
1451  * Can return:
1452  *	_BAD_REQUEST		name is not valid
1453  *	_TRUNCATED		name is too long for current repository path
1454  *	_UNKNOWN		failed for unknown reason (details written to
1455  *				console)
1456  *	_BACKEND_READONLY	backend is not writable
1457  *	_NO_RESOURCES		out of memory
1458  *	_SUCCESS		Backup completed successfully.
1459  */
1460 rep_protocol_responseid_t
1461 backend_create_backup(const char *name)
1462 {
1463 	rep_protocol_responseid_t result;
1464 	sqlite_backend_t *be;
1465 
1466 	flight_recorder_event(BE_FLIGHT_EV_BACKUP, BE_FLIGHT_ST_CLIENT);
1467 	result = backend_lock(BACKEND_TYPE_NORMAL, 0, &be);
1468 	assert(result == REP_PROTOCOL_SUCCESS);
1469 
1470 	result = backend_create_backup_locked(be, name);
1471 	backend_unlock(be);
1472 
1473 	return (result);
1474 }
1475 
1476 /*
1477  * This function makes a copy of the repository at src, placing the copy at
1478  * dst.  It is used to copy a repository on permanent storage to volatile
1479  * storage or vice versa.  If the source file is on volatile storage, it is
1480  * often times desirable to delete it after the copy has been made and
1481  * verified.  To remove the source repository, set remove_src to 1.
1482  *
1483  * Can return:
1484  *
1485  *	REP_PROTOCOL_SUCCESS		successful copy and rename
1486  *	REP_PROTOCOL_FAIL_UNKNOWN	file operation error
1487  *	REP_PROTOCOL_FAIL_NO_RESOURCES	out of memory
1488  */
1489 static rep_protocol_responseid_t
1490 backend_copy_repository(const char *src, const char *dst, int remove_src)
1491 {
1492 	int srcfd, dstfd;
1493 	char *tmppath = malloc(PATH_MAX);
1494 	rep_protocol_responseid_t res = REP_PROTOCOL_SUCCESS;
1495 	struct stat s_buf;
1496 	size_t cpsz, sz;
1497 
1498 	if (tmppath == NULL) {
1499 		res = REP_PROTOCOL_FAIL_NO_RESOURCES;
1500 		goto out;
1501 	}
1502 
1503 	/*
1504 	 * Create and open the related db files
1505 	 */
1506 	(void) strlcpy(tmppath, dst, PATH_MAX);
1507 	sz = strlcat(tmppath, "-XXXXXX", PATH_MAX);
1508 	assert(sz < PATH_MAX);
1509 	if (sz >= PATH_MAX) {
1510 		configd_critical(
1511 		    "Backend copy failed: strlcat %s: overflow\n", tmppath);
1512 		abort();
1513 	}
1514 
1515 	if ((dstfd = mkstemp(tmppath)) < 0) {
1516 		configd_critical("Backend copy failed: mkstemp %s: %s\n",
1517 		    tmppath, strerror(errno));
1518 		res = REP_PROTOCOL_FAIL_UNKNOWN;
1519 		goto out;
1520 	}
1521 
1522 	if ((srcfd = open(src, O_RDONLY)) < 0) {
1523 		configd_critical("Backend copy failed: opening %s: %s\n",
1524 		    src, strerror(errno));
1525 		res = REP_PROTOCOL_FAIL_UNKNOWN;
1526 		goto errexit;
1527 	}
1528 
1529 	/*
1530 	 * fstat the backend before copy for sanity check.
1531 	 */
1532 	if (fstat(srcfd, &s_buf) < 0) {
1533 		configd_critical("Backend copy failed: fstat %s: %s\n",
1534 		    src, strerror(errno));
1535 		res = REP_PROTOCOL_FAIL_UNKNOWN;
1536 		goto errexit;
1537 	}
1538 
1539 	if ((res = backend_do_copy(src, srcfd, dst, dstfd, &cpsz)) !=
1540 	    REP_PROTOCOL_SUCCESS)
1541 		goto errexit;
1542 
1543 	if (cpsz != s_buf.st_size) {
1544 		configd_critical("Backend copy failed: incomplete copy\n");
1545 		res = REP_PROTOCOL_FAIL_UNKNOWN;
1546 		goto errexit;
1547 	}
1548 
1549 	/*
1550 	 * Rename tmppath to dst
1551 	 */
1552 	if (rename(tmppath, dst) < 0) {
1553 		configd_critical(
1554 		    "Backend copy failed: rename %s to %s: %s\n",
1555 		    tmppath, dst, strerror(errno));
1556 		res = REP_PROTOCOL_FAIL_UNKNOWN;
1557 	}
1558 
1559 errexit:
1560 	if (res != REP_PROTOCOL_SUCCESS && unlink(tmppath) < 0)
1561 		configd_critical(
1562 		    "Backend copy failed: remove %s: %s\n",
1563 		    tmppath, strerror(errno));
1564 
1565 	(void) close(srcfd);
1566 	(void) close(dstfd);
1567 
1568 out:
1569 	free(tmppath);
1570 	if (remove_src) {
1571 		if (unlink(src) < 0)
1572 			configd_critical(
1573 			    "Backend copy failed: remove %s: %s\n",
1574 			    src, strerror(errno));
1575 	}
1576 
1577 	return (res);
1578 }
1579 
1580 /*
1581  * Perform sanity check on the repository.
1582  * Return 0 if check succeeds or -1 if fails.
1583  */
1584 static int
1585 backend_switch_check(struct sqlite *be_db, char **errp)
1586 {
1587 	struct run_single_int_info info;
1588 	uint32_t val = -1UL;
1589 	int r;
1590 
1591 	info.rs_out = &val;
1592 	info.rs_result = REP_PROTOCOL_FAIL_NOT_FOUND;
1593 
1594 	r = sqlite_exec(be_db,
1595 	    "SELECT schema_version FROM schema_version;",
1596 	    run_single_int_callback, &info, errp);
1597 
1598 	if (r == SQLITE_OK &&
1599 	    info.rs_result != REP_PROTOCOL_FAIL_NOT_FOUND &&
1600 	    val == BACKEND_SCHEMA_VERSION)
1601 		return (0);
1602 	else
1603 		return (-1);
1604 }
1605 
1606 /*
1607  * backend_switch() implements the REP_PROTOCOL_SWITCH request from
1608  * clients.  First, it blocks all other clients from accessing the
1609  * repository by calling backend_lock to lock the repository.  It either
1610  * copies the repository from it's permanent storage location
1611  * (REPOSITORY_DB) to its fast volatile location (FAST_REPOSITORY_DB), or
1612  * vice versa.  dir determines the direction of the copy.
1613  *
1614  *	dir = 0	Copy from permanent location to volatile location.
1615  *	dir = 1	Copy from volatile location to permanent location.
1616  *
1617  * Can return:
1618  *	REP_PROTOCOL_SUCCESS			successful switch
1619  *	REP_PROTOCOL_FAIL_BACKEND_ACCESS	backen access fails
1620  *	REP_PROTOCOL_FAIL_BACKEND_READONLY	backend is not writable
1621  *	REP_PROTOCOL_FAIL_UNKNOWN		file operation error
1622  *	REP_PROTOCOL_FAIL_NO_RESOURCES		out of memory
1623  */
1624 rep_protocol_responseid_t
1625 backend_switch(int dir)
1626 {
1627 	rep_protocol_responseid_t result;
1628 	sqlite_backend_t *be;
1629 	struct sqlite *new;
1630 	char *errp;
1631 	const char *dst;
1632 
1633 	flight_recorder_event(BE_FLIGHT_EV_SWITCH, BE_FLIGHT_ST_CLIENT);
1634 
1635 	/*
1636 	 * If switching back to the main repository, lock for writing.
1637 	 * Otherwise, lock for reading.
1638 	 */
1639 	result = backend_lock(BACKEND_TYPE_NORMAL, dir ? 1 : 0,
1640 	    &be);
1641 	if (result != REP_PROTOCOL_SUCCESS)
1642 		return (result);
1643 
1644 	if (dir) {
1645 		flight_recorder_event(BE_FLIGHT_EV_SWITCH,
1646 		    BE_FLIGHT_ST_PERMANENT);
1647 		dst = REPOSITORY_DB;
1648 	} else {
1649 		flight_recorder_event(BE_FLIGHT_EV_SWITCH,
1650 		    BE_FLIGHT_ST_FAST);
1651 		dst = FAST_REPOSITORY_DB;
1652 	}
1653 
1654 	/*
1655 	 * Do the actual copy and rename
1656 	 */
1657 	if (strcmp(be->be_path, dst) == 0) {
1658 		flight_recorder_event(BE_FLIGHT_EV_SWITCH,
1659 		    BE_FLIGHT_ST_DUPLICATE);
1660 		result = REP_PROTOCOL_SUCCESS;
1661 		goto errout;
1662 	}
1663 
1664 	result = backend_copy_repository(be->be_path, dst, dir);
1665 	if (result != REP_PROTOCOL_SUCCESS) {
1666 		goto errout;
1667 	}
1668 
1669 	/*
1670 	 * Do the backend sanity check and switch
1671 	 */
1672 	new = sqlite_open(dst, 0600, &errp);
1673 	if (new != NULL) {
1674 		/*
1675 		 * Sanity check
1676 		 */
1677 		if (backend_switch_check(new, &errp) == 0) {
1678 			free((char *)be->be_path);
1679 			be->be_path = strdup(dst);
1680 			if (be->be_path == NULL) {
1681 				configd_critical(
1682 				    "Backend switch failed: strdup %s: %s\n",
1683 				    dst, strerror(errno));
1684 				result = REP_PROTOCOL_FAIL_NO_RESOURCES;
1685 				sqlite_close(new);
1686 			} else {
1687 				sqlite_close(be->be_db);
1688 				be->be_db = new;
1689 				if (dir) {
1690 					/* We're back on permanent storage. */
1691 					be->be_ppath = NULL;
1692 				} else {
1693 					/*
1694 					 * Repository is now on volatile
1695 					 * storage.  Save the location of
1696 					 * the persistent repository.
1697 					 */
1698 					be->be_ppath = REPOSITORY_DB;
1699 				}
1700 			}
1701 		} else {
1702 			configd_critical(
1703 			    "Backend switch failed: integrity check %s: %s\n",
1704 			    dst, errp);
1705 			result = REP_PROTOCOL_FAIL_BACKEND_ACCESS;
1706 		}
1707 	} else {
1708 		configd_critical("Backend switch failed: sqlite_open %s: %s\n",
1709 		    dst, errp);
1710 		result = REP_PROTOCOL_FAIL_BACKEND_ACCESS;
1711 	}
1712 
1713 errout:
1714 	if (result == REP_PROTOCOL_SUCCESS) {
1715 		flight_recorder_event(BE_FLIGHT_EV_SWITCH,
1716 		    BE_FLIGHT_ST_SUCCESS);
1717 	} else {
1718 		flight_recorder_event(BE_FLIGHT_EV_SWITCH, BE_FLIGHT_ST_FAIL);
1719 	}
1720 	backend_unlock(be);
1721 	return (result);
1722 }
1723 
1724 /*
1725  * This routine is called to attempt the recovery of
1726  * the most recent valid repository if possible when configd
1727  * is restarted for some reasons or when system crashes
1728  * during the switch operation.  The repository databases
1729  * referenced here are indicators of successful switch
1730  * operations.
1731  */
1732 static backend_switch_results_t
1733 backend_switch_recovery(void)
1734 {
1735 	const char *fast_db = FAST_REPOSITORY_DB;
1736 	char *errp = NULL;
1737 	struct stat s_buf;
1738 	struct sqlite *be_db;
1739 	int r;
1740 	backend_switch_results_t res = BACKEND_SWITCH_OK;
1741 
1742 	/*
1743 	 * A good transient db containing most recent data can
1744 	 * exist if svc.configd crashes during the
1745 	 * switch operation.  If that is the case, check its
1746 	 * integrity and use it.
1747 	 */
1748 	if (stat(fast_db, &s_buf) < 0) {
1749 		return (BACKEND_SWITCH_OK);
1750 	}
1751 
1752 	/* Determine if persistent repository is read-only */
1753 	be_db = sqlite_open(REPOSITORY_DB, 0600, &errp);
1754 	if (be_db == NULL) {
1755 		configd_critical("Unable to open \"%s\".  %s\n",
1756 		    REPOSITORY_DB, errp == NULL ? "" : errp);
1757 		free(errp);
1758 		return (BACKEND_SWITCH_FATAL);
1759 	}
1760 	r = backend_is_readonly(be_db, REPOSITORY_DB);
1761 	sqlite_close(be_db);
1762 	if (r != SQLITE_OK) {
1763 		if (r == SQLITE_READONLY) {
1764 			return (BACKEND_SWITCH_RO);
1765 		}
1766 		return (BACKEND_SWITCH_FATAL);
1767 	}
1768 
1769 	/*
1770 	 * Do sanity check on the db
1771 	 */
1772 	be_db = sqlite_open(fast_db, 0600, &errp);
1773 
1774 	if (be_db != NULL) {
1775 		if (backend_switch_check(be_db, &errp) == 0) {
1776 			if (backend_copy_repository(fast_db,
1777 			    REPOSITORY_DB, 1) != REP_PROTOCOL_SUCCESS) {
1778 				res = BACKEND_SWITCH_FATAL;
1779 			}
1780 		}
1781 		sqlite_close(be_db);
1782 	}
1783 	free(errp);
1784 
1785 	/*
1786 	 * If we get to this point, the fast_db has either been copied or
1787 	 * it is useless.  Either way, get rid of it.
1788 	 */
1789 	(void) unlink(fast_db);
1790 
1791 	return (res);
1792 }
1793 
1794 /*ARGSUSED*/
1795 static int
1796 backend_integrity_callback(void *private, int narg, char **vals, char **cols)
1797 {
1798 	char **out = private;
1799 	char *old = *out;
1800 	char *new;
1801 	const char *info;
1802 	size_t len;
1803 	int x;
1804 
1805 	for (x = 0; x < narg; x++) {
1806 		if ((info = vals[x]) != NULL &&
1807 		    strcmp(info, "ok") != 0) {
1808 			len = (old == NULL)? 0 : strlen(old);
1809 			len += strlen(info) + 2;	/* '\n' + '\0' */
1810 
1811 			new = realloc(old, len);
1812 			if (new == NULL)
1813 				return (BACKEND_CALLBACK_ABORT);
1814 			if (old == NULL)
1815 				new[0] = 0;
1816 			old = *out = new;
1817 			(void) strlcat(new, info, len);
1818 			(void) strlcat(new, "\n", len);
1819 		}
1820 	}
1821 	return (BACKEND_CALLBACK_CONTINUE);
1822 }
1823 
1824 #define	BACKEND_CREATE_LOCKED		-2
1825 #define	BACKEND_CREATE_FAIL		-1
1826 #define	BACKEND_CREATE_SUCCESS		0
1827 #define	BACKEND_CREATE_READONLY		1
1828 #define	BACKEND_CREATE_NEED_INIT	2
1829 static int
1830 backend_create(backend_type_t backend_id, const char *db_file,
1831     sqlite_backend_t **bep)
1832 {
1833 	char *errp;
1834 	char *integrity_results = NULL;
1835 	sqlite_backend_t *be;
1836 	int r;
1837 	uint32_t val = -1UL;
1838 	struct run_single_int_info info;
1839 	int fd;
1840 
1841 	assert(backend_id >= 0 && backend_id < BACKEND_TYPE_TOTAL);
1842 
1843 	be = &be_info[backend_id];
1844 
1845 	assert(be->be_db == NULL);
1846 
1847 	(void) pthread_mutex_init(&be->be_lock, NULL);
1848 	(void) pthread_mutex_lock(&be->be_lock);
1849 
1850 	be->be_type = backend_id;
1851 	be->be_path = strdup(db_file);
1852 	if (be->be_path == NULL) {
1853 		perror("malloc");
1854 		goto fail;
1855 	}
1856 
1857 	be->be_db = sqlite_open(be->be_path, 0600, &errp);
1858 
1859 	if (be->be_db == NULL) {
1860 		if (strstr(errp, "out of memory") != NULL) {
1861 			configd_critical("%s: %s\n", db_file, errp);
1862 			free(errp);
1863 
1864 			goto fail;
1865 		}
1866 
1867 		/* report it as an integrity failure */
1868 		integrity_results = errp;
1869 		errp = NULL;
1870 		goto integrity_fail;
1871 	}
1872 
1873 	/*
1874 	 * check if we are inited and of the correct schema version
1875 	 *
1876 	 */
1877 	info.rs_out = &val;
1878 	info.rs_result = REP_PROTOCOL_FAIL_NOT_FOUND;
1879 
1880 	r = sqlite_exec(be->be_db, "SELECT schema_version FROM schema_version;",
1881 	    run_single_int_callback, &info, &errp);
1882 	if (r == SQLITE_ERROR &&
1883 	    strcmp("no such table: schema_version", errp) == 0) {
1884 		free(errp);
1885 		/*
1886 		 * Could be an empty repository, could be pre-schema_version
1887 		 * schema.  Check for id_tbl, which has always been there.
1888 		 */
1889 		r = sqlite_exec(be->be_db, "SELECT count() FROM id_tbl;",
1890 		    NULL, NULL, &errp);
1891 		if (r == SQLITE_ERROR &&
1892 		    strcmp("no such table: id_tbl", errp) == 0) {
1893 			free(errp);
1894 			*bep = be;
1895 			return (BACKEND_CREATE_NEED_INIT);
1896 		}
1897 
1898 		configd_critical("%s: schema version mismatch\n", db_file);
1899 		goto fail;
1900 	}
1901 	if (r == SQLITE_BUSY || r == SQLITE_LOCKED) {
1902 		free(errp);
1903 		*bep = NULL;
1904 		backend_destroy(be);
1905 		return (BACKEND_CREATE_LOCKED);
1906 	}
1907 	if (r == SQLITE_OK) {
1908 		if (info.rs_result == REP_PROTOCOL_FAIL_NOT_FOUND ||
1909 		    val != BACKEND_SCHEMA_VERSION) {
1910 			configd_critical("%s: schema version mismatch\n",
1911 			    db_file);
1912 			goto fail;
1913 		}
1914 	}
1915 
1916 	/*
1917 	 * pull in the whole database sequentially.
1918 	 */
1919 	if ((fd = open(db_file, O_RDONLY)) >= 0) {
1920 		size_t sz = 64 * 1024;
1921 		char *buffer = malloc(sz);
1922 		if (buffer != NULL) {
1923 			while (read(fd, buffer, sz) > 0)
1924 				;
1925 			free(buffer);
1926 		}
1927 		(void) close(fd);
1928 	}
1929 
1930 	/*
1931 	 * run an integrity check
1932 	 */
1933 	r = sqlite_exec(be->be_db, "PRAGMA integrity_check;",
1934 	    backend_integrity_callback, &integrity_results, &errp);
1935 
1936 	if (r == SQLITE_BUSY || r == SQLITE_LOCKED) {
1937 		free(errp);
1938 		*bep = NULL;
1939 		backend_destroy(be);
1940 		return (BACKEND_CREATE_LOCKED);
1941 	}
1942 	if (r == SQLITE_ABORT) {
1943 		free(errp);
1944 		errp = NULL;
1945 		integrity_results = "out of memory running integrity check\n";
1946 	} else if (r != SQLITE_OK && integrity_results == NULL) {
1947 		integrity_results = errp;
1948 		errp = NULL;
1949 	}
1950 
1951 integrity_fail:
1952 	if (integrity_results != NULL) {
1953 		const char *fname = "/etc/svc/volatile/db_errors";
1954 		if ((fd = open(fname, O_CREAT|O_WRONLY|O_APPEND, 0600)) < 0) {
1955 			fname = NULL;
1956 		} else {
1957 			if (backend_fd_write(fd, "\n\n") < 0 ||
1958 			    backend_fd_write(fd, db_file) < 0 ||
1959 			    backend_fd_write(fd,
1960 			    ": PRAGMA integrity_check; failed.  Results:\n") <
1961 			    0 || backend_fd_write(fd, integrity_results) < 0 ||
1962 			    backend_fd_write(fd, "\n\n") < 0) {
1963 				fname = NULL;
1964 			}
1965 			(void) close(fd);
1966 		}
1967 
1968 		if (!is_main_repository ||
1969 		    backend_id == BACKEND_TYPE_NONPERSIST) {
1970 			if (fname != NULL)
1971 				configd_critical(
1972 				    "%s: integrity check failed. Details in "
1973 				    "%s\n", db_file, fname);
1974 			else
1975 				configd_critical(
1976 				    "%s: integrity check failed.\n",
1977 				    db_file);
1978 		} else {
1979 			(void) fprintf(stderr,
1980 "\n"
1981 "svc.configd: smf(5) database integrity check of:\n"
1982 "\n"
1983 "    %s\n"
1984 "\n"
1985 "  failed. The database might be damaged or a media error might have\n"
1986 "  prevented it from being verified.  Additional information useful to\n"
1987 "  your service provider%s%s\n"
1988 "\n"
1989 "  The system will not be able to boot until you have restored a working\n"
1990 "  database.  svc.startd(1M) will provide a sulogin(1M) prompt for recovery\n"
1991 "  purposes.  The command:\n"
1992 "\n"
1993 "    /lib/svc/bin/restore_repository\n"
1994 "\n"
1995 "  can be run to restore a backup version of your repository.  See\n"
1996 "  http://illumos.org/msg/SMF-8000-MY for more information.\n"
1997 "\n",
1998 			    db_file,
1999 			    (fname == NULL)? ":\n\n" : " is in:\n\n    ",
2000 			    (fname == NULL)? integrity_results : fname);
2001 		}
2002 		free(errp);
2003 		goto fail;
2004 	}
2005 
2006 	/*
2007 	 * Simply do check if backend has been upgraded.  We do not wish
2008 	 * to actually carry out upgrade here - the main repository may
2009 	 * not be writable at this point.  Actual upgrade is carried out
2010 	 * via backend_check_readonly().  This check is done so that
2011 	 * we determine repository state - upgraded or not - and then
2012 	 * the appropriate SELECT statement (value-ordered or not)
2013 	 * can be used when retrieving property values early in boot.
2014 	 */
2015 	if (backend_id == BACKEND_TYPE_NORMAL)
2016 		backend_check_upgrade(be, B_FALSE);
2017 	/*
2018 	 * check if we are writable
2019 	 */
2020 	r = backend_is_readonly(be->be_db, be->be_path);
2021 
2022 	if (r == SQLITE_BUSY || r == SQLITE_LOCKED) {
2023 		free(errp);
2024 		*bep = NULL;
2025 		backend_destroy(be);
2026 		return (BACKEND_CREATE_LOCKED);
2027 	}
2028 	if (r != SQLITE_OK && r != SQLITE_FULL) {
2029 		free(errp);
2030 		be->be_readonly = 1;
2031 		*bep = be;
2032 		return (BACKEND_CREATE_READONLY);
2033 	}
2034 
2035 	*bep = be;
2036 	return (BACKEND_CREATE_SUCCESS);
2037 
2038 fail:
2039 	*bep = NULL;
2040 	backend_destroy(be);
2041 	return (BACKEND_CREATE_FAIL);
2042 }
2043 
2044 /*
2045  * (arg & -arg) is, through the magic of twos-complement arithmetic, the
2046  * lowest set bit in arg.
2047  */
2048 static size_t
2049 round_up_to_p2(size_t arg)
2050 {
2051 	/*
2052 	 * Don't allow a zero result.
2053 	 */
2054 	assert(arg > 0 && ((ssize_t)arg > 0));
2055 
2056 	while ((arg & (arg - 1)) != 0)
2057 		arg += (arg & -arg);
2058 
2059 	return (arg);
2060 }
2061 
2062 /*
2063  * Returns
2064  *   _NO_RESOURCES - out of memory
2065  *   _BACKEND_ACCESS - backend type t (other than _NORMAL) doesn't exist
2066  *   _DONE - callback aborted query
2067  *   _SUCCESS
2068  */
2069 int
2070 backend_run(backend_type_t t, backend_query_t *q,
2071     backend_run_callback_f *cb, void *data)
2072 {
2073 	char *errmsg = NULL;
2074 	int ret;
2075 	sqlite_backend_t *be;
2076 	hrtime_t ts, vts;
2077 
2078 	if (q == NULL || q->bq_buf == NULL)
2079 		return (REP_PROTOCOL_FAIL_NO_RESOURCES);
2080 
2081 	if ((ret = backend_lock(t, 0, &be)) != REP_PROTOCOL_SUCCESS)
2082 		return (ret);
2083 
2084 	ts = gethrtime();
2085 	vts = gethrvtime();
2086 	ret = sqlite_exec(be->be_db, q->bq_buf, cb, data, &errmsg);
2087 	UPDATE_TOTALS(be, bt_exec, ts, vts);
2088 	ret = backend_error(be, ret, errmsg);
2089 	backend_unlock(be);
2090 
2091 	return (ret);
2092 }
2093 
2094 /*
2095  * Starts a "read-only" transaction -- i.e., locks out writers as long
2096  * as it is active.
2097  *
2098  * Fails with
2099  *   _NO_RESOURCES - out of memory
2100  *
2101  * If t is not _NORMAL, can also fail with
2102  *   _BACKEND_ACCESS - backend does not exist
2103  *
2104  * If writable is true, can also fail with
2105  *   _BACKEND_READONLY
2106  */
2107 static int
2108 backend_tx_begin_common(backend_type_t t, backend_tx_t **txp, int writable)
2109 {
2110 	backend_tx_t *ret;
2111 	sqlite_backend_t *be;
2112 	int r;
2113 
2114 	*txp = NULL;
2115 
2116 	ret = uu_zalloc(sizeof (*ret));
2117 	if (ret == NULL)
2118 		return (REP_PROTOCOL_FAIL_NO_RESOURCES);
2119 
2120 	if ((r = backend_lock(t, writable, &be)) != REP_PROTOCOL_SUCCESS) {
2121 		uu_free(ret);
2122 		return (r);
2123 	}
2124 
2125 	ret->bt_be = be;
2126 	ret->bt_readonly = !writable;
2127 	ret->bt_type = t;
2128 	ret->bt_full = 0;
2129 
2130 	*txp = ret;
2131 	return (REP_PROTOCOL_SUCCESS);
2132 }
2133 
2134 int
2135 backend_tx_begin_ro(backend_type_t t, backend_tx_t **txp)
2136 {
2137 	return (backend_tx_begin_common(t, txp, 0));
2138 }
2139 
2140 static void
2141 backend_tx_end(backend_tx_t *tx)
2142 {
2143 	sqlite_backend_t *be;
2144 
2145 	be = tx->bt_be;
2146 
2147 	if (tx->bt_full) {
2148 		struct sqlite *new;
2149 
2150 		/*
2151 		 * sqlite tends to be sticky with SQLITE_FULL, so we try
2152 		 * to get a fresh database handle if we got a FULL warning
2153 		 * along the way.  If that fails, no harm done.
2154 		 */
2155 		new = sqlite_open(be->be_path, 0600, NULL);
2156 		if (new != NULL) {
2157 			sqlite_close(be->be_db);
2158 			be->be_db = new;
2159 		}
2160 	}
2161 	backend_unlock(be);
2162 	tx->bt_be = NULL;
2163 	uu_free(tx);
2164 }
2165 
2166 void
2167 backend_tx_end_ro(backend_tx_t *tx)
2168 {
2169 	assert(tx->bt_readonly);
2170 	backend_tx_end(tx);
2171 }
2172 
2173 /*
2174  * Fails with
2175  *   _NO_RESOURCES - out of memory
2176  *   _BACKEND_ACCESS
2177  *   _BACKEND_READONLY
2178  */
2179 int
2180 backend_tx_begin(backend_type_t t, backend_tx_t **txp)
2181 {
2182 	int r;
2183 	char *errmsg;
2184 	hrtime_t ts, vts;
2185 
2186 	r = backend_tx_begin_common(t, txp, 1);
2187 	if (r != REP_PROTOCOL_SUCCESS)
2188 		return (r);
2189 
2190 	ts = gethrtime();
2191 	vts = gethrvtime();
2192 	r = sqlite_exec((*txp)->bt_be->be_db, "BEGIN TRANSACTION", NULL, NULL,
2193 	    &errmsg);
2194 	UPDATE_TOTALS((*txp)->bt_be, bt_exec, ts, vts);
2195 	if (r == SQLITE_FULL)
2196 		(*txp)->bt_full = 1;
2197 	r = backend_error((*txp)->bt_be, r, errmsg);
2198 
2199 	if (r != REP_PROTOCOL_SUCCESS) {
2200 		assert(r != REP_PROTOCOL_DONE);
2201 		(void) sqlite_exec((*txp)->bt_be->be_db,
2202 		    "ROLLBACK TRANSACTION", NULL, NULL, NULL);
2203 		backend_tx_end(*txp);
2204 		*txp = NULL;
2205 		return (r);
2206 	}
2207 
2208 	(*txp)->bt_readonly = 0;
2209 
2210 	return (REP_PROTOCOL_SUCCESS);
2211 }
2212 
2213 void
2214 backend_tx_rollback(backend_tx_t *tx)
2215 {
2216 	int r;
2217 	char *errmsg;
2218 	sqlite_backend_t *be;
2219 	hrtime_t ts, vts;
2220 
2221 	assert(tx != NULL && tx->bt_be != NULL && !tx->bt_readonly);
2222 	be = tx->bt_be;
2223 
2224 	ts = gethrtime();
2225 	vts = gethrvtime();
2226 	r = sqlite_exec(be->be_db, "ROLLBACK TRANSACTION", NULL, NULL,
2227 	    &errmsg);
2228 	UPDATE_TOTALS(be, bt_exec, ts, vts);
2229 	if (r == SQLITE_FULL)
2230 		tx->bt_full = 1;
2231 	(void) backend_error(be, r, errmsg);
2232 
2233 	backend_tx_end(tx);
2234 }
2235 
2236 /*
2237  * Fails with
2238  *   _NO_RESOURCES - out of memory
2239  */
2240 int
2241 backend_tx_commit(backend_tx_t *tx)
2242 {
2243 	int r, r2;
2244 	char *errmsg;
2245 	sqlite_backend_t *be;
2246 	hrtime_t ts, vts;
2247 
2248 	assert(tx != NULL && tx->bt_be != NULL && !tx->bt_readonly);
2249 	be = tx->bt_be;
2250 	ts = gethrtime();
2251 	vts = gethrvtime();
2252 	r = sqlite_exec(be->be_db, "COMMIT TRANSACTION", NULL, NULL,
2253 	    &errmsg);
2254 	UPDATE_TOTALS(be, bt_exec, ts, vts);
2255 	if (r == SQLITE_FULL)
2256 		tx->bt_full = 1;
2257 
2258 	r = backend_error(be, r, errmsg);
2259 	assert(r != REP_PROTOCOL_DONE);
2260 
2261 	if (r != REP_PROTOCOL_SUCCESS) {
2262 		r2 = sqlite_exec(be->be_db, "ROLLBACK TRANSACTION", NULL, NULL,
2263 		    &errmsg);
2264 		r2 = backend_error(be, r2, errmsg);
2265 		if (r2 != REP_PROTOCOL_SUCCESS)
2266 			backend_panic("cannot rollback failed commit");
2267 
2268 		backend_tx_end(tx);
2269 		return (r);
2270 	}
2271 	backend_tx_end(tx);
2272 	return (REP_PROTOCOL_SUCCESS);
2273 }
2274 
2275 static const char *
2276 id_space_to_name(enum id_space id)
2277 {
2278 	switch (id) {
2279 	case BACKEND_ID_SERVICE_INSTANCE:
2280 		return ("SI");
2281 	case BACKEND_ID_PROPERTYGRP:
2282 		return ("PG");
2283 	case BACKEND_ID_GENERATION:
2284 		return ("GEN");
2285 	case BACKEND_ID_PROPERTY:
2286 		return ("PROP");
2287 	case BACKEND_ID_VALUE:
2288 		return ("VAL");
2289 	case BACKEND_ID_SNAPNAME:
2290 		return ("SNAME");
2291 	case BACKEND_ID_SNAPSHOT:
2292 		return ("SHOT");
2293 	case BACKEND_ID_SNAPLEVEL:
2294 		return ("SLVL");
2295 	default:
2296 		abort();
2297 		/*NOTREACHED*/
2298 	}
2299 }
2300 
2301 /*
2302  * Returns a new id or 0 if the id argument is invalid or the query fails.
2303  */
2304 uint32_t
2305 backend_new_id(backend_tx_t *tx, enum id_space id)
2306 {
2307 	struct run_single_int_info info;
2308 	uint32_t new_id = 0;
2309 	const char *name = id_space_to_name(id);
2310 	char *errmsg;
2311 	int ret;
2312 	sqlite_backend_t *be;
2313 	hrtime_t ts, vts;
2314 
2315 	assert(tx != NULL && tx->bt_be != NULL && !tx->bt_readonly);
2316 	be = tx->bt_be;
2317 
2318 	info.rs_out = &new_id;
2319 	info.rs_result = REP_PROTOCOL_FAIL_NOT_FOUND;
2320 
2321 	ts = gethrtime();
2322 	vts = gethrvtime();
2323 	ret = sqlite_exec_printf(be->be_db,
2324 	    "SELECT id_next FROM id_tbl WHERE (id_name = '%q');"
2325 	    "UPDATE id_tbl SET id_next = id_next + 1 WHERE (id_name = '%q');",
2326 	    run_single_int_callback, &info, &errmsg, name, name);
2327 	UPDATE_TOTALS(be, bt_exec, ts, vts);
2328 	if (ret == SQLITE_FULL)
2329 		tx->bt_full = 1;
2330 
2331 	ret = backend_error(be, ret, errmsg);
2332 
2333 	if (ret != REP_PROTOCOL_SUCCESS) {
2334 		return (0);
2335 	}
2336 
2337 	return (new_id);
2338 }
2339 
2340 /*
2341  * Returns
2342  *   _NO_RESOURCES - out of memory
2343  *   _DONE - callback aborted query
2344  *   _SUCCESS
2345  */
2346 int
2347 backend_tx_run(backend_tx_t *tx, backend_query_t *q,
2348     backend_run_callback_f *cb, void *data)
2349 {
2350 	char *errmsg = NULL;
2351 	int ret;
2352 	sqlite_backend_t *be;
2353 	hrtime_t ts, vts;
2354 
2355 	assert(tx != NULL && tx->bt_be != NULL);
2356 	be = tx->bt_be;
2357 
2358 	if (q == NULL || q->bq_buf == NULL)
2359 		return (REP_PROTOCOL_FAIL_NO_RESOURCES);
2360 
2361 	ts = gethrtime();
2362 	vts = gethrvtime();
2363 	ret = sqlite_exec(be->be_db, q->bq_buf, cb, data, &errmsg);
2364 	UPDATE_TOTALS(be, bt_exec, ts, vts);
2365 	if (ret == SQLITE_FULL)
2366 		tx->bt_full = 1;
2367 	ret = backend_error(be, ret, errmsg);
2368 
2369 	return (ret);
2370 }
2371 
2372 /*
2373  * Returns
2374  *   _NO_RESOURCES - out of memory
2375  *   _NOT_FOUND - the query returned no results
2376  *   _SUCCESS - the query returned a single integer
2377  */
2378 int
2379 backend_tx_run_single_int(backend_tx_t *tx, backend_query_t *q, uint32_t *buf)
2380 {
2381 	struct run_single_int_info info;
2382 	int ret;
2383 
2384 	info.rs_out = buf;
2385 	info.rs_result = REP_PROTOCOL_FAIL_NOT_FOUND;
2386 
2387 	ret = backend_tx_run(tx, q, run_single_int_callback, &info);
2388 	assert(ret != REP_PROTOCOL_DONE);
2389 
2390 	if (ret != REP_PROTOCOL_SUCCESS)
2391 		return (ret);
2392 
2393 	return (info.rs_result);
2394 }
2395 
2396 /*
2397  * Fails with
2398  *   _NO_RESOURCES - out of memory
2399  */
2400 int
2401 backend_tx_run_update(backend_tx_t *tx, const char *format, ...)
2402 {
2403 	va_list a;
2404 	char *errmsg;
2405 	int ret;
2406 	sqlite_backend_t *be;
2407 	hrtime_t ts, vts;
2408 
2409 	assert(tx != NULL && tx->bt_be != NULL && !tx->bt_readonly);
2410 	be = tx->bt_be;
2411 
2412 	va_start(a, format);
2413 	ts = gethrtime();
2414 	vts = gethrvtime();
2415 	ret = sqlite_exec_vprintf(be->be_db, format, NULL, NULL, &errmsg, a);
2416 	UPDATE_TOTALS(be, bt_exec, ts, vts);
2417 	if (ret == SQLITE_FULL)
2418 		tx->bt_full = 1;
2419 	va_end(a);
2420 	ret = backend_error(be, ret, errmsg);
2421 	assert(ret != REP_PROTOCOL_DONE);
2422 
2423 	return (ret);
2424 }
2425 
2426 /*
2427  * returns REP_PROTOCOL_FAIL_NOT_FOUND if no changes occured
2428  */
2429 int
2430 backend_tx_run_update_changed(backend_tx_t *tx, const char *format, ...)
2431 {
2432 	va_list a;
2433 	char *errmsg;
2434 	int ret;
2435 	sqlite_backend_t *be;
2436 	hrtime_t ts, vts;
2437 
2438 	assert(tx != NULL && tx->bt_be != NULL && !tx->bt_readonly);
2439 	be = tx->bt_be;
2440 
2441 	va_start(a, format);
2442 	ts = gethrtime();
2443 	vts = gethrvtime();
2444 	ret = sqlite_exec_vprintf(be->be_db, format, NULL, NULL, &errmsg, a);
2445 	UPDATE_TOTALS(be, bt_exec, ts, vts);
2446 	if (ret == SQLITE_FULL)
2447 		tx->bt_full = 1;
2448 	va_end(a);
2449 
2450 	ret = backend_error(be, ret, errmsg);
2451 
2452 	return (ret);
2453 }
2454 
2455 #define	BACKEND_ADD_SCHEMA(be, file, tbls, idxs) \
2456 	(backend_add_schema((be), (file), \
2457 	    (tbls), sizeof (tbls) / sizeof (*(tbls)), \
2458 	    (idxs), sizeof (idxs) / sizeof (*(idxs))))
2459 
2460 static int
2461 backend_add_schema(sqlite_backend_t *be, const char *file,
2462     struct backend_tbl_info *tbls, int tbl_count,
2463     struct backend_idx_info *idxs, int idx_count)
2464 {
2465 	int i;
2466 	char *errmsg;
2467 	int ret;
2468 
2469 	/*
2470 	 * Create the tables.
2471 	 */
2472 	for (i = 0; i < tbl_count; i++) {
2473 		if (tbls[i].bti_name == NULL) {
2474 			assert(i + 1 == tbl_count);
2475 			break;
2476 		}
2477 		ret = sqlite_exec_printf(be->be_db,
2478 		    "CREATE TABLE %s (%s);\n",
2479 		    NULL, NULL, &errmsg, tbls[i].bti_name, tbls[i].bti_cols);
2480 
2481 		if (ret != SQLITE_OK) {
2482 			configd_critical(
2483 			    "%s: %s table creation fails: %s\n", file,
2484 			    tbls[i].bti_name, errmsg);
2485 			free(errmsg);
2486 			return (-1);
2487 		}
2488 	}
2489 
2490 	/*
2491 	 * Make indices on key tables and columns.
2492 	 */
2493 	for (i = 0; i < idx_count; i++) {
2494 		if (idxs[i].bxi_tbl == NULL) {
2495 			assert(i + 1 == idx_count);
2496 			break;
2497 		}
2498 
2499 		ret = sqlite_exec_printf(be->be_db,
2500 		    "CREATE INDEX %s_%s ON %s (%s);\n",
2501 		    NULL, NULL, &errmsg, idxs[i].bxi_tbl, idxs[i].bxi_idx,
2502 		    idxs[i].bxi_tbl, idxs[i].bxi_cols);
2503 
2504 		if (ret != SQLITE_OK) {
2505 			configd_critical(
2506 			    "%s: %s_%s index creation fails: %s\n", file,
2507 			    idxs[i].bxi_tbl, idxs[i].bxi_idx, errmsg);
2508 			free(errmsg);
2509 			return (-1);
2510 		}
2511 	}
2512 	return (0);
2513 }
2514 
2515 static int
2516 backend_init_schema(sqlite_backend_t *be, const char *db_file, backend_type_t t)
2517 {
2518 	int i;
2519 	char *errmsg;
2520 	int ret;
2521 
2522 	assert(t == BACKEND_TYPE_NORMAL || t == BACKEND_TYPE_NONPERSIST);
2523 
2524 	if (t == BACKEND_TYPE_NORMAL) {
2525 		ret = BACKEND_ADD_SCHEMA(be, db_file, tbls_normal, idxs_normal);
2526 	} else if (t == BACKEND_TYPE_NONPERSIST) {
2527 		ret = BACKEND_ADD_SCHEMA(be, db_file, tbls_np, idxs_np);
2528 	} else {
2529 		abort();		/* can't happen */
2530 	}
2531 
2532 	if (ret < 0) {
2533 		return (ret);
2534 	}
2535 
2536 	ret = BACKEND_ADD_SCHEMA(be, db_file, tbls_common, idxs_common);
2537 	if (ret < 0) {
2538 		return (ret);
2539 	}
2540 
2541 	/*
2542 	 * Add the schema version to the table
2543 	 */
2544 	ret = sqlite_exec_printf(be->be_db,
2545 	    "INSERT INTO schema_version (schema_version) VALUES (%d)",
2546 	    NULL, NULL, &errmsg, BACKEND_SCHEMA_VERSION);
2547 	if (ret != SQLITE_OK) {
2548 		configd_critical(
2549 		    "setting schema version fails: %s\n", errmsg);
2550 		free(errmsg);
2551 	}
2552 
2553 	/*
2554 	 * Populate id_tbl with initial IDs.
2555 	 */
2556 	for (i = 0; i < BACKEND_ID_INVALID; i++) {
2557 		const char *name = id_space_to_name(i);
2558 
2559 		ret = sqlite_exec_printf(be->be_db,
2560 		    "INSERT INTO id_tbl (id_name, id_next) "
2561 		    "VALUES ('%q', %d);", NULL, NULL, &errmsg, name, 1);
2562 		if (ret != SQLITE_OK) {
2563 			configd_critical(
2564 			    "id insertion for %s fails: %s\n", name, errmsg);
2565 			free(errmsg);
2566 			return (-1);
2567 		}
2568 	}
2569 	/*
2570 	 * Set the persistance of the database.  The normal database is marked
2571 	 * "synchronous", so that all writes are synchronized to stable storage
2572 	 * before proceeding.
2573 	 */
2574 	ret = sqlite_exec_printf(be->be_db,
2575 	    "PRAGMA default_synchronous = %s; PRAGMA synchronous = %s;",
2576 	    NULL, NULL, &errmsg,
2577 	    (t == BACKEND_TYPE_NORMAL)? "ON" : "OFF",
2578 	    (t == BACKEND_TYPE_NORMAL)? "ON" : "OFF");
2579 	if (ret != SQLITE_OK) {
2580 		configd_critical("pragma setting fails: %s\n", errmsg);
2581 		free(errmsg);
2582 		return (-1);
2583 	}
2584 
2585 	return (0);
2586 }
2587 
2588 int
2589 backend_init(const char *db_file, const char *npdb_file, int have_np)
2590 {
2591 	sqlite_backend_t *be;
2592 	char *errp;
2593 	struct sqlite *fast_db;
2594 	int r;
2595 	backend_switch_results_t switch_result = BACKEND_SWITCH_OK;
2596 	int writable_persist = 1;
2597 
2598 	/* set up our temporary directory */
2599 	sqlite_temp_directory = "/etc/svc/volatile";
2600 
2601 	if (strcmp(SQLITE_VERSION, sqlite_version) != 0) {
2602 		configd_critical("Mismatched link!  (%s should be %s)\n",
2603 		    sqlite_version, SQLITE_VERSION);
2604 		return (CONFIGD_EXIT_DATABASE_INIT_FAILED);
2605 	}
2606 
2607 	if (db_file == NULL)
2608 		db_file = REPOSITORY_DB;
2609 	if (strcmp(db_file, REPOSITORY_DB) != 0) {
2610 		is_main_repository = 0;
2611 	}
2612 
2613 	/*
2614 	 * If the svc.configd crashed, there might be a leftover transient
2615 	 * database at FAST_REPOSITORY_DB,which contains useful
2616 	 * information.  Both early manifest import and late manifest
2617 	 * import use svcadm to copy the repository to FAST_REPOSITORY_DB.
2618 	 * One reason for doing this is that it improves the performance of
2619 	 * manifest import.  The other reason is that the repository may be
2620 	 * on read-only root in the case of early manifest import.
2621 	 *
2622 	 * If FAST_REPOSITORY_DB exists, it is an indication that
2623 	 * svc.configd has been restarted for some reason.  Since we have
2624 	 * no way of knowing where we are in the boot process, the safe
2625 	 * thing to do is to move the repository back to it's non-transient
2626 	 * location, REPOSITORY_DB.  This may slow manifest import
2627 	 * performance, but it avoids the problem of missing the command to
2628 	 * move the repository to permanent storage.
2629 	 *
2630 	 * There is a caveat, though.  If root is read-only, we'll need to
2631 	 * leave the repository at FAST_REPOSITORY_DB.  If root is
2632 	 * read-only, late manifest import has not yet run, so it will move
2633 	 * the repository back to permanent storage when it runs.
2634 	 */
2635 	if (is_main_repository)
2636 		switch_result = backend_switch_recovery();
2637 
2638 	r = backend_create(BACKEND_TYPE_NORMAL, db_file, &be);
2639 	switch (r) {
2640 	case BACKEND_CREATE_FAIL:
2641 		return (CONFIGD_EXIT_DATABASE_INIT_FAILED);
2642 	case BACKEND_CREATE_LOCKED:
2643 		return (CONFIGD_EXIT_DATABASE_LOCKED);
2644 	case BACKEND_CREATE_SUCCESS:
2645 		break;		/* success */
2646 	case BACKEND_CREATE_READONLY:
2647 		writable_persist = 0;
2648 		break;
2649 	case BACKEND_CREATE_NEED_INIT:
2650 		if (backend_init_schema(be, db_file, BACKEND_TYPE_NORMAL)) {
2651 			backend_destroy(be);
2652 			return (CONFIGD_EXIT_DATABASE_INIT_FAILED);
2653 		}
2654 		break;
2655 	default:
2656 		abort();
2657 		/*NOTREACHED*/
2658 	}
2659 	backend_create_finish(BACKEND_TYPE_NORMAL, be);
2660 	flight_recorder_event(BE_FLIGHT_EV_REPO_CREATE,
2661 	    writable_persist == 1 ? BE_FLIGHT_ST_RW : BE_FLIGHT_ST_RO);
2662 	/*
2663 	 * If there was a transient repository that could not be copied
2664 	 * back because the root file system was read-only, switch over to
2665 	 * using the transient repository.
2666 	 */
2667 	if (switch_result == BACKEND_SWITCH_RO) {
2668 		char *db_name_copy = NULL;
2669 
2670 		fast_db = sqlite_open(FAST_REPOSITORY_DB, 0600, &errp);
2671 		if (fast_db == NULL) {
2672 			/* Can't open fast repository.  Stick with permanent. */
2673 			configd_critical("Cannot open \"%s\".  %s\n",
2674 			    FAST_REPOSITORY_DB, errp == NULL ? "" : errp);
2675 			free(errp);
2676 		} else {
2677 			db_name_copy = strdup(FAST_REPOSITORY_DB);
2678 			if (db_name_copy == NULL) {
2679 				configd_critical("backend_init: out of "
2680 				    "memory.\n");
2681 				sqlite_close(fast_db);
2682 				return (CONFIGD_EXIT_INIT_FAILED);
2683 			} else {
2684 				flight_recorder_event(
2685 				    BE_FLIGHT_EV_LINGERING_FAST,
2686 				    BE_FLIGHT_ST_RO);
2687 				sqlite_close(be->be_db);
2688 				be->be_db = fast_db;
2689 				be->be_ppath = be->be_path;
2690 				be->be_path = db_name_copy;
2691 			}
2692 		}
2693 	}
2694 
2695 	if (have_np) {
2696 		if (npdb_file == NULL)
2697 			npdb_file = NONPERSIST_DB;
2698 
2699 		r = backend_create(BACKEND_TYPE_NONPERSIST, npdb_file, &be);
2700 		switch (r) {
2701 		case BACKEND_CREATE_SUCCESS:
2702 			break;		/* success */
2703 		case BACKEND_CREATE_FAIL:
2704 			return (CONFIGD_EXIT_DATABASE_INIT_FAILED);
2705 		case BACKEND_CREATE_LOCKED:
2706 			return (CONFIGD_EXIT_DATABASE_LOCKED);
2707 		case BACKEND_CREATE_READONLY:
2708 			configd_critical("%s: unable to write\n", npdb_file);
2709 			return (CONFIGD_EXIT_DATABASE_INIT_FAILED);
2710 		case BACKEND_CREATE_NEED_INIT:
2711 			if (backend_init_schema(be, db_file,
2712 			    BACKEND_TYPE_NONPERSIST)) {
2713 				backend_destroy(be);
2714 				return (CONFIGD_EXIT_DATABASE_INIT_FAILED);
2715 			}
2716 			break;
2717 		default:
2718 			abort();
2719 			/*NOTREACHED*/
2720 		}
2721 		backend_create_finish(BACKEND_TYPE_NONPERSIST, be);
2722 
2723 		if (r != BACKEND_CREATE_NEED_INIT) {
2724 			flight_recorder_event(BE_FLIGHT_EV_RESTART,
2725 			    BE_FLIGHT_ST_INFO);
2726 		}
2727 
2728 		/*
2729 		 * If we started up with a writable filesystem, but the
2730 		 * non-persistent database needed initialization, we are
2731 		 * booting a non-global zone or a system with a writable
2732 		 * root (ZFS), so do a backup.  Checking to see if the
2733 		 * non-persistent database needed initialization also keeps
2734 		 * us from making additional backups if configd gets
2735 		 * restarted.
2736 		 */
2737 		if (r == BACKEND_CREATE_NEED_INIT && writable_persist &&
2738 		    backend_lock(BACKEND_TYPE_NORMAL, 0, &be) ==
2739 		    REP_PROTOCOL_SUCCESS) {
2740 			if (backend_create_backup_locked(be,
2741 			    REPOSITORY_BOOT_BACKUP) != REP_PROTOCOL_SUCCESS) {
2742 				configd_critical(
2743 				    "unable to create \"%s\" backup of "
2744 				    "\"%s\"\n", REPOSITORY_BOOT_BACKUP,
2745 				    be->be_path);
2746 			}
2747 			backend_unlock(be);
2748 		}
2749 
2750 		/*
2751 		 * On the other hand if we started with a read-only file
2752 		 * system and the non-persistent database needed
2753 		 * initialization, then we need to take a checkpoint of the
2754 		 * repository.  We grab the checkpoint now before Early
2755 		 * Manifest Import starts modifying the repository.  Then
2756 		 * when the file system becomes writable, the checkpoint
2757 		 * can be used to create the boot time backup of the
2758 		 * repository.  Checking that the non-persistent database
2759 		 * needed initialization, keeps us from making additional
2760 		 * checkpoints if configd gets restarted.
2761 		 */
2762 		if (r == BACKEND_CREATE_NEED_INIT && writable_persist == 0 &&
2763 		    backend_lock(BACKEND_TYPE_NORMAL, 0, &be) ==
2764 		    REP_PROTOCOL_SUCCESS) {
2765 			r = backend_checkpoint_repository(be);
2766 			if (r != REP_PROTOCOL_SUCCESS) {
2767 				configd_critical("unable to create checkpoint "
2768 				    "of \"%s\"\n", be->be_path);
2769 			}
2770 			backend_unlock(be);
2771 		}
2772 
2773 		/*
2774 		 * If the non-persistent database did not need
2775 		 * initialization, svc.configd has been restarted.  See if
2776 		 * the boot time checkpoint exists.  If it does, use it to
2777 		 * make a backup if root is writable.
2778 		 */
2779 		if (r != BACKEND_CREATE_NEED_INIT &&
2780 		    backend_lock(BACKEND_TYPE_NORMAL, 0, &be) ==
2781 		    REP_PROTOCOL_SUCCESS) {
2782 			struct stat sb;
2783 
2784 			if ((stat(REPOSITORY_CHECKPOINT, &sb) == 0) &&
2785 			    (sb.st_size > 0) && (sb.st_mode & S_IFREG)) {
2786 				be->be_checkpoint = REPOSITORY_CHECKPOINT;
2787 				flight_recorder_event(
2788 				    BE_FLIGHT_EV_CHECKPOINT_EXISTS,
2789 				    BE_FLIGHT_ST_INFO);
2790 			}
2791 
2792 			/*
2793 			 * If we have a checkpoint and root is writable,
2794 			 * make the backup now.
2795 			 */
2796 			if (be->be_checkpoint && writable_persist) {
2797 				if (backend_create_backup_locked(be,
2798 				    REPOSITORY_BOOT_BACKUP) !=
2799 				    REP_PROTOCOL_SUCCESS) {
2800 					configd_critical(
2801 					    "unable to create \"%s\" backup of "
2802 					    "\"%s\"\n", REPOSITORY_BOOT_BACKUP,
2803 					    be->be_path);
2804 				}
2805 			}
2806 			backend_unlock(be);
2807 		}
2808 	}
2809 
2810 	/*
2811 	 * If the persistent backend is writable at this point, upgrade it.
2812 	 * This can occur in a few cases, most notably on UFS roots if
2813 	 * we are operating on the backend from another root, as is the case
2814 	 * during alternate-root BFU.
2815 	 *
2816 	 * Otherwise, upgrade will occur via backend_check_readonly() when
2817 	 * the repository is re-opened read-write.
2818 	 */
2819 	if (writable_persist) {
2820 		r = backend_lock(BACKEND_TYPE_NORMAL, 1, &be);
2821 		assert(r == REP_PROTOCOL_SUCCESS);
2822 		backend_check_upgrade(be, B_TRUE);
2823 		backend_unlock(be);
2824 	}
2825 
2826 	return (CONFIGD_EXIT_OKAY);
2827 }
2828 
2829 /*
2830  * quiesce all database activity prior to exiting
2831  */
2832 void
2833 backend_fini(void)
2834 {
2835 	sqlite_backend_t *be_normal, *be_np;
2836 
2837 	(void) backend_lock(BACKEND_TYPE_NORMAL, 1, &be_normal);
2838 	(void) backend_lock(BACKEND_TYPE_NONPERSIST, 1, &be_np);
2839 }
2840 
2841 #define	QUERY_BASE	128
2842 backend_query_t *
2843 backend_query_alloc(void)
2844 {
2845 	backend_query_t *q;
2846 	q = calloc(1, sizeof (backend_query_t));
2847 	if (q != NULL) {
2848 		q->bq_size = QUERY_BASE;
2849 		q->bq_buf = calloc(1, q->bq_size);
2850 		if (q->bq_buf == NULL) {
2851 			q->bq_size = 0;
2852 		}
2853 
2854 	}
2855 	return (q);
2856 }
2857 
2858 void
2859 backend_query_append(backend_query_t *q, const char *value)
2860 {
2861 	char *alloc;
2862 	int count;
2863 	size_t size, old_len;
2864 
2865 	if (q == NULL) {
2866 		/* We'll discover the error when we try to run the query. */
2867 		return;
2868 	}
2869 
2870 	while (q->bq_buf != NULL) {
2871 		old_len = strlen(q->bq_buf);
2872 		size = q->bq_size;
2873 		count = strlcat(q->bq_buf, value, size);
2874 
2875 		if (count < size)
2876 			break;				/* success */
2877 
2878 		q->bq_buf[old_len] = 0;
2879 		size = round_up_to_p2(count + 1);
2880 
2881 		assert(size > q->bq_size);
2882 		alloc = realloc(q->bq_buf, size);
2883 		if (alloc == NULL) {
2884 			free(q->bq_buf);
2885 			q->bq_buf = NULL;
2886 			break;				/* can't grow */
2887 		}
2888 
2889 		q->bq_buf = alloc;
2890 		q->bq_size = size;
2891 	}
2892 }
2893 
2894 void
2895 backend_query_add(backend_query_t *q, const char *format, ...)
2896 {
2897 	va_list args;
2898 	char *new;
2899 
2900 	if (q == NULL || q->bq_buf == NULL)
2901 		return;
2902 
2903 	va_start(args, format);
2904 	new = sqlite_vmprintf(format, args);
2905 	va_end(args);
2906 
2907 	if (new == NULL) {
2908 		free(q->bq_buf);
2909 		q->bq_buf = NULL;
2910 		return;
2911 	}
2912 
2913 	backend_query_append(q, new);
2914 
2915 	free(new);
2916 }
2917 
2918 void
2919 backend_query_free(backend_query_t *q)
2920 {
2921 	if (q != NULL) {
2922 		if (q->bq_buf != NULL) {
2923 			free(q->bq_buf);
2924 		}
2925 		free(q);
2926 	}
2927 }
2928