2010-05-25 11:14:06 +00:00
|
|
|
/*
|
2012-12-12 16:27:01 +00:00
|
|
|
* vircommand.c: Child command execution
|
2010-05-25 11:14:06 +00:00
|
|
|
*
|
2014-02-19 01:06:50 +00:00
|
|
|
* Copyright (C) 2010-2014 Red Hat, Inc.
|
2010-05-25 11:14:06 +00:00
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
2012-09-20 22:30:55 +00:00
|
|
|
* License along with this library. If not, see
|
2012-07-21 10:06:23 +00:00
|
|
|
* <http://www.gnu.org/licenses/>.
|
2010-05-25 11:14:06 +00:00
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
|
|
#include <poll.h>
|
2014-03-18 14:35:01 +00:00
|
|
|
#include <regex.h>
|
2011-05-13 04:49:07 +00:00
|
|
|
#include <signal.h>
|
2010-05-25 11:14:06 +00:00
|
|
|
#include <stdarg.h>
|
|
|
|
#include <stdlib.h>
|
2010-12-06 23:36:34 +00:00
|
|
|
#include <sys/stat.h>
|
2010-05-25 11:14:06 +00:00
|
|
|
#include <sys/wait.h>
|
2011-05-10 18:42:59 +00:00
|
|
|
#include <fcntl.h>
|
|
|
|
|
2012-09-20 14:17:56 +00:00
|
|
|
#if WITH_CAPNG
|
2011-05-10 18:42:59 +00:00
|
|
|
# include <cap-ng.h>
|
|
|
|
#endif
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2013-02-01 19:32:37 +00:00
|
|
|
#if defined(WITH_SECDRIVER_SELINUX)
|
|
|
|
# include <selinux/selinux.h>
|
|
|
|
#endif
|
|
|
|
#if defined(WITH_SECDRIVER_APPARMOR)
|
|
|
|
# include <sys/apparmor.h>
|
|
|
|
#endif
|
|
|
|
|
2014-03-11 10:59:58 +00:00
|
|
|
#define __VIR_COMMAND_PRIV_H_ALLOW__
|
|
|
|
#include "vircommandpriv.h"
|
2012-12-12 18:06:53 +00:00
|
|
|
#include "viralloc.h"
|
2012-12-13 18:21:53 +00:00
|
|
|
#include "virerror.h"
|
2012-12-13 17:44:57 +00:00
|
|
|
#include "virutil.h"
|
2012-12-12 17:59:27 +00:00
|
|
|
#include "virlog.h"
|
2011-07-19 18:32:58 +00:00
|
|
|
#include "virfile.h"
|
2011-08-05 13:13:12 +00:00
|
|
|
#include "virpidfile.h"
|
2012-09-24 17:10:37 +00:00
|
|
|
#include "virprocess.h"
|
2012-12-04 12:04:07 +00:00
|
|
|
#include "virbuffer.h"
|
2013-02-08 14:17:44 +00:00
|
|
|
#include "virthread.h"
|
2013-04-03 10:36:23 +00:00
|
|
|
#include "virstring.h"
|
2010-11-22 13:31:35 +00:00
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
#define VIR_FROM_THIS VIR_FROM_NONE
|
|
|
|
|
2014-02-28 12:16:17 +00:00
|
|
|
VIR_LOG_INIT("util.command");
|
|
|
|
|
2013-01-29 18:30:53 +00:00
|
|
|
/* Flags for virExec */
|
2011-03-23 23:42:27 +00:00
|
|
|
enum {
|
2013-01-16 10:33:17 +00:00
|
|
|
VIR_EXEC_NONE = 0,
|
|
|
|
VIR_EXEC_NONBLOCK = (1 << 0),
|
|
|
|
VIR_EXEC_DAEMON = (1 << 1),
|
2011-05-10 18:42:59 +00:00
|
|
|
VIR_EXEC_CLEAR_CAPS = (1 << 2),
|
2013-01-16 10:33:17 +00:00
|
|
|
VIR_EXEC_RUN_SYNC = (1 << 3),
|
|
|
|
VIR_EXEC_ASYNC_IO = (1 << 4),
|
2011-03-23 23:42:27 +00:00
|
|
|
};
|
|
|
|
|
2013-07-11 10:31:56 +00:00
|
|
|
typedef struct _virCommandFD virCommandFD;
|
|
|
|
typedef virCommandFD *virCommandFDPtr;
|
|
|
|
|
|
|
|
struct _virCommandFD {
|
|
|
|
int fd;
|
|
|
|
unsigned int flags;
|
|
|
|
};
|
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
struct _virCommand {
|
|
|
|
int has_error; /* ENOMEM on allocation failure, -1 for anything else. */
|
|
|
|
|
|
|
|
char **args;
|
|
|
|
size_t nargs;
|
|
|
|
size_t maxargs;
|
|
|
|
|
|
|
|
char **env;
|
|
|
|
size_t nenv;
|
|
|
|
size_t maxenv;
|
|
|
|
|
|
|
|
char *pwd;
|
|
|
|
|
2013-07-11 10:31:56 +00:00
|
|
|
size_t npassfd;
|
|
|
|
virCommandFDPtr passfd;
|
2010-05-25 11:14:06 +00:00
|
|
|
|
|
|
|
unsigned int flags;
|
|
|
|
|
|
|
|
char *inbuf;
|
|
|
|
char **outbuf;
|
|
|
|
char **errbuf;
|
|
|
|
|
|
|
|
int infd;
|
2013-02-08 14:17:44 +00:00
|
|
|
int inpipe;
|
2010-05-25 11:14:06 +00:00
|
|
|
int outfd;
|
|
|
|
int errfd;
|
|
|
|
int *outfdptr;
|
|
|
|
int *errfdptr;
|
|
|
|
|
2013-02-08 14:17:44 +00:00
|
|
|
virThreadPtr asyncioThread;
|
2013-01-16 10:33:17 +00:00
|
|
|
|
2010-11-22 13:31:35 +00:00
|
|
|
bool handshake;
|
|
|
|
int handshakeWait[2];
|
|
|
|
int handshakeNotify[2];
|
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
virExecHook hook;
|
|
|
|
void *opaque;
|
|
|
|
|
|
|
|
pid_t pid;
|
|
|
|
char *pidfile;
|
2011-03-22 22:22:37 +00:00
|
|
|
bool reap;
|
2014-02-20 00:32:19 +00:00
|
|
|
bool rawStatus;
|
2012-01-31 04:50:00 +00:00
|
|
|
|
2013-04-25 16:10:10 +00:00
|
|
|
unsigned long long maxMemLock;
|
|
|
|
unsigned int maxProcesses;
|
|
|
|
unsigned int maxFiles;
|
|
|
|
|
2013-01-30 19:47:56 +00:00
|
|
|
uid_t uid;
|
|
|
|
gid_t gid;
|
2012-01-31 04:50:00 +00:00
|
|
|
unsigned long long capabilities;
|
2013-02-01 19:32:37 +00:00
|
|
|
#if defined(WITH_SECDRIVER_SELINUX)
|
|
|
|
char *seLinuxLabel;
|
|
|
|
#endif
|
|
|
|
#if defined(WITH_SECDRIVER_APPARMOR)
|
|
|
|
char *appArmorProfile;
|
|
|
|
#endif
|
2010-05-25 11:14:06 +00:00
|
|
|
};
|
|
|
|
|
2014-01-28 18:18:43 +00:00
|
|
|
/* See virCommandSetDryRun for description for this variable */
|
|
|
|
static virBufferPtr dryRunBuffer;
|
2014-03-07 11:39:48 +00:00
|
|
|
static virCommandDryRunCallback dryRunCallback;
|
|
|
|
static void *dryRunOpaque;
|
|
|
|
static int dryRunStatus;
|
2014-01-28 18:18:43 +00:00
|
|
|
|
2012-01-03 10:29:07 +00:00
|
|
|
/*
|
|
|
|
* virCommandFDIsSet:
|
|
|
|
* @fd: FD to test
|
|
|
|
* @set: the set
|
|
|
|
* @set_size: actual size of @set
|
|
|
|
*
|
|
|
|
* Check if FD is already in @set or not.
|
|
|
|
*
|
|
|
|
* Returns true if @set contains @fd,
|
|
|
|
* false otherwise.
|
|
|
|
*/
|
|
|
|
static bool
|
2013-07-11 10:31:56 +00:00
|
|
|
virCommandFDIsSet(virCommandPtr cmd,
|
|
|
|
int fd)
|
2012-01-03 10:29:07 +00:00
|
|
|
{
|
Convert 'int i' to 'size_t i' in src/util/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 14:09:33 +00:00
|
|
|
size_t i = 0;
|
2013-07-11 10:31:56 +00:00
|
|
|
if (!cmd)
|
|
|
|
return false;
|
2012-01-03 10:29:07 +00:00
|
|
|
|
2013-07-11 10:31:56 +00:00
|
|
|
while (i < cmd->npassfd)
|
|
|
|
if (cmd->passfd[i++].fd == fd)
|
2012-01-03 10:29:07 +00:00
|
|
|
return true;
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* virCommandFDSet:
|
|
|
|
* @fd: FD to be put into @set
|
|
|
|
* @set: the set
|
|
|
|
* @set_size: actual size of @set
|
|
|
|
*
|
|
|
|
* This is practically generalized implementation
|
|
|
|
* of FD_SET() as we do not want to be limited
|
|
|
|
* by FD_SETSIZE.
|
|
|
|
*
|
|
|
|
* Returns: 0 on success,
|
|
|
|
* -1 on usage error,
|
|
|
|
* ENOMEM on OOM
|
|
|
|
*/
|
|
|
|
static int
|
2013-07-11 10:31:56 +00:00
|
|
|
virCommandFDSet(virCommandPtr cmd,
|
|
|
|
int fd,
|
|
|
|
unsigned int flags)
|
2012-01-03 10:29:07 +00:00
|
|
|
{
|
2013-07-11 10:31:56 +00:00
|
|
|
if (!cmd || fd < 0)
|
2012-01-03 10:29:07 +00:00
|
|
|
return -1;
|
|
|
|
|
2013-07-11 10:31:56 +00:00
|
|
|
if (virCommandFDIsSet(cmd, fd))
|
2012-01-03 10:29:07 +00:00
|
|
|
return 0;
|
|
|
|
|
2013-07-11 10:31:56 +00:00
|
|
|
if (VIR_EXPAND_N(cmd->passfd, cmd->npassfd, 1) < 0)
|
2012-01-03 10:29:07 +00:00
|
|
|
return ENOMEM;
|
|
|
|
|
2013-07-11 10:31:56 +00:00
|
|
|
cmd->passfd[cmd->npassfd - 1].fd = fd;
|
|
|
|
cmd->passfd[cmd->npassfd - 1].flags = flags;
|
2012-01-03 10:29:07 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2011-05-10 18:42:59 +00:00
|
|
|
|
2012-01-07 00:32:39 +00:00
|
|
|
#ifndef WIN32
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virFork:
|
|
|
|
*
|
2014-02-19 01:06:50 +00:00
|
|
|
* Wrapper around fork() that avoids various race/deadlock conditions.
|
2011-07-14 19:47:25 +00:00
|
|
|
*
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
* Like fork(), there are several return possibilities:
|
|
|
|
* 1. No child was created: the return is -1, errno is set, and an error
|
|
|
|
* message has been reported. The semantics of virWaitProcess() recognize
|
|
|
|
* this to avoid clobbering the error message from here.
|
|
|
|
* 2. This is the parent: the return is > 0. The parent can now attempt
|
|
|
|
* to interact with the child (but be aware that unlike raw fork(), the
|
|
|
|
* child may not return - some failures in the child result in this
|
|
|
|
* function calling _exit(EXIT_CANCELED) if the child cannot be set up
|
|
|
|
* correctly).
|
|
|
|
* 3. This is the child: the return is 0. If this happens, the parent
|
|
|
|
* is also guaranteed to return.
|
2011-05-10 18:42:59 +00:00
|
|
|
*/
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
pid_t
|
|
|
|
virFork(void)
|
2011-07-14 19:47:25 +00:00
|
|
|
{
|
2011-05-10 18:42:59 +00:00
|
|
|
sigset_t oldmask, newmask;
|
|
|
|
struct sigaction sig_action;
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
int saved_errno;
|
|
|
|
pid_t pid;
|
2011-05-10 18:42:59 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Need to block signals now, so that child process can safely
|
|
|
|
* kill off caller's signal handlers without a race.
|
|
|
|
*/
|
|
|
|
sigfillset(&newmask);
|
|
|
|
if (pthread_sigmask(SIG_SETMASK, &newmask, &oldmask) != 0) {
|
|
|
|
virReportSystemError(errno,
|
|
|
|
"%s", _("cannot block signals"));
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
return -1;
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Ensure we hold the logging lock, to protect child processes
|
|
|
|
* from deadlocking on another thread's inherited mutex state */
|
|
|
|
virLogLock();
|
|
|
|
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
pid = fork();
|
2011-05-10 18:42:59 +00:00
|
|
|
saved_errno = errno; /* save for caller */
|
|
|
|
|
|
|
|
/* Unlock for both parent and child process */
|
|
|
|
virLogUnlock();
|
|
|
|
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
if (pid < 0) {
|
2011-05-10 18:42:59 +00:00
|
|
|
/* attempt to restore signal mask, but ignore failure, to
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
* avoid obscuring the fork failure */
|
2012-10-17 09:23:12 +00:00
|
|
|
ignore_value(pthread_sigmask(SIG_SETMASK, &oldmask, NULL));
|
2011-05-10 18:42:59 +00:00
|
|
|
virReportSystemError(saved_errno,
|
|
|
|
"%s", _("cannot fork child process"));
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
errno = saved_errno;
|
2011-05-10 18:42:59 +00:00
|
|
|
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
} else if (pid) {
|
2011-05-10 18:42:59 +00:00
|
|
|
/* parent process */
|
|
|
|
|
|
|
|
/* Restore our original signal mask now that the child is
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
* safely running. Only documented failures are EFAULT (not
|
|
|
|
* possible, since we are using just-grabbed mask) or EINVAL
|
|
|
|
* (not possible, since we are using correct arguments). */
|
|
|
|
ignore_value(pthread_sigmask(SIG_SETMASK, &oldmask, NULL));
|
2011-05-10 18:42:59 +00:00
|
|
|
|
|
|
|
} else {
|
|
|
|
/* child process */
|
|
|
|
|
|
|
|
int logprio;
|
Convert 'int i' to 'size_t i' in src/util/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 14:09:33 +00:00
|
|
|
size_t i;
|
2011-05-10 18:42:59 +00:00
|
|
|
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
/* Remove any error callback so errors in child now get sent
|
|
|
|
* to stderr where they stand a fighting chance of being seen
|
|
|
|
* and logged */
|
2011-05-10 18:42:59 +00:00
|
|
|
virSetErrorFunc(NULL, NULL);
|
|
|
|
virSetErrorLogPriorityFunc(NULL);
|
|
|
|
|
|
|
|
/* Make sure any hook logging is sent to stderr, since child
|
|
|
|
* process may close the logfile FDs */
|
|
|
|
logprio = virLogGetDefaultPriority();
|
|
|
|
virLogReset();
|
|
|
|
virLogSetDefaultPriority(logprio);
|
|
|
|
|
|
|
|
/* Clear out all signal handlers from parent so nothing
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
* unexpected can happen in our child once we unblock
|
|
|
|
* signals */
|
2011-05-10 18:42:59 +00:00
|
|
|
sig_action.sa_handler = SIG_DFL;
|
|
|
|
sig_action.sa_flags = 0;
|
|
|
|
sigemptyset(&sig_action.sa_mask);
|
|
|
|
|
|
|
|
for (i = 1; i < NSIG; i++) {
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
/* Only possible errors are EFAULT or EINVAL The former
|
|
|
|
* won't happen, the latter we expect, so no need to check
|
|
|
|
* return value */
|
|
|
|
ignore_value(sigaction(i, &sig_action, NULL));
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
|
|
|
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
/* Unmask all signals in child, since we've no idea what the
|
|
|
|
* caller's done with their signal mask and don't want to
|
|
|
|
* propagate that to children */
|
2011-05-10 18:42:59 +00:00
|
|
|
sigemptyset(&newmask);
|
|
|
|
if (pthread_sigmask(SIG_SETMASK, &newmask, NULL) != 0) {
|
|
|
|
virReportSystemError(errno, "%s", _("cannot unblock signals"));
|
2014-02-19 01:06:50 +00:00
|
|
|
virDispatchError(NULL);
|
|
|
|
_exit(EXIT_CANCELED);
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
|
|
|
}
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
return pid;
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
|
|
|
|
2011-06-13 21:47:45 +00:00
|
|
|
/*
|
|
|
|
* Ensure that *null is an fd visiting /dev/null. Return 0 on
|
|
|
|
* success, -1 on failure. Allows for lazy opening of shared
|
|
|
|
* /dev/null fd only as required.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
getDevNull(int *null)
|
|
|
|
{
|
2011-07-12 20:56:03 +00:00
|
|
|
if (*null == -1 && (*null = open("/dev/null", O_RDWR|O_CLOEXEC)) < 0) {
|
2011-06-13 21:47:45 +00:00
|
|
|
virReportSystemError(errno,
|
|
|
|
_("cannot open %s"),
|
|
|
|
"/dev/null");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-07-12 20:56:03 +00:00
|
|
|
/* Ensure that STD is an inheritable copy of FD. Return 0 on success,
|
|
|
|
* -1 on failure. */
|
|
|
|
static int
|
|
|
|
prepareStdFd(int fd, int std)
|
|
|
|
{
|
|
|
|
if (fd == std)
|
|
|
|
return virSetInherit(fd, true);
|
|
|
|
if (dup2(fd, std) != std)
|
|
|
|
return -1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-02-15 20:13:47 +00:00
|
|
|
/* virCommandHandshakeChild:
|
|
|
|
*
|
|
|
|
* child side of handshake - called by child process in virExec() to
|
|
|
|
* indicate to parent that the child process has successfully
|
|
|
|
* completed its pre-exec initialization.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
virCommandHandshakeChild(virCommandPtr cmd)
|
|
|
|
{
|
|
|
|
char c = '1';
|
|
|
|
int rv;
|
|
|
|
|
|
|
|
if (!cmd->handshake)
|
|
|
|
return true;
|
|
|
|
|
|
|
|
VIR_DEBUG("Notifying parent for handshake start on %d",
|
|
|
|
cmd->handshakeWait[1]);
|
|
|
|
if (safewrite(cmd->handshakeWait[1], &c, sizeof(c)) != sizeof(c)) {
|
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("Unable to notify parent process"));
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
VIR_DEBUG("Waiting on parent for handshake complete on %d",
|
|
|
|
cmd->handshakeNotify[0]);
|
|
|
|
if ((rv = saferead(cmd->handshakeNotify[0], &c,
|
|
|
|
sizeof(c))) != sizeof(c)) {
|
|
|
|
if (rv < 0)
|
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("Unable to wait on parent process"));
|
|
|
|
else
|
|
|
|
virReportSystemError(EIO, "%s",
|
|
|
|
_("libvirtd quit during handshake"));
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
if (c != '1') {
|
|
|
|
virReportSystemError(EINVAL,
|
|
|
|
_("Unexpected confirm code '%c' from parent"),
|
|
|
|
c);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeWait[1]);
|
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeNotify[0]);
|
|
|
|
|
|
|
|
VIR_DEBUG("Handshake with parent is done");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-05-10 18:42:59 +00:00
|
|
|
/*
|
2013-01-29 18:47:18 +00:00
|
|
|
* virExec:
|
|
|
|
* @cmd virCommandPtr containing all information about the program to
|
|
|
|
* exec.
|
2011-05-10 18:42:59 +00:00
|
|
|
*/
|
|
|
|
static int
|
2013-01-29 18:47:18 +00:00
|
|
|
virExec(virCommandPtr cmd)
|
2011-05-10 18:42:59 +00:00
|
|
|
{
|
|
|
|
pid_t pid;
|
Convert 'int i' to 'size_t i' in src/util/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 14:09:33 +00:00
|
|
|
int null = -1, fd, openmax;
|
2013-11-19 23:00:32 +00:00
|
|
|
int pipeout[2] = {-1, -1};
|
|
|
|
int pipeerr[2] = {-1, -1};
|
2013-01-29 18:47:18 +00:00
|
|
|
int childin = cmd->infd;
|
2011-05-10 18:42:59 +00:00
|
|
|
int childout = -1;
|
|
|
|
int childerr = -1;
|
|
|
|
int tmpfd;
|
2013-09-03 11:36:22 +00:00
|
|
|
char *binarystr = NULL;
|
2011-05-10 18:42:59 +00:00
|
|
|
const char *binary = NULL;
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
int ret;
|
2013-01-29 18:30:53 +00:00
|
|
|
struct sigaction waxon, waxoff;
|
util: make virSetUIDGID async-signal-safe
https://bugzilla.redhat.com/show_bug.cgi?id=964358
POSIX states that multi-threaded apps should not use functions
that are not async-signal-safe between fork and exec, yet we
were using getpwuid_r and initgroups. Although rare, it is
possible to hit deadlock in the child, when it tries to grab
a mutex that was already held by another thread in the parent.
I actually hit this deadlock when testing multiple domains
being started in parallel with a command hook, with the following
backtrace in the child:
Thread 1 (Thread 0x7fd56bbf2700 (LWP 3212)):
#0 __lll_lock_wait ()
at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
#1 0x00007fd5761e7388 in _L_lock_854 () from /lib64/libpthread.so.0
#2 0x00007fd5761e7257 in __pthread_mutex_lock (mutex=0x7fd56be00360)
at pthread_mutex_lock.c:61
#3 0x00007fd56bbf9fc5 in _nss_files_getpwuid_r (uid=0, result=0x7fd56bbf0c70,
buffer=0x7fd55c2a65f0 "", buflen=1024, errnop=0x7fd56bbf25b8)
at nss_files/files-pwd.c:40
#4 0x00007fd575aeff1d in __getpwuid_r (uid=0, resbuf=0x7fd56bbf0c70,
buffer=0x7fd55c2a65f0 "", buflen=1024, result=0x7fd56bbf0cb0)
at ../nss/getXXbyYY_r.c:253
#5 0x00007fd578aebafc in virSetUIDGID (uid=0, gid=0) at util/virutil.c:1031
#6 0x00007fd578aebf43 in virSetUIDGIDWithCaps (uid=0, gid=0, capBits=0,
clearExistingCaps=true) at util/virutil.c:1388
#7 0x00007fd578a9a20b in virExec (cmd=0x7fd55c231f10) at util/vircommand.c:654
#8 0x00007fd578a9dfa2 in virCommandRunAsync (cmd=0x7fd55c231f10, pid=0x0)
at util/vircommand.c:2247
#9 0x00007fd578a9d74e in virCommandRun (cmd=0x7fd55c231f10, exitstatus=0x0)
at util/vircommand.c:2100
#10 0x00007fd56326fde5 in qemuProcessStart (conn=0x7fd53c000df0,
driver=0x7fd55c0dc4f0, vm=0x7fd54800b100, migrateFrom=0x0, stdin_fd=-1,
stdin_path=0x0, snapshot=0x0, vmop=VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
flags=1) at qemu/qemu_process.c:3694
...
The solution is to split the work of getpwuid_r/initgroups into the
unsafe portions (getgrouplist, called pre-fork) and safe portions
(setgroups, called post-fork).
* src/util/virutil.h (virSetUIDGID, virSetUIDGIDWithCaps): Adjust
signature.
* src/util/virutil.c (virSetUIDGID): Add parameters.
(virSetUIDGIDWithCaps): Adjust clients.
* src/util/vircommand.c (virExec): Likewise.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* src/security/security_dac.c (virSecurityDACSetProcessLabel):
Likewise.
* src/lxc/lxc_container.c (lxcContainerSetID): Likewise.
* configure.ac (AC_CHECK_FUNCS_ONCE): Check for setgroups, not
initgroups.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-05-22 02:59:10 +00:00
|
|
|
gid_t *groups = NULL;
|
|
|
|
int ngroups;
|
2011-05-10 18:42:59 +00:00
|
|
|
|
2013-01-29 18:47:18 +00:00
|
|
|
if (cmd->args[0][0] != '/') {
|
2013-09-03 11:36:22 +00:00
|
|
|
if (!(binary = binarystr = virFindFileInPath(cmd->args[0]))) {
|
2011-05-10 18:42:59 +00:00
|
|
|
virReportSystemError(ENOENT,
|
|
|
|
_("Cannot find '%s' in path"),
|
2013-01-29 18:47:18 +00:00
|
|
|
cmd->args[0]);
|
2011-05-10 18:42:59 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
} else {
|
2013-01-29 18:47:18 +00:00
|
|
|
binary = cmd->args[0];
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
|
|
|
|
2013-01-29 18:47:18 +00:00
|
|
|
if (childin < 0) {
|
2011-06-13 21:47:45 +00:00
|
|
|
if (getDevNull(&null) < 0)
|
|
|
|
goto cleanup;
|
2013-01-29 18:47:18 +00:00
|
|
|
childin = null;
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
|
|
|
|
2013-01-29 18:47:18 +00:00
|
|
|
if (cmd->outfdptr != NULL) {
|
|
|
|
if (*cmd->outfdptr == -1) {
|
2011-07-12 20:56:03 +00:00
|
|
|
if (pipe2(pipeout, O_CLOEXEC) < 0) {
|
2011-05-10 18:42:59 +00:00
|
|
|
virReportSystemError(errno,
|
|
|
|
"%s", _("cannot create pipe"));
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
2013-01-29 18:47:18 +00:00
|
|
|
if ((cmd->flags & VIR_EXEC_NONBLOCK) &&
|
2011-05-10 18:42:59 +00:00
|
|
|
virSetNonBlock(pipeout[0]) == -1) {
|
2013-01-29 18:47:18 +00:00
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("Failed to set non-blocking file descriptor flag"));
|
2011-05-10 18:42:59 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
childout = pipeout[1];
|
|
|
|
} else {
|
2013-01-29 18:47:18 +00:00
|
|
|
childout = *cmd->outfdptr;
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
|
|
|
} else {
|
2011-06-13 21:47:45 +00:00
|
|
|
if (getDevNull(&null) < 0)
|
|
|
|
goto cleanup;
|
2011-05-10 18:42:59 +00:00
|
|
|
childout = null;
|
|
|
|
}
|
|
|
|
|
2013-01-29 18:47:18 +00:00
|
|
|
if (cmd->errfdptr != NULL) {
|
|
|
|
if (cmd->errfdptr == cmd->outfdptr) {
|
2012-01-27 22:40:20 +00:00
|
|
|
childerr = childout;
|
2013-01-29 18:47:18 +00:00
|
|
|
} else if (*cmd->errfdptr == -1) {
|
2011-07-12 20:56:03 +00:00
|
|
|
if (pipe2(pipeerr, O_CLOEXEC) < 0) {
|
2011-05-10 18:42:59 +00:00
|
|
|
virReportSystemError(errno,
|
|
|
|
"%s", _("Failed to create pipe"));
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
2013-01-29 18:47:18 +00:00
|
|
|
if ((cmd->flags & VIR_EXEC_NONBLOCK) &&
|
2011-05-10 18:42:59 +00:00
|
|
|
virSetNonBlock(pipeerr[0]) == -1) {
|
2013-01-29 18:47:18 +00:00
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("Failed to set non-blocking file descriptor flag"));
|
2011-05-10 18:42:59 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
childerr = pipeerr[1];
|
|
|
|
} else {
|
2013-01-29 18:47:18 +00:00
|
|
|
childerr = *cmd->errfdptr;
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
|
|
|
} else {
|
2011-06-13 21:47:45 +00:00
|
|
|
if (getDevNull(&null) < 0)
|
|
|
|
goto cleanup;
|
2011-05-10 18:42:59 +00:00
|
|
|
childerr = null;
|
|
|
|
}
|
|
|
|
|
util: make virSetUIDGID async-signal-safe
https://bugzilla.redhat.com/show_bug.cgi?id=964358
POSIX states that multi-threaded apps should not use functions
that are not async-signal-safe between fork and exec, yet we
were using getpwuid_r and initgroups. Although rare, it is
possible to hit deadlock in the child, when it tries to grab
a mutex that was already held by another thread in the parent.
I actually hit this deadlock when testing multiple domains
being started in parallel with a command hook, with the following
backtrace in the child:
Thread 1 (Thread 0x7fd56bbf2700 (LWP 3212)):
#0 __lll_lock_wait ()
at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
#1 0x00007fd5761e7388 in _L_lock_854 () from /lib64/libpthread.so.0
#2 0x00007fd5761e7257 in __pthread_mutex_lock (mutex=0x7fd56be00360)
at pthread_mutex_lock.c:61
#3 0x00007fd56bbf9fc5 in _nss_files_getpwuid_r (uid=0, result=0x7fd56bbf0c70,
buffer=0x7fd55c2a65f0 "", buflen=1024, errnop=0x7fd56bbf25b8)
at nss_files/files-pwd.c:40
#4 0x00007fd575aeff1d in __getpwuid_r (uid=0, resbuf=0x7fd56bbf0c70,
buffer=0x7fd55c2a65f0 "", buflen=1024, result=0x7fd56bbf0cb0)
at ../nss/getXXbyYY_r.c:253
#5 0x00007fd578aebafc in virSetUIDGID (uid=0, gid=0) at util/virutil.c:1031
#6 0x00007fd578aebf43 in virSetUIDGIDWithCaps (uid=0, gid=0, capBits=0,
clearExistingCaps=true) at util/virutil.c:1388
#7 0x00007fd578a9a20b in virExec (cmd=0x7fd55c231f10) at util/vircommand.c:654
#8 0x00007fd578a9dfa2 in virCommandRunAsync (cmd=0x7fd55c231f10, pid=0x0)
at util/vircommand.c:2247
#9 0x00007fd578a9d74e in virCommandRun (cmd=0x7fd55c231f10, exitstatus=0x0)
at util/vircommand.c:2100
#10 0x00007fd56326fde5 in qemuProcessStart (conn=0x7fd53c000df0,
driver=0x7fd55c0dc4f0, vm=0x7fd54800b100, migrateFrom=0x0, stdin_fd=-1,
stdin_path=0x0, snapshot=0x0, vmop=VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
flags=1) at qemu/qemu_process.c:3694
...
The solution is to split the work of getpwuid_r/initgroups into the
unsafe portions (getgrouplist, called pre-fork) and safe portions
(setgroups, called post-fork).
* src/util/virutil.h (virSetUIDGID, virSetUIDGIDWithCaps): Adjust
signature.
* src/util/virutil.c (virSetUIDGID): Add parameters.
(virSetUIDGIDWithCaps): Adjust clients.
* src/util/vircommand.c (virExec): Likewise.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* src/security/security_dac.c (virSecurityDACSetProcessLabel):
Likewise.
* src/lxc/lxc_container.c (lxcContainerSetID): Likewise.
* configure.ac (AC_CHECK_FUNCS_ONCE): Check for setgroups, not
initgroups.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-05-22 02:59:10 +00:00
|
|
|
if ((ngroups = virGetGroupList(cmd->uid, cmd->gid, &groups)) < 0)
|
|
|
|
goto cleanup;
|
|
|
|
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
pid = virFork();
|
2011-05-10 18:42:59 +00:00
|
|
|
|
|
|
|
if (pid < 0) {
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (pid) { /* parent */
|
|
|
|
VIR_FORCE_CLOSE(null);
|
2013-01-29 18:47:18 +00:00
|
|
|
if (cmd->outfdptr && *cmd->outfdptr == -1) {
|
2011-05-10 18:42:59 +00:00
|
|
|
VIR_FORCE_CLOSE(pipeout[1]);
|
2013-01-29 18:47:18 +00:00
|
|
|
*cmd->outfdptr = pipeout[0];
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
2013-01-29 18:47:18 +00:00
|
|
|
if (cmd->errfdptr && *cmd->errfdptr == -1) {
|
2011-05-10 18:42:59 +00:00
|
|
|
VIR_FORCE_CLOSE(pipeerr[1]);
|
2013-01-29 18:47:18 +00:00
|
|
|
*cmd->errfdptr = pipeerr[0];
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
|
|
|
|
2013-01-29 18:47:18 +00:00
|
|
|
cmd->pid = pid;
|
2011-05-10 18:42:59 +00:00
|
|
|
|
2013-09-03 11:36:22 +00:00
|
|
|
VIR_FREE(binarystr);
|
util: make virSetUIDGID async-signal-safe
https://bugzilla.redhat.com/show_bug.cgi?id=964358
POSIX states that multi-threaded apps should not use functions
that are not async-signal-safe between fork and exec, yet we
were using getpwuid_r and initgroups. Although rare, it is
possible to hit deadlock in the child, when it tries to grab
a mutex that was already held by another thread in the parent.
I actually hit this deadlock when testing multiple domains
being started in parallel with a command hook, with the following
backtrace in the child:
Thread 1 (Thread 0x7fd56bbf2700 (LWP 3212)):
#0 __lll_lock_wait ()
at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
#1 0x00007fd5761e7388 in _L_lock_854 () from /lib64/libpthread.so.0
#2 0x00007fd5761e7257 in __pthread_mutex_lock (mutex=0x7fd56be00360)
at pthread_mutex_lock.c:61
#3 0x00007fd56bbf9fc5 in _nss_files_getpwuid_r (uid=0, result=0x7fd56bbf0c70,
buffer=0x7fd55c2a65f0 "", buflen=1024, errnop=0x7fd56bbf25b8)
at nss_files/files-pwd.c:40
#4 0x00007fd575aeff1d in __getpwuid_r (uid=0, resbuf=0x7fd56bbf0c70,
buffer=0x7fd55c2a65f0 "", buflen=1024, result=0x7fd56bbf0cb0)
at ../nss/getXXbyYY_r.c:253
#5 0x00007fd578aebafc in virSetUIDGID (uid=0, gid=0) at util/virutil.c:1031
#6 0x00007fd578aebf43 in virSetUIDGIDWithCaps (uid=0, gid=0, capBits=0,
clearExistingCaps=true) at util/virutil.c:1388
#7 0x00007fd578a9a20b in virExec (cmd=0x7fd55c231f10) at util/vircommand.c:654
#8 0x00007fd578a9dfa2 in virCommandRunAsync (cmd=0x7fd55c231f10, pid=0x0)
at util/vircommand.c:2247
#9 0x00007fd578a9d74e in virCommandRun (cmd=0x7fd55c231f10, exitstatus=0x0)
at util/vircommand.c:2100
#10 0x00007fd56326fde5 in qemuProcessStart (conn=0x7fd53c000df0,
driver=0x7fd55c0dc4f0, vm=0x7fd54800b100, migrateFrom=0x0, stdin_fd=-1,
stdin_path=0x0, snapshot=0x0, vmop=VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
flags=1) at qemu/qemu_process.c:3694
...
The solution is to split the work of getpwuid_r/initgroups into the
unsafe portions (getgrouplist, called pre-fork) and safe portions
(setgroups, called post-fork).
* src/util/virutil.h (virSetUIDGID, virSetUIDGIDWithCaps): Adjust
signature.
* src/util/virutil.c (virSetUIDGID): Add parameters.
(virSetUIDGIDWithCaps): Adjust clients.
* src/util/vircommand.c (virExec): Likewise.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* src/security/security_dac.c (virSecurityDACSetProcessLabel):
Likewise.
* src/lxc/lxc_container.c (lxcContainerSetID): Likewise.
* configure.ac (AC_CHECK_FUNCS_ONCE): Check for setgroups, not
initgroups.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-05-22 02:59:10 +00:00
|
|
|
VIR_FREE(groups);
|
2011-05-10 18:42:59 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* child */
|
|
|
|
|
2014-02-19 01:06:50 +00:00
|
|
|
ret = EXIT_CANCELED;
|
2011-05-10 18:42:59 +00:00
|
|
|
openmax = sysconf(_SC_OPEN_MAX);
|
2013-07-11 11:22:20 +00:00
|
|
|
if (openmax < 0) {
|
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("sysconf(_SC_OPEN_MAX) failed"));
|
|
|
|
goto fork_error;
|
|
|
|
}
|
Convert 'int i' to 'size_t i' in src/util/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 14:09:33 +00:00
|
|
|
for (fd = 3; fd < openmax; fd++) {
|
|
|
|
if (fd == childin || fd == childout || fd == childerr)
|
2011-07-12 20:56:03 +00:00
|
|
|
continue;
|
2013-07-11 10:31:56 +00:00
|
|
|
if (!virCommandFDIsSet(cmd, fd)) {
|
Convert 'int i' to 'size_t i' in src/util/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 14:09:33 +00:00
|
|
|
tmpfd = fd;
|
2012-05-30 13:54:18 +00:00
|
|
|
VIR_MASS_CLOSE(tmpfd);
|
Convert 'int i' to 'size_t i' in src/util/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 14:09:33 +00:00
|
|
|
} else if (virSetInherit(fd, true) < 0) {
|
|
|
|
virReportSystemError(errno, _("failed to preserve fd %d"), fd);
|
2011-07-12 20:56:03 +00:00
|
|
|
goto fork_error;
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
2011-07-12 20:56:03 +00:00
|
|
|
}
|
2011-05-10 18:42:59 +00:00
|
|
|
|
2013-01-29 18:47:18 +00:00
|
|
|
if (prepareStdFd(childin, STDIN_FILENO) < 0) {
|
2011-05-10 18:42:59 +00:00
|
|
|
virReportSystemError(errno,
|
|
|
|
"%s", _("failed to setup stdin file handle"));
|
|
|
|
goto fork_error;
|
|
|
|
}
|
2011-07-12 20:56:03 +00:00
|
|
|
if (childout > 0 && prepareStdFd(childout, STDOUT_FILENO) < 0) {
|
2011-05-10 18:42:59 +00:00
|
|
|
virReportSystemError(errno,
|
|
|
|
"%s", _("failed to setup stdout file handle"));
|
|
|
|
goto fork_error;
|
|
|
|
}
|
2011-07-12 20:56:03 +00:00
|
|
|
if (childerr > 0 && prepareStdFd(childerr, STDERR_FILENO) < 0) {
|
2011-05-10 18:42:59 +00:00
|
|
|
virReportSystemError(errno,
|
|
|
|
"%s", _("failed to setup stderr file handle"));
|
|
|
|
goto fork_error;
|
|
|
|
}
|
|
|
|
|
2013-01-29 18:47:18 +00:00
|
|
|
if (childin != STDIN_FILENO && childin != null &&
|
|
|
|
childin != childerr && childin != childout)
|
|
|
|
VIR_FORCE_CLOSE(childin);
|
2012-08-21 09:01:44 +00:00
|
|
|
if (childout > STDERR_FILENO && childout != null && childout != childerr)
|
|
|
|
VIR_FORCE_CLOSE(childout);
|
|
|
|
if (childerr > STDERR_FILENO && childerr != null)
|
2011-05-10 18:42:59 +00:00
|
|
|
VIR_FORCE_CLOSE(childerr);
|
2011-06-13 21:47:45 +00:00
|
|
|
VIR_FORCE_CLOSE(null);
|
2011-05-10 18:42:59 +00:00
|
|
|
|
|
|
|
/* Initialize full logging for a while */
|
|
|
|
virLogSetFromEnv();
|
|
|
|
|
|
|
|
/* Daemonize as late as possible, so the parent process can detect
|
|
|
|
* the above errors with wait* */
|
2013-01-29 18:47:18 +00:00
|
|
|
if (cmd->flags & VIR_EXEC_DAEMON) {
|
2011-05-10 18:42:59 +00:00
|
|
|
if (setsid() < 0) {
|
|
|
|
virReportSystemError(errno,
|
|
|
|
"%s", _("cannot become session leader"));
|
|
|
|
goto fork_error;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (chdir("/") < 0) {
|
|
|
|
virReportSystemError(errno,
|
|
|
|
"%s", _("cannot change to root directory"));
|
|
|
|
goto fork_error;
|
|
|
|
}
|
|
|
|
|
|
|
|
pid = fork();
|
|
|
|
if (pid < 0) {
|
|
|
|
virReportSystemError(errno,
|
|
|
|
"%s", _("cannot fork child process"));
|
|
|
|
goto fork_error;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (pid > 0) {
|
2013-01-29 18:47:18 +00:00
|
|
|
if (cmd->pidfile && (virPidFileWritePath(cmd->pidfile, pid) < 0)) {
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
if (virProcessKillPainfully(pid, true) >= 0)
|
|
|
|
virReportSystemError(errno,
|
|
|
|
_("could not write pidfile %s for %d"),
|
|
|
|
cmd->pidfile, pid);
|
2011-05-10 18:42:59 +00:00
|
|
|
goto fork_error;
|
|
|
|
}
|
2014-02-19 01:06:50 +00:00
|
|
|
_exit(EXIT_SUCCESS);
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-01-29 18:30:53 +00:00
|
|
|
/* virFork reset all signal handlers to the defaults.
|
|
|
|
* This is good for the child process, but our hook
|
|
|
|
* risks running something that generates SIGPIPE,
|
|
|
|
* so we need to temporarily block that again
|
|
|
|
*/
|
|
|
|
memset(&waxoff, 0, sizeof(waxoff));
|
|
|
|
waxoff.sa_handler = SIG_IGN;
|
|
|
|
sigemptyset(&waxoff.sa_mask);
|
|
|
|
memset(&waxon, 0, sizeof(waxon));
|
|
|
|
if (sigaction(SIGPIPE, &waxoff, &waxon) < 0) {
|
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("Could not disable SIGPIPE"));
|
|
|
|
goto fork_error;
|
|
|
|
}
|
2011-05-10 18:42:59 +00:00
|
|
|
|
2013-04-25 16:10:10 +00:00
|
|
|
if (virProcessSetMaxMemLock(0, cmd->maxMemLock) < 0)
|
|
|
|
goto fork_error;
|
|
|
|
if (virProcessSetMaxProcesses(0, cmd->maxProcesses) < 0)
|
|
|
|
goto fork_error;
|
|
|
|
if (virProcessSetMaxFiles(0, cmd->maxFiles) < 0)
|
|
|
|
goto fork_error;
|
|
|
|
|
2013-01-30 03:04:49 +00:00
|
|
|
if (cmd->hook) {
|
|
|
|
VIR_DEBUG("Run hook %p %p", cmd->hook, cmd->opaque);
|
|
|
|
ret = cmd->hook(cmd->opaque);
|
|
|
|
VIR_DEBUG("Done hook %d", ret);
|
|
|
|
if (ret < 0)
|
|
|
|
goto fork_error;
|
2013-01-29 18:30:53 +00:00
|
|
|
}
|
2011-05-10 18:42:59 +00:00
|
|
|
|
2013-02-01 19:32:37 +00:00
|
|
|
# if defined(WITH_SECDRIVER_SELINUX)
|
|
|
|
if (cmd->seLinuxLabel) {
|
|
|
|
VIR_DEBUG("Setting child security label to %s", cmd->seLinuxLabel);
|
|
|
|
if (setexeccon_raw(cmd->seLinuxLabel) == -1) {
|
|
|
|
virReportSystemError(errno,
|
|
|
|
_("unable to set SELinux security context "
|
|
|
|
"'%s' for '%s'"),
|
|
|
|
cmd->seLinuxLabel, cmd->args[0]);
|
|
|
|
if (security_getenforce() == 1)
|
|
|
|
goto fork_error;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
# endif
|
|
|
|
# if defined(WITH_SECDRIVER_APPARMOR)
|
|
|
|
if (cmd->appArmorProfile) {
|
|
|
|
VIR_DEBUG("Setting child AppArmor profile to %s", cmd->appArmorProfile);
|
|
|
|
if (aa_change_profile(cmd->appArmorProfile) < 0) {
|
|
|
|
virReportSystemError(errno,
|
|
|
|
_("unable to set AppArmor profile '%s' "
|
|
|
|
"for '%s'"),
|
|
|
|
cmd->appArmorProfile, cmd->args[0]);
|
|
|
|
goto fork_error;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
# endif
|
|
|
|
|
util: maintain caps when running command with uid != 0
virCommand was previously calling virSetUIDGID() to change the uid and
gid of the child process, then separately calling
virSetCapabilities(). This did not work if the desired uid was != 0,
since a setuid to anything other than 0 normally clears all
capabilities bits.
The solution is to use the new virSetUIDGIDWithCaps(), sending it the
uid, gid, and capabilities bits. This will get the new process setup
properly.
Since the static functions virSetCapabilities() and
virClearCapabilities are no longer called, they have been removed.
NOTE: When combined with "filecap $path-to-qemu sys_rawio", this patch
will make CAP_SYS_RAWIO (which is required for passthrough of generic
scsi commands to a guest - see commits e8daeeb, 177db08, 397e6a7, and
74e0349) be retained by qemu when necessary. Apparently that
capability has been broken for non-root qemu ever since it was
originally added.
2013-02-07 16:45:27 +00:00
|
|
|
/* The steps above may need to do something privileged, so we delay
|
|
|
|
* setuid and clearing capabilities until the last minute.
|
|
|
|
*/
|
|
|
|
if (cmd->uid != (uid_t)-1 || cmd->gid != (gid_t)-1 ||
|
|
|
|
cmd->capabilities || (cmd->flags & VIR_EXEC_CLEAR_CAPS)) {
|
|
|
|
VIR_DEBUG("Setting child uid:gid to %d:%d with caps %llx",
|
|
|
|
(int)cmd->uid, (int)cmd->gid, cmd->capabilities);
|
util: make virSetUIDGID async-signal-safe
https://bugzilla.redhat.com/show_bug.cgi?id=964358
POSIX states that multi-threaded apps should not use functions
that are not async-signal-safe between fork and exec, yet we
were using getpwuid_r and initgroups. Although rare, it is
possible to hit deadlock in the child, when it tries to grab
a mutex that was already held by another thread in the parent.
I actually hit this deadlock when testing multiple domains
being started in parallel with a command hook, with the following
backtrace in the child:
Thread 1 (Thread 0x7fd56bbf2700 (LWP 3212)):
#0 __lll_lock_wait ()
at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
#1 0x00007fd5761e7388 in _L_lock_854 () from /lib64/libpthread.so.0
#2 0x00007fd5761e7257 in __pthread_mutex_lock (mutex=0x7fd56be00360)
at pthread_mutex_lock.c:61
#3 0x00007fd56bbf9fc5 in _nss_files_getpwuid_r (uid=0, result=0x7fd56bbf0c70,
buffer=0x7fd55c2a65f0 "", buflen=1024, errnop=0x7fd56bbf25b8)
at nss_files/files-pwd.c:40
#4 0x00007fd575aeff1d in __getpwuid_r (uid=0, resbuf=0x7fd56bbf0c70,
buffer=0x7fd55c2a65f0 "", buflen=1024, result=0x7fd56bbf0cb0)
at ../nss/getXXbyYY_r.c:253
#5 0x00007fd578aebafc in virSetUIDGID (uid=0, gid=0) at util/virutil.c:1031
#6 0x00007fd578aebf43 in virSetUIDGIDWithCaps (uid=0, gid=0, capBits=0,
clearExistingCaps=true) at util/virutil.c:1388
#7 0x00007fd578a9a20b in virExec (cmd=0x7fd55c231f10) at util/vircommand.c:654
#8 0x00007fd578a9dfa2 in virCommandRunAsync (cmd=0x7fd55c231f10, pid=0x0)
at util/vircommand.c:2247
#9 0x00007fd578a9d74e in virCommandRun (cmd=0x7fd55c231f10, exitstatus=0x0)
at util/vircommand.c:2100
#10 0x00007fd56326fde5 in qemuProcessStart (conn=0x7fd53c000df0,
driver=0x7fd55c0dc4f0, vm=0x7fd54800b100, migrateFrom=0x0, stdin_fd=-1,
stdin_path=0x0, snapshot=0x0, vmop=VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
flags=1) at qemu/qemu_process.c:3694
...
The solution is to split the work of getpwuid_r/initgroups into the
unsafe portions (getgrouplist, called pre-fork) and safe portions
(setgroups, called post-fork).
* src/util/virutil.h (virSetUIDGID, virSetUIDGIDWithCaps): Adjust
signature.
* src/util/virutil.c (virSetUIDGID): Add parameters.
(virSetUIDGIDWithCaps): Adjust clients.
* src/util/vircommand.c (virExec): Likewise.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* src/security/security_dac.c (virSecurityDACSetProcessLabel):
Likewise.
* src/lxc/lxc_container.c (lxcContainerSetID): Likewise.
* configure.ac (AC_CHECK_FUNCS_ONCE): Check for setgroups, not
initgroups.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-05-22 02:59:10 +00:00
|
|
|
if (virSetUIDGIDWithCaps(cmd->uid, cmd->gid, groups, ngroups,
|
|
|
|
cmd->capabilities,
|
2013-03-13 19:26:35 +00:00
|
|
|
!!(cmd->flags & VIR_EXEC_CLEAR_CAPS)) < 0) {
|
2013-01-30 19:47:56 +00:00
|
|
|
goto fork_error;
|
2013-03-13 19:26:35 +00:00
|
|
|
}
|
2013-01-30 19:47:56 +00:00
|
|
|
}
|
|
|
|
|
2013-01-30 03:04:49 +00:00
|
|
|
if (cmd->pwd) {
|
|
|
|
VIR_DEBUG("Running child in %s", cmd->pwd);
|
|
|
|
if (chdir(cmd->pwd) < 0) {
|
|
|
|
virReportSystemError(errno,
|
|
|
|
_("Unable to change to %s"), cmd->pwd);
|
|
|
|
goto fork_error;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (virCommandHandshakeChild(cmd) < 0)
|
|
|
|
goto fork_error;
|
|
|
|
|
2013-01-29 18:30:53 +00:00
|
|
|
if (sigaction(SIGPIPE, &waxon, NULL) < 0) {
|
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("Could not re-enable SIGPIPE"));
|
|
|
|
goto fork_error;
|
2011-05-10 18:42:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Close logging again to ensure no FDs leak to child */
|
|
|
|
virLogReset();
|
|
|
|
|
2013-01-29 18:47:18 +00:00
|
|
|
if (cmd->env)
|
|
|
|
execve(binary, cmd->args, cmd->env);
|
2011-05-10 18:42:59 +00:00
|
|
|
else
|
2013-01-29 18:47:18 +00:00
|
|
|
execv(binary, cmd->args);
|
2011-05-10 18:42:59 +00:00
|
|
|
|
2014-02-19 01:06:50 +00:00
|
|
|
ret = errno == ENOENT ? EXIT_ENOENT : EXIT_CANNOT_INVOKE;
|
2011-05-10 18:42:59 +00:00
|
|
|
virReportSystemError(errno,
|
|
|
|
_("cannot execute binary %s"),
|
2013-01-29 18:47:18 +00:00
|
|
|
cmd->args[0]);
|
2011-05-10 18:42:59 +00:00
|
|
|
|
|
|
|
fork_error:
|
|
|
|
virDispatchError(NULL);
|
2014-02-19 01:06:50 +00:00
|
|
|
_exit(ret);
|
2011-05-10 18:42:59 +00:00
|
|
|
|
|
|
|
cleanup:
|
|
|
|
/* This is cleanup of parent process only - child
|
|
|
|
should never jump here on error */
|
|
|
|
|
util: make virSetUIDGID async-signal-safe
https://bugzilla.redhat.com/show_bug.cgi?id=964358
POSIX states that multi-threaded apps should not use functions
that are not async-signal-safe between fork and exec, yet we
were using getpwuid_r and initgroups. Although rare, it is
possible to hit deadlock in the child, when it tries to grab
a mutex that was already held by another thread in the parent.
I actually hit this deadlock when testing multiple domains
being started in parallel with a command hook, with the following
backtrace in the child:
Thread 1 (Thread 0x7fd56bbf2700 (LWP 3212)):
#0 __lll_lock_wait ()
at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
#1 0x00007fd5761e7388 in _L_lock_854 () from /lib64/libpthread.so.0
#2 0x00007fd5761e7257 in __pthread_mutex_lock (mutex=0x7fd56be00360)
at pthread_mutex_lock.c:61
#3 0x00007fd56bbf9fc5 in _nss_files_getpwuid_r (uid=0, result=0x7fd56bbf0c70,
buffer=0x7fd55c2a65f0 "", buflen=1024, errnop=0x7fd56bbf25b8)
at nss_files/files-pwd.c:40
#4 0x00007fd575aeff1d in __getpwuid_r (uid=0, resbuf=0x7fd56bbf0c70,
buffer=0x7fd55c2a65f0 "", buflen=1024, result=0x7fd56bbf0cb0)
at ../nss/getXXbyYY_r.c:253
#5 0x00007fd578aebafc in virSetUIDGID (uid=0, gid=0) at util/virutil.c:1031
#6 0x00007fd578aebf43 in virSetUIDGIDWithCaps (uid=0, gid=0, capBits=0,
clearExistingCaps=true) at util/virutil.c:1388
#7 0x00007fd578a9a20b in virExec (cmd=0x7fd55c231f10) at util/vircommand.c:654
#8 0x00007fd578a9dfa2 in virCommandRunAsync (cmd=0x7fd55c231f10, pid=0x0)
at util/vircommand.c:2247
#9 0x00007fd578a9d74e in virCommandRun (cmd=0x7fd55c231f10, exitstatus=0x0)
at util/vircommand.c:2100
#10 0x00007fd56326fde5 in qemuProcessStart (conn=0x7fd53c000df0,
driver=0x7fd55c0dc4f0, vm=0x7fd54800b100, migrateFrom=0x0, stdin_fd=-1,
stdin_path=0x0, snapshot=0x0, vmop=VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
flags=1) at qemu/qemu_process.c:3694
...
The solution is to split the work of getpwuid_r/initgroups into the
unsafe portions (getgrouplist, called pre-fork) and safe portions
(setgroups, called post-fork).
* src/util/virutil.h (virSetUIDGID, virSetUIDGIDWithCaps): Adjust
signature.
* src/util/virutil.c (virSetUIDGID): Add parameters.
(virSetUIDGIDWithCaps): Adjust clients.
* src/util/vircommand.c (virExec): Likewise.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* src/security/security_dac.c (virSecurityDACSetProcessLabel):
Likewise.
* src/lxc/lxc_container.c (lxcContainerSetID): Likewise.
* configure.ac (AC_CHECK_FUNCS_ONCE): Check for setgroups, not
initgroups.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-05-22 02:59:10 +00:00
|
|
|
VIR_FREE(groups);
|
2013-09-03 11:36:22 +00:00
|
|
|
VIR_FREE(binarystr);
|
2011-05-10 18:42:59 +00:00
|
|
|
|
2012-07-18 10:26:24 +00:00
|
|
|
/* NB we don't virReportError() on any failures here
|
|
|
|
because the code which jumped here already raised
|
2011-05-10 18:42:59 +00:00
|
|
|
an error condition which we must not overwrite */
|
|
|
|
VIR_FORCE_CLOSE(pipeerr[0]);
|
|
|
|
VIR_FORCE_CLOSE(pipeerr[1]);
|
|
|
|
VIR_FORCE_CLOSE(pipeout[0]);
|
|
|
|
VIR_FORCE_CLOSE(pipeout[1]);
|
|
|
|
VIR_FORCE_CLOSE(null);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2011-07-14 19:47:25 +00:00
|
|
|
* virRun:
|
2011-05-10 18:42:59 +00:00
|
|
|
* @argv NULL terminated argv to run
|
|
|
|
* @status optional variable to return exit status in
|
|
|
|
*
|
|
|
|
* Run a command without using the shell.
|
|
|
|
*
|
|
|
|
* If status is NULL, then return 0 if the command run and
|
|
|
|
* exited with 0 status; Otherwise return -1
|
|
|
|
*
|
|
|
|
* If status is not-NULL, then return 0 if the command ran.
|
|
|
|
* The status variable is filled with the command exit status
|
|
|
|
* and should be checked by caller for success. Return -1
|
|
|
|
* only if the command could not be run.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
virRun(const char *const*argv, int *status)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
virCommandPtr cmd = virCommandNewArgs(argv);
|
|
|
|
|
|
|
|
ret = virCommandRun(cmd, status);
|
|
|
|
virCommandFree(cmd);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
#else /* WIN32 */
|
|
|
|
|
|
|
|
int
|
|
|
|
virRun(const char *const *argv ATTRIBUTE_UNUSED,
|
|
|
|
int *status)
|
|
|
|
{
|
|
|
|
if (status)
|
|
|
|
*status = ENOTSUP;
|
|
|
|
else
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
"%s", _("virRun is not implemented for WIN32"));
|
2011-05-10 18:42:59 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2013-01-29 18:47:18 +00:00
|
|
|
virExec(virCommandPtr cmd ATTRIBUTE_UNUSED)
|
2011-05-10 18:42:59 +00:00
|
|
|
{
|
|
|
|
/* XXX: Some day we can implement pieces of virCommand/virExec on
|
|
|
|
* top of _spawn() or CreateProcess(), but we can't implement
|
|
|
|
* everything, since mingw completely lacks fork(), so we cannot
|
2013-01-29 18:30:53 +00:00
|
|
|
* run our own code in the child process. */
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
"%s", _("virExec is not implemented for WIN32"));
|
2011-05-10 18:42:59 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
virFork: simplify semantics
The old semantics of virFork() violates the priciple of good
usability: it requires the caller to check the pid argument
after use, *even when virFork returned -1*, in order to properly
abort a child process that failed setup done immediately after
fork() - that is, the caller must call _exit() in the child.
While uses in virfile.c did this correctly, uses in 'virsh
lxc-enter-namespace' and 'virt-login-shell' would happily return
from the calling function in both the child and the parent,
leading to very confusing results. [Thankfully, I found the
problem by inspection, and can't actually trigger the double
return on error without an LD_PRELOAD library.]
It is much better if the semantics of virFork are impossible
to abuse. Looking at virFork(), the parent could only ever
return -1 with a non-negative pid if it misused pthread_sigmask,
but this never happens. Up until this patch series, the child
could return -1 with non-negative pid if it fails to set up
signals correctly, but we recently fixed that to make the child
call _exit() at that point instead of forcing the caller to do
it. Thus, the return value and contents of the pid argument are
now redundant (a -1 return now happens only for failure to fork,
a child 0 return only happens for a successful 0 pid, and a
parent 0 return only happens for a successful non-zero pid),
so we might as well return the pid directly rather than an
integer of whether it succeeded or failed; this is also good
from the interface design perspective as users are already
familiar with fork() semantics.
One last change in this patch: before returning the pid directly,
I found cases where using virProcessWait unconditionally on a
cleanup path of a virFork's -1 pid return would be nicer if there
were a way to avoid it overwriting an earlier message. While
such paths are a bit harder to come by with my change to a direct
pid return, I decided to keep the virProcessWait change in this
patch.
* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only
return on success, to simplify callers. Return pid rather than
status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid
is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2013-12-22 00:54:33 +00:00
|
|
|
pid_t
|
|
|
|
virFork(void)
|
2011-05-10 18:42:59 +00:00
|
|
|
{
|
|
|
|
errno = ENOTSUP;
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* WIN32 */
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandNew:
|
|
|
|
* @binary: program to run
|
|
|
|
*
|
|
|
|
* Create a new command for named binary. If @binary is relative,
|
|
|
|
* it will be found via a PATH search of the parent's PATH (and not
|
|
|
|
* any altered PATH set by virCommandAddEnv* commands).
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
virCommandPtr
|
|
|
|
virCommandNew(const char *binary)
|
|
|
|
{
|
|
|
|
const char *const args[] = { binary, NULL };
|
|
|
|
|
|
|
|
return virCommandNewArgs(args);
|
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandNewArgs:
|
|
|
|
* @args: array of arguments
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Create a new command with a NULL terminated
|
2011-07-14 19:47:25 +00:00
|
|
|
* set of args, taking binary from args[0]. More arguments can
|
|
|
|
* be added later. @args[0] is handled like @binary of virCommandNew.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
virCommandPtr
|
|
|
|
virCommandNewArgs(const char *const*args)
|
|
|
|
{
|
|
|
|
virCommandPtr cmd;
|
|
|
|
|
|
|
|
if (VIR_ALLOC(cmd) < 0)
|
|
|
|
return NULL;
|
|
|
|
|
2010-11-22 13:31:35 +00:00
|
|
|
cmd->handshakeWait[0] = -1;
|
|
|
|
cmd->handshakeWait[1] = -1;
|
|
|
|
cmd->handshakeNotify[0] = -1;
|
|
|
|
cmd->handshakeNotify[1] = -1;
|
|
|
|
|
2013-02-08 14:17:44 +00:00
|
|
|
cmd->infd = cmd->inpipe = cmd->outfd = cmd->errfd = -1;
|
2010-05-25 11:14:06 +00:00
|
|
|
cmd->pid = -1;
|
2013-01-30 19:47:56 +00:00
|
|
|
cmd->uid = -1;
|
|
|
|
cmd->gid = -1;
|
2010-05-25 11:14:06 +00:00
|
|
|
|
|
|
|
virCommandAddArgSet(cmd, args);
|
|
|
|
|
|
|
|
return cmd;
|
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandNewArgList:
|
|
|
|
* @binary: program to run
|
|
|
|
* @...: additional arguments
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Create a new command with a NULL terminated
|
2011-07-14 19:47:25 +00:00
|
|
|
* list of args, starting with the binary to run. More arguments can
|
|
|
|
* be added later. @binary is handled as in virCommandNew.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
virCommandPtr
|
|
|
|
virCommandNewArgList(const char *binary, ...)
|
|
|
|
{
|
|
|
|
virCommandPtr cmd = virCommandNew(binary);
|
|
|
|
va_list list;
|
|
|
|
const char *arg;
|
|
|
|
|
|
|
|
if (!cmd || cmd->has_error)
|
2011-06-02 21:50:11 +00:00
|
|
|
return cmd;
|
2010-05-25 11:14:06 +00:00
|
|
|
|
|
|
|
va_start(list, binary);
|
|
|
|
while ((arg = va_arg(list, const char *)) != NULL)
|
|
|
|
virCommandAddArg(cmd, arg);
|
|
|
|
va_end(list);
|
|
|
|
return cmd;
|
|
|
|
}
|
|
|
|
|
2012-07-31 18:56:06 +00:00
|
|
|
/**
|
|
|
|
* virCommandNewVAList:
|
|
|
|
* @binary: program to run
|
|
|
|
* @va_list: additional arguments
|
|
|
|
*
|
|
|
|
* Create a new command with a NULL terminated
|
|
|
|
* variable argument list. @binary is handled as in virCommandNew.
|
|
|
|
*/
|
|
|
|
virCommandPtr
|
|
|
|
virCommandNewVAList(const char *binary, va_list list)
|
|
|
|
{
|
|
|
|
virCommandPtr cmd = virCommandNew(binary);
|
|
|
|
const char *arg;
|
|
|
|
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return cmd;
|
|
|
|
|
|
|
|
while ((arg = va_arg(list, const char *)) != NULL)
|
|
|
|
virCommandAddArg(cmd, arg);
|
|
|
|
return cmd;
|
|
|
|
}
|
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2013-07-11 10:31:56 +00:00
|
|
|
#define VIR_COMMAND_MAYBE_CLOSE_FD(fd, flags) \
|
|
|
|
if ((fd > STDERR_FILENO) && \
|
|
|
|
(flags & VIR_COMMAND_PASS_FD_CLOSE_PARENT)) \
|
|
|
|
VIR_FORCE_CLOSE(fd)
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
2013-07-11 10:31:56 +00:00
|
|
|
* virCommandPassFD:
|
2011-07-14 19:47:25 +00:00
|
|
|
* @cmd: the command to modify
|
|
|
|
* @fd: fd to reassign to the child
|
2013-07-11 10:31:56 +00:00
|
|
|
* @flags: the flags
|
2011-07-14 19:47:25 +00:00
|
|
|
*
|
2013-07-11 10:31:56 +00:00
|
|
|
* Transfer the specified file descriptor to the child, instead
|
|
|
|
* of closing it on exec. @fd must not be one of the three
|
|
|
|
* standard streams.
|
|
|
|
*
|
|
|
|
* If the flag VIR_COMMAND_PASS_FD_CLOSE_PARENT is set then fd will
|
|
|
|
* be closed in the parent no later than Run/RunAsync/Free. The parent
|
|
|
|
* should cease using the @fd when this call completes
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
2013-07-11 10:31:56 +00:00
|
|
|
virCommandPassFD(virCommandPtr cmd, int fd, unsigned int flags)
|
2010-05-25 11:14:06 +00:00
|
|
|
{
|
2013-07-11 10:31:56 +00:00
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
if (!cmd) {
|
|
|
|
VIR_COMMAND_MAYBE_CLOSE_FD(fd, flags);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (fd <= STDERR_FILENO) {
|
|
|
|
VIR_DEBUG("invalid fd %d", fd);
|
|
|
|
VIR_COMMAND_MAYBE_CLOSE_FD(fd, flags);
|
|
|
|
if (!cmd->has_error)
|
|
|
|
cmd->has_error = -1;
|
|
|
|
return;
|
|
|
|
}
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2013-07-11 10:31:56 +00:00
|
|
|
if ((ret = virCommandFDSet(cmd, fd, flags)) != 0) {
|
|
|
|
if (!cmd->has_error)
|
|
|
|
cmd->has_error = ret;
|
|
|
|
VIR_DEBUG("cannot preserve %d", fd);
|
|
|
|
VIR_COMMAND_MAYBE_CLOSE_FD(fd, flags);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandSetPidFile:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @pidfile: filename to use
|
|
|
|
*
|
|
|
|
* Save the child PID in a pidfile. The pidfile will be populated
|
|
|
|
* before the exec of the child.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandSetPidFile(virCommandPtr cmd, const char *pidfile)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
VIR_FREE(cmd->pidfile);
|
2013-05-24 07:19:51 +00:00
|
|
|
if (VIR_STRDUP_QUIET(cmd->pidfile, pidfile) < 0)
|
2010-05-25 11:14:06 +00:00
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-01-30 19:47:56 +00:00
|
|
|
void
|
|
|
|
virCommandSetGID(virCommandPtr cmd, gid_t gid)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
cmd->gid = gid;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
virCommandSetUID(virCommandPtr cmd, uid_t uid)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
cmd->uid = uid;
|
|
|
|
}
|
|
|
|
|
2013-04-25 16:10:10 +00:00
|
|
|
void
|
|
|
|
virCommandSetMaxMemLock(virCommandPtr cmd, unsigned long long bytes)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
cmd->maxMemLock = bytes;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
virCommandSetMaxProcesses(virCommandPtr cmd, unsigned int procs)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
cmd->maxProcesses = procs;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
virCommandSetMaxFiles(virCommandPtr cmd, unsigned int files)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
cmd->maxFiles = files;
|
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandClearCaps:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
*
|
|
|
|
* Remove all capabilities from the child, after any hooks have been run.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandClearCaps(virCommandPtr cmd)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
cmd->flags |= VIR_EXEC_CLEAR_CAPS;
|
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAllowCap:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @capability: what to allow
|
|
|
|
*
|
2012-01-31 04:50:00 +00:00
|
|
|
* Allow specific capabilities
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAllowCap(virCommandPtr cmd,
|
2012-01-31 04:50:00 +00:00
|
|
|
int capability)
|
2010-05-25 11:14:06 +00:00
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
2012-01-31 04:50:00 +00:00
|
|
|
cmd->capabilities |= (1ULL << capability);
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-02-01 19:32:37 +00:00
|
|
|
/**
|
|
|
|
* virCommandSetSELinuxLabel:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @label: the SELinux label to use for the child process
|
|
|
|
*
|
|
|
|
* Saves a copy of @label to use when setting the SELinux context
|
|
|
|
* label (with setexeccon_raw()) after the child process has been
|
|
|
|
* started. If SELinux isn't compiled into libvirt, or if label is
|
|
|
|
* NULL, nothing will be done.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandSetSELinuxLabel(virCommandPtr cmd,
|
|
|
|
const char *label ATTRIBUTE_UNUSED)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
#if defined(WITH_SECDRIVER_SELINUX)
|
|
|
|
VIR_FREE(cmd->seLinuxLabel);
|
2013-05-24 07:19:51 +00:00
|
|
|
if (VIR_STRDUP_QUIET(cmd->seLinuxLabel, label) < 0)
|
2013-02-01 19:32:37 +00:00
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
#endif
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* virCommandSetAppArmorProfile:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @profile: the AppArmor profile to use
|
|
|
|
*
|
|
|
|
* Saves a copy of @profile to use when aa_change_profile() after the
|
|
|
|
* child process has been started. If AppArmor support isn't
|
|
|
|
* configured into libvirt, or if profile is NULL, nothing will be done.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandSetAppArmorProfile(virCommandPtr cmd,
|
|
|
|
const char *profile ATTRIBUTE_UNUSED)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
#if defined(WITH_SECDRIVER_APPARMOR)
|
|
|
|
VIR_FREE(cmd->appArmorProfile);
|
2013-05-24 07:19:51 +00:00
|
|
|
if (VIR_STRDUP_QUIET(cmd->appArmorProfile, profile) < 0)
|
2013-02-01 19:32:37 +00:00
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
#endif
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandDaemonize:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
*
|
|
|
|
* Daemonize the child process. The child will have a current working
|
|
|
|
* directory of /, and must be started with virCommandRun, which will
|
|
|
|
* complete as soon as the daemon grandchild has started.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandDaemonize(virCommandPtr cmd)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
cmd->flags |= VIR_EXEC_DAEMON;
|
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandNonblockingFDs:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Set FDs created by virCommandSetOutputFD and virCommandSetErrorFD
|
|
|
|
* as non-blocking in the parent.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandNonblockingFDs(virCommandPtr cmd)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
cmd->flags |= VIR_EXEC_NONBLOCK;
|
|
|
|
}
|
|
|
|
|
2014-02-20 00:32:19 +00:00
|
|
|
/**
|
|
|
|
* virCommandRawStatus:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
*
|
|
|
|
* Mark this command as returning raw exit status via virCommandRun() or
|
|
|
|
* virCommandWait() (caller must use WIFEXITED() and friends, and can
|
|
|
|
* detect death from signals) instead of the default of only allowing
|
|
|
|
* normal exit status (caller must not use WEXITSTATUS(), and death from
|
|
|
|
* signals returns -1).
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandRawStatus(virCommandPtr cmd)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
cmd->rawStatus = true;
|
|
|
|
}
|
|
|
|
|
2012-09-24 16:30:18 +00:00
|
|
|
/* Add an environment variable to the cmd->env list. 'env' is a
|
2012-09-24 16:35:47 +00:00
|
|
|
* string like "name=value". If the named environment variable is
|
|
|
|
* already set, then it is replaced in the list.
|
2012-09-24 16:30:18 +00:00
|
|
|
*/
|
|
|
|
static inline void
|
|
|
|
virCommandAddEnv(virCommandPtr cmd, char *env)
|
|
|
|
{
|
2012-09-24 16:35:47 +00:00
|
|
|
size_t namelen;
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
/* Search for the name in the existing environment. */
|
|
|
|
namelen = strcspn(env, "=");
|
|
|
|
for (i = 0; i < cmd->nenv; ++i) {
|
|
|
|
/* + 1 because we want to match the '=' character too. */
|
|
|
|
if (STREQLEN(cmd->env[i], env, namelen + 1)) {
|
|
|
|
VIR_FREE(cmd->env[i]);
|
|
|
|
cmd->env[i] = env;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-09-24 16:30:18 +00:00
|
|
|
/* Arg plus trailing NULL. */
|
|
|
|
if (VIR_RESIZE_N(cmd->env, cmd->maxenv, cmd->nenv, 1 + 1) < 0) {
|
|
|
|
VIR_FREE(env);
|
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
cmd->env[cmd->nenv++] = env;
|
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAddEnvFormat:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @format: format of arguments, end result must be in name=value format
|
|
|
|
* @...: arguments to be formatted
|
|
|
|
*
|
|
|
|
* Add an environment variable to the child created by a printf-style format.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
2011-05-05 20:32:52 +00:00
|
|
|
virCommandAddEnvFormat(virCommandPtr cmd, const char *format, ...)
|
2010-05-25 11:14:06 +00:00
|
|
|
{
|
|
|
|
char *env;
|
2011-05-05 20:32:52 +00:00
|
|
|
va_list list;
|
2010-05-25 11:14:06 +00:00
|
|
|
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
2011-05-05 20:32:52 +00:00
|
|
|
va_start(list, format);
|
|
|
|
if (virVasprintf(&env, format, list) < 0) {
|
2010-05-25 11:14:06 +00:00
|
|
|
cmd->has_error = ENOMEM;
|
2011-05-05 20:32:52 +00:00
|
|
|
va_end(list);
|
2010-05-25 11:14:06 +00:00
|
|
|
return;
|
|
|
|
}
|
2011-05-05 20:32:52 +00:00
|
|
|
va_end(list);
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2012-09-24 16:30:18 +00:00
|
|
|
virCommandAddEnv(cmd, env);
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAddEnvPair:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @name: variable name, must not contain =
|
|
|
|
* @value: value to assign to name
|
|
|
|
*
|
2011-05-05 20:32:52 +00:00
|
|
|
* Add an environment variable to the child
|
|
|
|
* using separate name & value strings
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAddEnvPair(virCommandPtr cmd, const char *name, const char *value)
|
|
|
|
{
|
|
|
|
virCommandAddEnvFormat(cmd, "%s=%s", name, value);
|
|
|
|
}
|
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAddEnvString:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @str: name=value format
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Add an environment variable to the child
|
|
|
|
* using a preformatted env string FOO=BAR
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAddEnvString(virCommandPtr cmd, const char *str)
|
|
|
|
{
|
|
|
|
char *env;
|
|
|
|
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
2013-05-24 07:19:51 +00:00
|
|
|
if (VIR_STRDUP_QUIET(env, str) < 0) {
|
2010-05-25 11:14:06 +00:00
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2012-09-24 16:30:18 +00:00
|
|
|
virCommandAddEnv(cmd, env);
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAddEnvBuffer:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @buf: buffer that contains name=value string, which will be reset on return
|
|
|
|
*
|
2010-12-10 18:33:53 +00:00
|
|
|
* Convert a buffer containing preformatted name=value into an
|
|
|
|
* environment variable of the child.
|
|
|
|
* Correctly transfers memory errors or contents from buf to cmd.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAddEnvBuffer(virCommandPtr cmd, virBufferPtr buf)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error) {
|
|
|
|
virBufferFreeAndReset(buf);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2012-09-24 16:30:18 +00:00
|
|
|
if (virBufferError(buf)) {
|
2010-12-10 18:33:53 +00:00
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
virBufferFreeAndReset(buf);
|
|
|
|
return;
|
|
|
|
}
|
2011-11-10 00:19:33 +00:00
|
|
|
if (!virBufferUse(buf)) {
|
|
|
|
cmd->has_error = EINVAL;
|
|
|
|
return;
|
|
|
|
}
|
2010-12-10 18:33:53 +00:00
|
|
|
|
2012-09-24 16:30:18 +00:00
|
|
|
virCommandAddEnv(cmd, virBufferContentAndReset(buf));
|
2010-12-10 18:33:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
2013-10-09 10:03:02 +00:00
|
|
|
* virCommandAddEnvPassAllowSUID:
|
2011-07-14 19:47:25 +00:00
|
|
|
* @cmd: the command to modify
|
|
|
|
* @name: the name to look up in current environment
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Pass an environment variable to the child
|
|
|
|
* using current process' value
|
2013-10-09 10:03:02 +00:00
|
|
|
*
|
|
|
|
* Allow to be passed even if setuid
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAddEnvPassAllowSUID(virCommandPtr cmd, const char *name)
|
|
|
|
{
|
|
|
|
const char *value;
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
value = virGetEnvAllowSUID(name);
|
|
|
|
if (value)
|
|
|
|
virCommandAddEnvPair(cmd, name, value);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* virCommandAddEnvPassBlockSUID:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @name: the name to look up in current environment
|
|
|
|
* @defvalue: value to return if running setuid, may be NULL
|
|
|
|
*
|
|
|
|
* Pass an environment variable to the child
|
|
|
|
* using current process' value.
|
|
|
|
*
|
|
|
|
* Do not pass if running setuid
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
2013-10-09 10:03:02 +00:00
|
|
|
virCommandAddEnvPassBlockSUID(virCommandPtr cmd, const char *name, const char *defvalue)
|
2010-05-25 11:14:06 +00:00
|
|
|
{
|
2013-10-09 10:03:02 +00:00
|
|
|
const char *value;
|
2010-05-25 11:14:06 +00:00
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
2013-10-09 10:03:02 +00:00
|
|
|
value = virGetEnvBlockSUID(name);
|
|
|
|
if (!value)
|
|
|
|
value = defvalue;
|
2010-05-25 11:14:06 +00:00
|
|
|
if (value)
|
|
|
|
virCommandAddEnvPair(cmd, name, value);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAddEnvPassCommon:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Set LC_ALL to C, and propagate other essential environment
|
2011-07-14 19:47:25 +00:00
|
|
|
* variables (such as PATH) from the parent process.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAddEnvPassCommon(virCommandPtr cmd)
|
|
|
|
{
|
2011-03-08 18:06:09 +00:00
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
2013-09-23 13:20:37 +00:00
|
|
|
if (VIR_RESIZE_N(cmd->env, cmd->maxenv, cmd->nenv, 9) < 0) {
|
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
return;
|
|
|
|
}
|
2010-05-25 11:14:06 +00:00
|
|
|
|
|
|
|
virCommandAddEnvPair(cmd, "LC_ALL", "C");
|
|
|
|
|
2013-10-09 10:03:02 +00:00
|
|
|
virCommandAddEnvPassBlockSUID(cmd, "LD_PRELOAD", NULL);
|
|
|
|
virCommandAddEnvPassBlockSUID(cmd, "LD_LIBRARY_PATH", NULL);
|
|
|
|
virCommandAddEnvPassBlockSUID(cmd, "PATH", "/bin:/usr/bin");
|
|
|
|
virCommandAddEnvPassBlockSUID(cmd, "HOME", NULL);
|
|
|
|
virCommandAddEnvPassAllowSUID(cmd, "USER");
|
|
|
|
virCommandAddEnvPassAllowSUID(cmd, "LOGNAME");
|
|
|
|
virCommandAddEnvPassBlockSUID(cmd, "TMPDIR", NULL);
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAddArg:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @val: the argument to add
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Add a command line argument to the child
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAddArg(virCommandPtr cmd, const char *val)
|
|
|
|
{
|
|
|
|
char *arg;
|
|
|
|
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
2013-05-24 07:19:51 +00:00
|
|
|
if (VIR_STRDUP_QUIET(arg, val) < 0) {
|
2010-05-25 11:14:06 +00:00
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Arg plus trailing NULL. */
|
|
|
|
if (VIR_RESIZE_N(cmd->args, cmd->maxargs, cmd->nargs, 1 + 1) < 0) {
|
|
|
|
VIR_FREE(arg);
|
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
cmd->args[cmd->nargs++] = arg;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAddArgBuffer:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @buf: buffer that contains argument string, which will be reset on return
|
|
|
|
*
|
2010-12-10 18:33:53 +00:00
|
|
|
* Convert a buffer into a command line argument to the child.
|
|
|
|
* Correctly transfers memory errors or contents from buf to cmd.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAddArgBuffer(virCommandPtr cmd, virBufferPtr buf)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error) {
|
|
|
|
virBufferFreeAndReset(buf);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Arg plus trailing NULL. */
|
|
|
|
if (virBufferError(buf) ||
|
|
|
|
VIR_RESIZE_N(cmd->args, cmd->maxargs, cmd->nargs, 1 + 1) < 0) {
|
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
virBufferFreeAndReset(buf);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2011-11-10 00:19:33 +00:00
|
|
|
cmd->args[cmd->nargs] = virBufferContentAndReset(buf);
|
|
|
|
if (!cmd->args[cmd->nargs]) {
|
2013-05-24 07:19:51 +00:00
|
|
|
if (VIR_STRDUP_QUIET(cmd->args[cmd->nargs], "") < 0) {
|
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
return;
|
|
|
|
}
|
2011-11-10 00:19:33 +00:00
|
|
|
}
|
|
|
|
cmd->nargs++;
|
2010-12-10 18:33:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAddArgFormat:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @format: format of arguments, end result must be in name=value format
|
|
|
|
* @...: arguments to be formatted
|
|
|
|
*
|
|
|
|
* Add a command line argument created by a printf-style format.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAddArgFormat(virCommandPtr cmd, const char *format, ...)
|
|
|
|
{
|
|
|
|
char *arg;
|
|
|
|
va_list list;
|
|
|
|
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
va_start(list, format);
|
|
|
|
if (virVasprintf(&arg, format, list) < 0) {
|
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
va_end(list);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
va_end(list);
|
|
|
|
|
|
|
|
/* Arg plus trailing NULL. */
|
|
|
|
if (VIR_RESIZE_N(cmd->args, cmd->maxargs, cmd->nargs, 1 + 1) < 0) {
|
|
|
|
VIR_FREE(arg);
|
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
cmd->args[cmd->nargs++] = arg;
|
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAddArgPair:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @name: left half of argument
|
|
|
|
* @value: right half of argument
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Add "NAME=VAL" as a single command line argument to the child
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAddArgPair(virCommandPtr cmd, const char *name, const char *val)
|
|
|
|
{
|
|
|
|
virCommandAddArgFormat(cmd, "%s=%s", name, val);
|
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAddArgSet:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @vals: array of arguments to add
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Add a NULL terminated list of args
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAddArgSet(virCommandPtr cmd, const char *const*vals)
|
|
|
|
{
|
|
|
|
int narg = 0;
|
|
|
|
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
2011-03-08 18:06:09 +00:00
|
|
|
if (vals[0] == NULL) {
|
|
|
|
cmd->has_error = EINVAL;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
while (vals[narg] != NULL)
|
|
|
|
narg++;
|
|
|
|
|
|
|
|
/* narg plus trailing NULL. */
|
|
|
|
if (VIR_RESIZE_N(cmd->args, cmd->maxargs, cmd->nargs, narg + 1) < 0) {
|
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
narg = 0;
|
|
|
|
while (vals[narg] != NULL) {
|
2013-05-24 07:19:51 +00:00
|
|
|
char *arg;
|
|
|
|
|
|
|
|
if (VIR_STRDUP_QUIET(arg, vals[narg++]) < 0) {
|
2010-05-25 11:14:06 +00:00
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
cmd->args[cmd->nargs++] = arg;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAddArgList:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @...: list of arguments to add
|
|
|
|
*
|
|
|
|
* Add a NULL terminated list of args.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAddArgList(virCommandPtr cmd, ...)
|
|
|
|
{
|
|
|
|
va_list list;
|
|
|
|
int narg = 0;
|
|
|
|
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
va_start(list, cmd);
|
|
|
|
while (va_arg(list, const char *) != NULL)
|
|
|
|
narg++;
|
|
|
|
va_end(list);
|
|
|
|
|
|
|
|
/* narg plus trailing NULL. */
|
|
|
|
if (VIR_RESIZE_N(cmd->args, cmd->maxargs, cmd->nargs, narg + 1) < 0) {
|
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
va_start(list, cmd);
|
|
|
|
while (1) {
|
|
|
|
char *arg = va_arg(list, char *);
|
|
|
|
if (!arg)
|
|
|
|
break;
|
2013-05-24 07:19:51 +00:00
|
|
|
if (VIR_STRDUP_QUIET(arg, arg) < 0) {
|
2010-05-25 11:14:06 +00:00
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
va_end(list);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
cmd->args[cmd->nargs++] = arg;
|
|
|
|
}
|
|
|
|
va_end(list);
|
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandSetWorkingDirectory:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @pwd: directory to use
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Set the working directory of a non-daemon child process, rather
|
|
|
|
* than the parent's working directory. Daemons automatically get /
|
|
|
|
* without using this call.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandSetWorkingDirectory(virCommandPtr cmd, const char *pwd)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (cmd->pwd) {
|
|
|
|
cmd->has_error = -1;
|
2011-05-09 09:24:09 +00:00
|
|
|
VIR_DEBUG("cannot set directory twice");
|
2010-05-25 11:14:06 +00:00
|
|
|
} else {
|
2013-05-24 07:19:51 +00:00
|
|
|
if (VIR_STRDUP_QUIET(cmd->pwd, pwd) < 0)
|
2010-05-25 11:14:06 +00:00
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandSetInputBuffer:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @inbuf: string to feed to stdin
|
|
|
|
*
|
2013-01-16 10:33:17 +00:00
|
|
|
* Feed the child's stdin from a string buffer. This requires the
|
|
|
|
* use of virCommandRun() or combination of virCommandDoAsyncIO and
|
|
|
|
* virCommandRunAsync. The buffer is forgotten after each @cmd run.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandSetInputBuffer(virCommandPtr cmd, const char *inbuf)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (cmd->infd != -1 || cmd->inbuf) {
|
|
|
|
cmd->has_error = -1;
|
2011-05-09 09:24:09 +00:00
|
|
|
VIR_DEBUG("cannot specify input twice");
|
2010-05-25 11:14:06 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2013-05-24 07:19:51 +00:00
|
|
|
if (VIR_STRDUP_QUIET(cmd->inbuf, inbuf) < 0)
|
2010-05-25 11:14:06 +00:00
|
|
|
cmd->has_error = ENOMEM;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandSetOutputBuffer:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @outbuf: address of variable to store malloced result buffer
|
|
|
|
*
|
2010-12-03 21:14:16 +00:00
|
|
|
* Capture the child's stdout to a string buffer. *outbuf is
|
|
|
|
* guaranteed to be allocated after successful virCommandRun or
|
|
|
|
* virCommandWait, and is best-effort allocated after failed
|
2013-01-16 10:33:17 +00:00
|
|
|
* virCommandRun or virCommandRunAsync; caller is responsible for
|
|
|
|
* freeing *outbuf. This requires the use of virCommandRun() or
|
|
|
|
* combination of virCommandDoAsyncIO and virCommandRunAsync. The
|
|
|
|
* buffer is forgotten after each @cmd run.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandSetOutputBuffer(virCommandPtr cmd, char **outbuf)
|
|
|
|
{
|
2010-12-03 21:14:16 +00:00
|
|
|
*outbuf = NULL;
|
2010-05-25 11:14:06 +00:00
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (cmd->outfdptr) {
|
|
|
|
cmd->has_error = -1;
|
2011-05-09 09:24:09 +00:00
|
|
|
VIR_DEBUG("cannot specify output twice");
|
2010-05-25 11:14:06 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
cmd->outbuf = outbuf;
|
|
|
|
cmd->outfdptr = &cmd->outfd;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandSetErrorBuffer:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @errbuf: address of variable to store malloced result buffer
|
|
|
|
*
|
2010-12-03 21:14:16 +00:00
|
|
|
* Capture the child's stderr to a string buffer. *errbuf is
|
|
|
|
* guaranteed to be allocated after successful virCommandRun or
|
|
|
|
* virCommandWait, and is best-effort allocated after failed
|
2013-01-16 10:33:17 +00:00
|
|
|
* virCommandRun or virCommandRunAsync; caller is responsible for
|
|
|
|
* freeing *errbuf. It is possible to pass the same pointer as
|
|
|
|
* for virCommandSetOutputBuffer(), in which case the child
|
|
|
|
* process will interleave all output into a single string. This
|
|
|
|
* requires the use of virCommandRun() or combination of
|
|
|
|
* virCommandDoAsyncIO and virCommandRunAsync.The buffer is
|
|
|
|
* forgotten after each @cmd run.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandSetErrorBuffer(virCommandPtr cmd, char **errbuf)
|
|
|
|
{
|
2010-12-03 21:14:16 +00:00
|
|
|
*errbuf = NULL;
|
2010-05-25 11:14:06 +00:00
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (cmd->errfdptr) {
|
|
|
|
cmd->has_error = -1;
|
2011-05-09 09:24:09 +00:00
|
|
|
VIR_DEBUG("cannot specify stderr twice");
|
2010-05-25 11:14:06 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
cmd->errbuf = errbuf;
|
|
|
|
cmd->errfdptr = &cmd->errfd;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandSetInputFD:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @infd: the descriptor to use
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Attach a file descriptor to the child's stdin
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandSetInputFD(virCommandPtr cmd, int infd)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (cmd->infd != -1 || cmd->inbuf) {
|
|
|
|
cmd->has_error = -1;
|
2011-05-09 09:24:09 +00:00
|
|
|
VIR_DEBUG("cannot specify input twice");
|
2010-05-25 11:14:06 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
if (infd < 0) {
|
|
|
|
cmd->has_error = -1;
|
2011-05-09 09:24:09 +00:00
|
|
|
VIR_DEBUG("cannot specify invalid input fd");
|
2010-05-25 11:14:06 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
cmd->infd = infd;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandSetOutputFD:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @outfd: location of output fd
|
|
|
|
*
|
|
|
|
* Attach a file descriptor to the child's stdout. If *@outfd is -1 on
|
|
|
|
* entry, then a pipe will be created and returned in this variable when
|
|
|
|
* the child is run. Otherwise, *@outfd is used as the output.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandSetOutputFD(virCommandPtr cmd, int *outfd)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (cmd->outfdptr) {
|
|
|
|
cmd->has_error = -1;
|
2011-05-09 09:24:09 +00:00
|
|
|
VIR_DEBUG("cannot specify output twice");
|
2010-05-25 11:14:06 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
cmd->outfdptr = outfd;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandSetErrorFD:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @errfd: location of error fd
|
|
|
|
*
|
|
|
|
* Attach a file descriptor to the child's stderr. If *@errfd is -1 on
|
|
|
|
* entry, then a pipe will be created and returned in this variable when
|
|
|
|
* the child is run. Otherwise, *@errfd is used for error collection,
|
|
|
|
* and may be the same as outfd given to virCommandSetOutputFD().
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandSetErrorFD(virCommandPtr cmd, int *errfd)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (cmd->errfdptr) {
|
|
|
|
cmd->has_error = -1;
|
2011-05-09 09:24:09 +00:00
|
|
|
VIR_DEBUG("cannot specify stderr twice");
|
2010-05-25 11:14:06 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
cmd->errfdptr = errfd;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandSetPreExecHook:
|
|
|
|
* @cmd: the command to modify
|
|
|
|
* @hook: the hook to run
|
|
|
|
* @opaque: argument to pass to the hook
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Run HOOK(OPAQUE) in the child as the last thing before changing
|
|
|
|
* directories, dropping capabilities, and executing the new process.
|
|
|
|
* Force the child to fail if HOOK does not return zero.
|
2011-07-14 19:47:25 +00:00
|
|
|
*
|
|
|
|
* Since @hook runs in the child, it should be careful to avoid
|
|
|
|
* any functions that are not async-signal-safe.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandSetPreExecHook(virCommandPtr cmd, virExecHook hook, void *opaque)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (cmd->hook) {
|
|
|
|
cmd->has_error = -1;
|
2011-05-09 09:24:09 +00:00
|
|
|
VIR_DEBUG("cannot specify hook twice");
|
2010-05-25 11:14:06 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
cmd->hook = hook;
|
|
|
|
cmd->opaque = opaque;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandWriteArgLog:
|
|
|
|
* @cmd: the command to log
|
|
|
|
* @logfd: where to log the results
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Call after adding all arguments and environment settings, but before
|
|
|
|
* Run/RunAsync, to immediately output the environment and arguments of
|
|
|
|
* cmd to logfd. If virCommandRun cannot succeed (because of an
|
|
|
|
* out-of-memory condition while building cmd), nothing will be logged.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandWriteArgLog(virCommandPtr cmd, int logfd)
|
|
|
|
{
|
|
|
|
int ioError = 0;
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
/* Any errors will be reported later by virCommandRun, which means
|
|
|
|
* no command will be run, so there is nothing to log. */
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
2013-05-21 07:58:16 +00:00
|
|
|
for (i = 0; i < cmd->nenv; i++) {
|
2010-05-25 11:14:06 +00:00
|
|
|
if (safewrite(logfd, cmd->env[i], strlen(cmd->env[i])) < 0)
|
|
|
|
ioError = errno;
|
|
|
|
if (safewrite(logfd, " ", 1) < 0)
|
|
|
|
ioError = errno;
|
|
|
|
}
|
2013-05-21 07:58:16 +00:00
|
|
|
for (i = 0; i < cmd->nargs; i++) {
|
2010-05-25 11:14:06 +00:00
|
|
|
if (safewrite(logfd, cmd->args[i], strlen(cmd->args[i])) < 0)
|
|
|
|
ioError = errno;
|
|
|
|
if (safewrite(logfd, i == cmd->nargs - 1 ? "\n" : " ", 1) < 0)
|
|
|
|
ioError = errno;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ioError) {
|
|
|
|
char ebuf[1024];
|
|
|
|
VIR_WARN("Unable to write command %s args to logfile: %s",
|
2012-03-29 09:52:04 +00:00
|
|
|
cmd->args[0], virStrerror(ioError, ebuf, sizeof(ebuf)));
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandToString:
|
|
|
|
* @cmd: the command to convert
|
|
|
|
*
|
2012-08-28 18:11:45 +00:00
|
|
|
* Call after adding all arguments and environment settings, but
|
|
|
|
* before Run/RunAsync, to return a string representation of the
|
|
|
|
* environment and arguments of cmd, suitably quoted for pasting into
|
|
|
|
* a shell. If virCommandRun cannot succeed (because of an
|
2010-05-25 11:14:06 +00:00
|
|
|
* out-of-memory condition while building cmd), NULL will be returned.
|
|
|
|
* Caller is responsible for freeing the resulting string.
|
|
|
|
*/
|
|
|
|
char *
|
|
|
|
virCommandToString(virCommandPtr cmd)
|
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
|
|
|
|
|
|
|
/* Cannot assume virCommandRun will be called; so report the error
|
|
|
|
* now. If virCommandRun is called, it will report the same error. */
|
2010-12-06 20:58:52 +00:00
|
|
|
if (!cmd ||cmd->has_error == ENOMEM) {
|
|
|
|
virReportOOMError();
|
2010-05-25 11:14:06 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
2010-12-06 20:58:52 +00:00
|
|
|
if (cmd->has_error) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("invalid use of command API"));
|
2010-05-25 11:14:06 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < cmd->nenv; i++) {
|
2012-08-28 18:11:45 +00:00
|
|
|
/* In shell, a='b c' has a different meaning than 'a=b c', so
|
|
|
|
* we must determine where the '=' lives. */
|
|
|
|
char *eq = strchr(cmd->env[i], '=');
|
|
|
|
|
|
|
|
if (!eq) {
|
|
|
|
virBufferFreeAndReset(&buf);
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("invalid use of command API"));
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
eq++;
|
|
|
|
virBufferAdd(&buf, cmd->env[i], eq - cmd->env[i]);
|
|
|
|
virBufferEscapeShell(&buf, eq);
|
2010-05-25 11:14:06 +00:00
|
|
|
virBufferAddChar(&buf, ' ');
|
|
|
|
}
|
2012-08-28 18:11:45 +00:00
|
|
|
virBufferEscapeShell(&buf, cmd->args[0]);
|
2010-05-25 11:14:06 +00:00
|
|
|
for (i = 1; i < cmd->nargs; i++) {
|
|
|
|
virBufferAddChar(&buf, ' ');
|
2012-08-28 18:11:45 +00:00
|
|
|
virBufferEscapeShell(&buf, cmd->args[i]);
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
|
2014-06-27 08:40:15 +00:00
|
|
|
if (virBufferCheckError(&buf) < 0)
|
2010-05-25 11:14:06 +00:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
return virBufferContentAndReset(&buf);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Manage input and output to the child process.
|
|
|
|
*/
|
|
|
|
static int
|
2013-02-08 14:17:44 +00:00
|
|
|
virCommandProcessIO(virCommandPtr cmd)
|
2010-05-25 11:14:06 +00:00
|
|
|
{
|
2013-02-08 14:17:44 +00:00
|
|
|
int outfd = -1, errfd = -1;
|
2010-05-25 11:14:06 +00:00
|
|
|
size_t inlen = 0, outlen = 0, errlen = 0;
|
|
|
|
size_t inoff = 0;
|
2010-12-03 21:14:16 +00:00
|
|
|
int ret = 0;
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2014-03-07 11:39:48 +00:00
|
|
|
if (dryRunBuffer || dryRunCallback) {
|
|
|
|
VIR_DEBUG("Dry run requested, skipping I/O processing");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
/* With an input buffer, feed data to child
|
|
|
|
* via pipe */
|
2013-02-08 14:17:44 +00:00
|
|
|
if (cmd->inbuf)
|
2010-05-25 11:14:06 +00:00
|
|
|
inlen = strlen(cmd->inbuf);
|
|
|
|
|
2010-12-03 21:14:16 +00:00
|
|
|
/* With out/err buffer, the outfd/errfd have been filled with an
|
|
|
|
* FD for us. Guarantee an allocated string with partial results
|
|
|
|
* even if we encounter a later failure, as well as freeing any
|
|
|
|
* results accumulated over a prior run of the same command. */
|
|
|
|
if (cmd->outbuf) {
|
2010-05-25 11:14:06 +00:00
|
|
|
outfd = cmd->outfd;
|
2013-07-04 10:17:18 +00:00
|
|
|
if (VIR_REALLOC_N(*cmd->outbuf, 1) < 0)
|
2010-12-03 21:14:16 +00:00
|
|
|
ret = -1;
|
|
|
|
}
|
|
|
|
if (cmd->errbuf) {
|
2010-05-25 11:14:06 +00:00
|
|
|
errfd = cmd->errfd;
|
2013-07-04 10:17:18 +00:00
|
|
|
if (VIR_REALLOC_N(*cmd->errbuf, 1) < 0)
|
2010-12-03 21:14:16 +00:00
|
|
|
ret = -1;
|
|
|
|
}
|
|
|
|
if (ret == -1)
|
|
|
|
goto cleanup;
|
|
|
|
ret = -1;
|
2010-05-25 11:14:06 +00:00
|
|
|
|
|
|
|
for (;;) {
|
Convert 'int i' to 'size_t i' in src/util/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 14:09:33 +00:00
|
|
|
size_t i;
|
2010-05-25 11:14:06 +00:00
|
|
|
struct pollfd fds[3];
|
|
|
|
int nfds = 0;
|
|
|
|
|
2013-02-08 14:17:44 +00:00
|
|
|
if (cmd->inpipe != -1) {
|
|
|
|
fds[nfds].fd = cmd->inpipe;
|
2010-05-25 11:14:06 +00:00
|
|
|
fds[nfds].events = POLLOUT;
|
2012-01-03 17:40:55 +00:00
|
|
|
fds[nfds].revents = 0;
|
2010-05-25 11:14:06 +00:00
|
|
|
nfds++;
|
|
|
|
}
|
|
|
|
if (outfd != -1) {
|
|
|
|
fds[nfds].fd = outfd;
|
|
|
|
fds[nfds].events = POLLIN;
|
2012-01-03 17:40:55 +00:00
|
|
|
fds[nfds].revents = 0;
|
2010-05-25 11:14:06 +00:00
|
|
|
nfds++;
|
|
|
|
}
|
|
|
|
if (errfd != -1) {
|
|
|
|
fds[nfds].fd = errfd;
|
|
|
|
fds[nfds].events = POLLIN;
|
2012-01-03 17:40:55 +00:00
|
|
|
fds[nfds].revents = 0;
|
2010-05-25 11:14:06 +00:00
|
|
|
nfds++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nfds == 0)
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (poll(fds, nfds, -1) < 0) {
|
2012-05-31 21:50:07 +00:00
|
|
|
if (errno == EAGAIN || errno == EINTR)
|
2010-05-25 11:14:06 +00:00
|
|
|
continue;
|
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("unable to poll on child"));
|
2010-12-03 21:14:16 +00:00
|
|
|
goto cleanup;
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
|
2013-05-21 07:58:16 +00:00
|
|
|
for (i = 0; i < nfds; i++) {
|
virCommandProcessIO(): make poll() usage more robust
POLLIN and POLLHUP are not mutually exclusive. Currently the following
seems possible: the child writes 3K to its stdout or stderr pipe, and
immediately closes it. We get POLLIN|POLLHUP (I'm not sure that's possible
on Linux, but SUSv4 seems to allow it). We read 1K and throw away the
rest.
When poll() returns and we're about to check the /revents/ member in a
given array element, let's map all the revents bits to two (independent)
ideas: "let's attempt to read()", and "let's attempt to write()". This
should cover all errors, EOFs, and normal conditions; the read()/write()
call should report any pending error.
Under this approach, both POLLHUP and POLLERR are mapped to "needs read()"
if we're otherwise prepared for POLLIN. POLLERR also maps to "needs
write()" if we're otherwise prepared for POLLOUT. The rest of the mappings
(POLLPRI etc.) would be easy, but probably useless for pipes.
Additionally, SUSv4 doesn't appear to forbid POLLIN|POLLERR (or
POLLOUT|POLLERR) set simultaneously. One could argue that the read() or
write() call would return without blocking in these cases (with an error),
so POLLIN / POLLOUT would be justified beside POLLERR.
The code now penalizes POLLIN|POLLERR differently from plain POLLERR. The
former (ie. read() returning -1) is terminal and we jump to cleanup, while
plain POLLERR masks only the affected file descriptor for the future.
Let's unify those.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
2012-01-24 14:55:19 +00:00
|
|
|
if (fds[i].revents & (POLLIN | POLLHUP | POLLERR) &&
|
2012-01-03 17:40:55 +00:00
|
|
|
(fds[i].fd == errfd || fds[i].fd == outfd)) {
|
2010-05-25 11:14:06 +00:00
|
|
|
char data[1024];
|
|
|
|
char **buf;
|
|
|
|
size_t *len;
|
|
|
|
int done;
|
|
|
|
if (fds[i].fd == outfd) {
|
|
|
|
buf = cmd->outbuf;
|
|
|
|
len = &outlen;
|
|
|
|
} else {
|
|
|
|
buf = cmd->errbuf;
|
|
|
|
len = &errlen;
|
|
|
|
}
|
2011-02-14 22:24:08 +00:00
|
|
|
/* Silence a false positive from clang. */
|
|
|
|
sa_assert(buf);
|
2010-05-25 11:14:06 +00:00
|
|
|
|
|
|
|
done = read(fds[i].fd, data, sizeof(data));
|
|
|
|
if (done < 0) {
|
|
|
|
if (errno != EINTR &&
|
|
|
|
errno != EAGAIN) {
|
|
|
|
virReportSystemError(errno, "%s",
|
2011-06-22 11:33:24 +00:00
|
|
|
(fds[i].fd == outfd) ?
|
|
|
|
_("unable to read child stdout") :
|
|
|
|
_("unable to read child stderr"));
|
2010-12-03 21:14:16 +00:00
|
|
|
goto cleanup;
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
} else if (done == 0) {
|
|
|
|
if (fds[i].fd == outfd)
|
|
|
|
outfd = -1;
|
|
|
|
else
|
|
|
|
errfd = -1;
|
|
|
|
} else {
|
2013-07-04 10:17:18 +00:00
|
|
|
if (VIR_REALLOC_N(*buf, *len + done + 1) < 0)
|
2010-12-03 21:14:16 +00:00
|
|
|
goto cleanup;
|
2010-05-25 11:14:06 +00:00
|
|
|
memcpy(*buf + *len, data, done);
|
|
|
|
*len += done;
|
|
|
|
}
|
2012-01-03 17:40:55 +00:00
|
|
|
}
|
|
|
|
|
virCommandProcessIO(): make poll() usage more robust
POLLIN and POLLHUP are not mutually exclusive. Currently the following
seems possible: the child writes 3K to its stdout or stderr pipe, and
immediately closes it. We get POLLIN|POLLHUP (I'm not sure that's possible
on Linux, but SUSv4 seems to allow it). We read 1K and throw away the
rest.
When poll() returns and we're about to check the /revents/ member in a
given array element, let's map all the revents bits to two (independent)
ideas: "let's attempt to read()", and "let's attempt to write()". This
should cover all errors, EOFs, and normal conditions; the read()/write()
call should report any pending error.
Under this approach, both POLLHUP and POLLERR are mapped to "needs read()"
if we're otherwise prepared for POLLIN. POLLERR also maps to "needs
write()" if we're otherwise prepared for POLLOUT. The rest of the mappings
(POLLPRI etc.) would be easy, but probably useless for pipes.
Additionally, SUSv4 doesn't appear to forbid POLLIN|POLLERR (or
POLLOUT|POLLERR) set simultaneously. One could argue that the read() or
write() call would return without blocking in these cases (with an error),
so POLLIN / POLLOUT would be justified beside POLLERR.
The code now penalizes POLLIN|POLLERR differently from plain POLLERR. The
former (ie. read() returning -1) is terminal and we jump to cleanup, while
plain POLLERR masks only the affected file descriptor for the future.
Let's unify those.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
2012-01-24 14:55:19 +00:00
|
|
|
if (fds[i].revents & (POLLOUT | POLLERR) &&
|
2013-02-08 14:17:44 +00:00
|
|
|
fds[i].fd == cmd->inpipe) {
|
2010-05-25 11:14:06 +00:00
|
|
|
int done;
|
|
|
|
|
2013-02-08 14:17:44 +00:00
|
|
|
done = write(cmd->inpipe, cmd->inbuf + inoff,
|
2010-05-25 11:14:06 +00:00
|
|
|
inlen - inoff);
|
|
|
|
if (done < 0) {
|
2012-05-31 21:50:07 +00:00
|
|
|
if (errno == EPIPE) {
|
|
|
|
VIR_DEBUG("child closed stdin early, ignoring EPIPE "
|
2013-02-08 14:17:44 +00:00
|
|
|
"on fd %d", cmd->inpipe);
|
|
|
|
VIR_FORCE_CLOSE(cmd->inpipe);
|
2012-06-04 22:32:43 +00:00
|
|
|
} else if (errno != EINTR && errno != EAGAIN) {
|
2010-05-25 11:14:06 +00:00
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("unable to write to child input"));
|
2010-12-03 21:14:16 +00:00
|
|
|
goto cleanup;
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
inoff += done;
|
2013-02-08 14:17:44 +00:00
|
|
|
if (inoff == inlen)
|
|
|
|
VIR_FORCE_CLOSE(cmd->inpipe);
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-12-03 21:14:16 +00:00
|
|
|
ret = 0;
|
2014-03-25 06:53:22 +00:00
|
|
|
cleanup:
|
2011-02-14 22:24:08 +00:00
|
|
|
if (cmd->outbuf && *cmd->outbuf)
|
2010-12-03 21:14:16 +00:00
|
|
|
(*cmd->outbuf)[outlen] = '\0';
|
2011-02-14 22:24:08 +00:00
|
|
|
if (cmd->errbuf && *cmd->errbuf)
|
2010-12-03 21:14:16 +00:00
|
|
|
(*cmd->errbuf)[errlen] = '\0';
|
|
|
|
return ret;
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandExec:
|
|
|
|
* @cmd: command to run
|
|
|
|
*
|
2011-05-06 14:37:36 +00:00
|
|
|
* Exec the command, replacing the current process. Meant to be called
|
2011-07-14 19:47:25 +00:00
|
|
|
* in the hook after already forking / cloning, so does not attempt to
|
|
|
|
* daemonize or preserve any FDs.
|
2011-05-06 14:37:36 +00:00
|
|
|
*
|
|
|
|
* Returns -1 on any error executing the command.
|
|
|
|
* Will not return on success.
|
|
|
|
*/
|
2011-05-12 09:33:31 +00:00
|
|
|
#ifndef WIN32
|
2011-05-06 14:37:36 +00:00
|
|
|
int virCommandExec(virCommandPtr cmd)
|
|
|
|
{
|
|
|
|
if (!cmd ||cmd->has_error == ENOMEM) {
|
|
|
|
virReportOOMError();
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
if (cmd->has_error) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("invalid use of command API"));
|
2011-05-06 14:37:36 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return execve(cmd->args[0], cmd->args, cmd->env);
|
|
|
|
}
|
2011-05-12 09:33:31 +00:00
|
|
|
#else
|
|
|
|
int virCommandExec(virCommandPtr cmd ATTRIBUTE_UNUSED)
|
|
|
|
{
|
|
|
|
/* Mingw execve() has a broken signature. Disable this
|
|
|
|
* function until gnulib fixes the signature, since we
|
|
|
|
* don't really need this on Win32 anyway.
|
|
|
|
*/
|
|
|
|
virReportSystemError(ENOSYS, "%s",
|
|
|
|
_("Executing new processes is not supported on Win32 platform"));
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
#endif
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandRun:
|
|
|
|
* @cmd: command to run
|
|
|
|
* @exitstatus: optional status collection
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Run the command and wait for completion.
|
|
|
|
* Returns -1 on any error executing the
|
|
|
|
* command. Returns 0 if the command executed,
|
2011-07-14 19:47:25 +00:00
|
|
|
* with the exit status set. If @exitstatus is NULL, then the
|
2014-02-20 00:32:19 +00:00
|
|
|
* child must exit with status 0 for this to succeed. By default,
|
|
|
|
* a non-NULL @exitstatus contains the normal exit status of the child
|
|
|
|
* (death from a signal is treated as execution error); but if
|
|
|
|
* virCommandRawStatus() was used, it instead contains the raw exit
|
|
|
|
* status that the caller must then decipher using WIFEXITED() and friends.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
virCommandRun(virCommandPtr cmd, int *exitstatus)
|
|
|
|
{
|
|
|
|
int ret = 0;
|
|
|
|
char *outbuf = NULL;
|
|
|
|
char *errbuf = NULL;
|
2010-12-06 23:36:34 +00:00
|
|
|
struct stat st;
|
|
|
|
bool string_io;
|
|
|
|
bool async_io = false;
|
2011-03-22 17:55:45 +00:00
|
|
|
char *str;
|
2012-05-31 21:50:07 +00:00
|
|
|
int tmpfd;
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2010-12-06 20:58:52 +00:00
|
|
|
if (!cmd ||cmd->has_error == ENOMEM) {
|
|
|
|
virReportOOMError();
|
2010-05-25 11:14:06 +00:00
|
|
|
return -1;
|
|
|
|
}
|
2010-12-06 20:58:52 +00:00
|
|
|
if (cmd->has_error) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("invalid use of command API"));
|
2010-05-25 11:14:06 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2010-12-06 23:36:34 +00:00
|
|
|
/* Avoid deadlock, by requiring that any open fd not under our
|
|
|
|
* control must be visiting a regular file, or that we are
|
|
|
|
* daemonized and no string io is required. */
|
|
|
|
string_io = cmd->inbuf || cmd->outbuf || cmd->errbuf;
|
|
|
|
if (cmd->infd != -1 &&
|
|
|
|
(fstat(cmd->infd, &st) < 0 || !S_ISREG(st.st_mode)))
|
|
|
|
async_io = true;
|
|
|
|
if (cmd->outfdptr && cmd->outfdptr != &cmd->outfd &&
|
|
|
|
(*cmd->outfdptr == -1 ||
|
|
|
|
fstat(*cmd->outfdptr, &st) < 0 || !S_ISREG(st.st_mode)))
|
|
|
|
async_io = true;
|
|
|
|
if (cmd->errfdptr && cmd->errfdptr != &cmd->errfd &&
|
|
|
|
(*cmd->errfdptr == -1 ||
|
|
|
|
fstat(*cmd->errfdptr, &st) < 0 || !S_ISREG(st.st_mode)))
|
|
|
|
async_io = true;
|
|
|
|
if (async_io) {
|
|
|
|
if (!(cmd->flags & VIR_EXEC_DAEMON) || string_io) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("cannot mix caller fds with blocking execution"));
|
2010-12-06 23:36:34 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if ((cmd->flags & VIR_EXEC_DAEMON) && string_io) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("cannot mix string I/O with daemon"));
|
2010-12-06 23:36:34 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-01-27 22:40:20 +00:00
|
|
|
/* If caller requested the same string for stdout and stderr, then
|
|
|
|
* merge those into one string. */
|
|
|
|
if (cmd->outbuf && cmd->outbuf == cmd->errbuf) {
|
|
|
|
cmd->errfdptr = &cmd->outfd;
|
|
|
|
cmd->errbuf = NULL;
|
|
|
|
}
|
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
/* If caller hasn't requested capture of stdout/err, then capture
|
2010-12-21 18:49:49 +00:00
|
|
|
* it ourselves so we can log it. But the intermediate child for
|
|
|
|
* a daemon has no expected output, and we don't want our
|
|
|
|
* capturing pipes passed on to the daemon grandchild.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
2010-12-21 18:49:49 +00:00
|
|
|
if (!(cmd->flags & VIR_EXEC_DAEMON)) {
|
|
|
|
if (!cmd->outfdptr) {
|
|
|
|
cmd->outfdptr = &cmd->outfd;
|
|
|
|
cmd->outbuf = &outbuf;
|
|
|
|
string_io = true;
|
|
|
|
}
|
|
|
|
if (!cmd->errfdptr) {
|
|
|
|
cmd->errfdptr = &cmd->errfd;
|
|
|
|
cmd->errbuf = &errbuf;
|
|
|
|
string_io = true;
|
|
|
|
}
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
|
2011-03-23 23:42:27 +00:00
|
|
|
cmd->flags |= VIR_EXEC_RUN_SYNC;
|
2010-05-25 11:14:06 +00:00
|
|
|
if (virCommandRunAsync(cmd, NULL) < 0) {
|
|
|
|
cmd->has_error = -1;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2013-02-08 14:17:44 +00:00
|
|
|
if (string_io) {
|
|
|
|
VIR_FORCE_CLOSE(cmd->infd);
|
|
|
|
ret = virCommandProcessIO(cmd);
|
|
|
|
}
|
2010-05-25 11:14:06 +00:00
|
|
|
|
|
|
|
if (virCommandWait(cmd, exitstatus) < 0)
|
|
|
|
ret = -1;
|
|
|
|
|
2012-09-24 17:01:26 +00:00
|
|
|
str = (exitstatus ? virProcessTranslateStatus(*exitstatus)
|
2011-03-22 17:55:45 +00:00
|
|
|
: (char *) "status 0");
|
|
|
|
VIR_DEBUG("Result %s, stdout: '%s' stderr: '%s'",
|
|
|
|
NULLSTR(str),
|
2010-12-06 09:41:10 +00:00
|
|
|
cmd->outbuf ? NULLSTR(*cmd->outbuf) : "(null)",
|
|
|
|
cmd->errbuf ? NULLSTR(*cmd->errbuf) : "(null)");
|
2011-03-22 17:55:45 +00:00
|
|
|
if (exitstatus)
|
|
|
|
VIR_FREE(str);
|
2010-05-25 11:14:06 +00:00
|
|
|
|
|
|
|
/* Reset any capturing, in case caller runs
|
|
|
|
* this identical command again */
|
2013-02-08 14:17:44 +00:00
|
|
|
VIR_FORCE_CLOSE(cmd->inpipe);
|
2010-05-25 11:14:06 +00:00
|
|
|
if (cmd->outbuf == &outbuf) {
|
2011-09-26 16:51:47 +00:00
|
|
|
tmpfd = cmd->outfd;
|
2010-05-25 11:14:06 +00:00
|
|
|
if (VIR_CLOSE(cmd->outfd) < 0)
|
|
|
|
VIR_DEBUG("ignoring failed close on fd %d", tmpfd);
|
|
|
|
cmd->outfdptr = NULL;
|
|
|
|
cmd->outbuf = NULL;
|
2010-12-08 15:03:29 +00:00
|
|
|
VIR_FREE(outbuf);
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
if (cmd->errbuf == &errbuf) {
|
2011-09-26 16:51:47 +00:00
|
|
|
tmpfd = cmd->errfd;
|
2010-05-25 11:14:06 +00:00
|
|
|
if (VIR_CLOSE(cmd->errfd) < 0)
|
|
|
|
VIR_DEBUG("ignoring failed close on fd %d", tmpfd);
|
|
|
|
cmd->errfdptr = NULL;
|
|
|
|
cmd->errbuf = NULL;
|
2010-12-08 15:03:29 +00:00
|
|
|
VIR_FREE(errbuf);
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-01-16 10:33:17 +00:00
|
|
|
static void
|
2013-02-08 14:17:44 +00:00
|
|
|
virCommandDoAsyncIOHelper(void *opaque)
|
2013-01-16 10:33:17 +00:00
|
|
|
{
|
2013-02-08 14:17:44 +00:00
|
|
|
virCommandPtr cmd = opaque;
|
|
|
|
if (virCommandProcessIO(cmd) < 0) {
|
|
|
|
/* If something went wrong, save errno or -1*/
|
|
|
|
cmd->has_error = errno ? errno : -1;
|
2013-01-16 10:33:17 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandRunAsync:
|
|
|
|
* @cmd: command to start
|
|
|
|
* @pid: optional variable to track child pid
|
|
|
|
*
|
2010-05-25 11:14:06 +00:00
|
|
|
* Run the command asynchronously
|
|
|
|
* Returns -1 on any error executing the
|
|
|
|
* command. Returns 0 if the command executed.
|
2011-07-12 16:42:41 +00:00
|
|
|
*
|
|
|
|
* There are two approaches to child process cleanup.
|
|
|
|
* 1. Use auto-cleanup, by passing NULL for pid. The child will be
|
|
|
|
* auto-reaped by virCommandFree, unless you reap it earlier via
|
|
|
|
* virCommandWait or virCommandAbort. Good for where cmd is in
|
|
|
|
* scope for the duration of the child process.
|
|
|
|
* 2. Use manual cleanup, by passing the address of a pid_t variable
|
|
|
|
* for pid. While cmd is still in scope, you may reap the child via
|
|
|
|
* virCommandWait or virCommandAbort. But after virCommandFree, if
|
|
|
|
* you have not yet reaped the child, then it continues to run until
|
2012-09-24 16:59:31 +00:00
|
|
|
* you call virProcessWait or virProcessAbort.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
virCommandRunAsync(virCommandPtr cmd, pid_t *pid)
|
|
|
|
{
|
2013-02-08 14:17:44 +00:00
|
|
|
int ret = -1;
|
2014-01-28 18:18:43 +00:00
|
|
|
char *str = NULL;
|
Convert 'int i' to 'size_t i' in src/util/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 14:09:33 +00:00
|
|
|
size_t i;
|
2011-03-23 23:42:27 +00:00
|
|
|
bool synchronous = false;
|
2013-01-16 10:33:17 +00:00
|
|
|
int infd[2] = {-1, -1};
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2010-12-06 20:58:52 +00:00
|
|
|
if (!cmd || cmd->has_error == ENOMEM) {
|
|
|
|
virReportOOMError();
|
2010-05-25 11:14:06 +00:00
|
|
|
return -1;
|
|
|
|
}
|
2010-12-06 20:58:52 +00:00
|
|
|
if (cmd->has_error) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("invalid use of command API"));
|
2010-05-25 11:14:06 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2011-03-23 23:42:27 +00:00
|
|
|
synchronous = cmd->flags & VIR_EXEC_RUN_SYNC;
|
|
|
|
cmd->flags &= ~VIR_EXEC_RUN_SYNC;
|
|
|
|
|
2013-02-08 14:17:44 +00:00
|
|
|
/* Buffer management can only be requested via virCommandRun or
|
|
|
|
* virCommandDoAsyncIO. */
|
|
|
|
if (cmd->inbuf && cmd->infd == -1 &&
|
|
|
|
(synchronous || cmd->flags & VIR_EXEC_ASYNC_IO)) {
|
|
|
|
if (pipe2(infd, O_CLOEXEC) < 0) {
|
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("unable to open pipe"));
|
|
|
|
cmd->has_error = -1;
|
|
|
|
return -1;
|
2013-01-16 10:33:17 +00:00
|
|
|
}
|
2013-02-08 14:17:44 +00:00
|
|
|
cmd->infd = infd[0];
|
|
|
|
cmd->inpipe = infd[1];
|
2013-01-16 10:33:17 +00:00
|
|
|
} else if ((cmd->inbuf && cmd->infd == -1) ||
|
2013-02-08 14:17:44 +00:00
|
|
|
(cmd->outbuf && cmd->outfdptr != &cmd->outfd) ||
|
|
|
|
(cmd->errbuf && cmd->errfdptr != &cmd->errfd)) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("cannot mix string I/O with asynchronous command"));
|
2010-12-06 23:36:34 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
if (cmd->pid != -1) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
_("command is already running as pid %lld"),
|
|
|
|
(long long) cmd->pid);
|
2013-02-08 14:17:44 +00:00
|
|
|
goto cleanup;
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
|
2011-03-23 23:42:27 +00:00
|
|
|
if (!synchronous && (cmd->flags & VIR_EXEC_DAEMON)) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("daemonized command cannot use virCommandRunAsync"));
|
2013-02-08 14:17:44 +00:00
|
|
|
goto cleanup;
|
2011-03-23 23:42:27 +00:00
|
|
|
}
|
2010-05-25 11:14:06 +00:00
|
|
|
if (cmd->pwd && (cmd->flags & VIR_EXEC_DAEMON)) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
_("daemonized command cannot set working directory %s"),
|
|
|
|
cmd->pwd);
|
2013-02-08 14:17:44 +00:00
|
|
|
goto cleanup;
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
2011-03-22 22:39:01 +00:00
|
|
|
if (cmd->pidfile && !(cmd->flags & VIR_EXEC_DAEMON)) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("creation of pid file requires daemonized command"));
|
2013-02-08 14:17:44 +00:00
|
|
|
goto cleanup;
|
2011-03-22 22:39:01 +00:00
|
|
|
}
|
2010-05-25 11:14:06 +00:00
|
|
|
|
|
|
|
str = virCommandToString(cmd);
|
2014-03-07 11:39:48 +00:00
|
|
|
if (dryRunBuffer || dryRunCallback) {
|
|
|
|
dryRunStatus = 0;
|
2014-01-28 18:18:43 +00:00
|
|
|
if (!str) {
|
|
|
|
/* error already reported by virCommandToString */
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
2014-03-07 11:39:48 +00:00
|
|
|
if (dryRunBuffer) {
|
|
|
|
VIR_DEBUG("Dry run requested, appending stringified "
|
|
|
|
"command to dryRunBuffer=%p", dryRunBuffer);
|
|
|
|
virBufferAdd(dryRunBuffer, str, -1);
|
|
|
|
virBufferAddChar(dryRunBuffer, '\n');
|
|
|
|
}
|
|
|
|
if (dryRunCallback) {
|
|
|
|
dryRunCallback((const char *const*)cmd->args,
|
|
|
|
(const char *const*)cmd->env,
|
|
|
|
cmd->inbuf, cmd->outbuf, cmd->errbuf,
|
|
|
|
&dryRunStatus, dryRunOpaque);
|
|
|
|
}
|
2014-01-28 18:18:43 +00:00
|
|
|
ret = 0;
|
|
|
|
goto cleanup;
|
|
|
|
}
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2014-01-28 18:18:43 +00:00
|
|
|
VIR_DEBUG("About to run %s", str ? str : cmd->args[0]);
|
2013-01-29 18:47:18 +00:00
|
|
|
ret = virExec(cmd);
|
2010-05-25 11:14:06 +00:00
|
|
|
VIR_DEBUG("Command result %d, with PID %d",
|
|
|
|
ret, (int)cmd->pid);
|
|
|
|
|
2013-07-11 10:31:56 +00:00
|
|
|
for (i = 0; i < cmd->npassfd; i++) {
|
|
|
|
if (cmd->passfd[i].flags & VIR_COMMAND_PASS_FD_CLOSE_PARENT)
|
|
|
|
VIR_FORCE_CLOSE(cmd->passfd[i].fd);
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
2013-07-11 10:31:56 +00:00
|
|
|
cmd->npassfd = 0;
|
|
|
|
VIR_FREE(cmd->passfd);
|
2010-05-25 11:14:06 +00:00
|
|
|
|
|
|
|
if (ret == 0 && pid)
|
|
|
|
*pid = cmd->pid;
|
2011-03-22 22:22:37 +00:00
|
|
|
else
|
|
|
|
cmd->reap = true;
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2013-01-16 10:33:17 +00:00
|
|
|
if (ret == 0 && cmd->flags & VIR_EXEC_ASYNC_IO) {
|
2013-02-08 14:17:44 +00:00
|
|
|
if (cmd->inbuf)
|
2013-01-16 10:33:17 +00:00
|
|
|
VIR_FORCE_CLOSE(cmd->infd);
|
2013-02-08 14:17:44 +00:00
|
|
|
/* clear any error so we can catch if the helper thread reports one */
|
|
|
|
cmd->has_error = 0;
|
|
|
|
if (VIR_ALLOC(cmd->asyncioThread) < 0 ||
|
|
|
|
virThreadCreate(cmd->asyncioThread, true,
|
|
|
|
virCommandDoAsyncIOHelper, cmd) < 0) {
|
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("Unable to create thread "
|
|
|
|
"to process command's IO"));
|
|
|
|
VIR_FREE(cmd->asyncioThread);
|
|
|
|
virCommandAbort(cmd);
|
|
|
|
ret = -1;
|
2013-01-16 10:33:17 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-03-25 06:53:22 +00:00
|
|
|
cleanup:
|
2013-02-08 14:17:44 +00:00
|
|
|
if (ret < 0) {
|
|
|
|
VIR_FORCE_CLOSE(cmd->infd);
|
|
|
|
VIR_FORCE_CLOSE(cmd->inpipe);
|
|
|
|
}
|
2014-01-28 18:18:43 +00:00
|
|
|
VIR_FREE(str);
|
2010-05-25 11:14:06 +00:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandWait:
|
|
|
|
* @cmd: command to wait on
|
|
|
|
* @exitstatus: optional status collection
|
|
|
|
*
|
|
|
|
* Wait for the command previously started with virCommandRunAsync()
|
|
|
|
* to complete. Return -1 on any error waiting for
|
2010-05-25 11:14:06 +00:00
|
|
|
* completion. Returns 0 if the command
|
2011-07-14 19:47:25 +00:00
|
|
|
* finished with the exit status set. If @exitstatus is NULL, then the
|
2014-02-20 00:32:19 +00:00
|
|
|
* child must exit with status 0 for this to succeed. By default,
|
|
|
|
* a non-NULL @exitstatus contains the normal exit status of the child
|
|
|
|
* (death from a signal is treated as execution error); but if
|
|
|
|
* virCommandRawStatus() was used, it instead contains the raw exit
|
|
|
|
* status that the caller must then decipher using WIFEXITED() and friends.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
virCommandWait(virCommandPtr cmd, int *exitstatus)
|
|
|
|
{
|
|
|
|
int ret;
|
2011-07-12 16:42:41 +00:00
|
|
|
int status = 0;
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2010-12-06 20:58:52 +00:00
|
|
|
if (!cmd ||cmd->has_error == ENOMEM) {
|
|
|
|
virReportOOMError();
|
2010-05-25 11:14:06 +00:00
|
|
|
return -1;
|
|
|
|
}
|
2010-12-06 20:58:52 +00:00
|
|
|
if (cmd->has_error) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("invalid use of command API"));
|
2010-05-25 11:14:06 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2014-03-07 11:39:48 +00:00
|
|
|
if (dryRunBuffer || dryRunCallback) {
|
|
|
|
VIR_DEBUG("Dry run requested, returning status %d",
|
|
|
|
dryRunStatus);
|
2014-01-28 18:18:43 +00:00
|
|
|
if (exitstatus)
|
2014-03-07 11:39:48 +00:00
|
|
|
*exitstatus = dryRunStatus;
|
2014-01-28 18:18:43 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
if (cmd->pid == -1) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("command is not yet running"));
|
2010-05-25 11:14:06 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2012-09-24 16:59:31 +00:00
|
|
|
/* If virProcessWait reaps pid but then returns failure because
|
2011-07-12 16:42:41 +00:00
|
|
|
* exitstatus was NULL, then a second virCommandWait would risk
|
|
|
|
* calling waitpid on an unrelated process. Besides, that error
|
|
|
|
* message is not as detailed as what we can provide. So, we
|
2012-09-24 16:59:31 +00:00
|
|
|
* guarantee that virProcessWait only fails due to failure to wait,
|
2011-07-12 16:42:41 +00:00
|
|
|
* and repeat the exitstatus check code ourselves. */
|
2014-02-20 00:32:19 +00:00
|
|
|
ret = virProcessWait(cmd->pid, &status, true);
|
2013-02-08 14:17:44 +00:00
|
|
|
if (cmd->flags & VIR_EXEC_ASYNC_IO) {
|
|
|
|
cmd->flags &= ~VIR_EXEC_ASYNC_IO;
|
|
|
|
virThreadJoin(cmd->asyncioThread);
|
|
|
|
VIR_FREE(cmd->asyncioThread);
|
|
|
|
VIR_FORCE_CLOSE(cmd->inpipe);
|
|
|
|
if (cmd->has_error) {
|
|
|
|
const char *msg = _("Error while processing command's IO");
|
|
|
|
if (cmd->has_error < 0)
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", msg);
|
|
|
|
else
|
|
|
|
virReportSystemError(cmd->has_error, "%s", msg);
|
|
|
|
ret = -1;
|
|
|
|
}
|
2013-01-16 10:33:17 +00:00
|
|
|
}
|
2011-07-12 16:42:41 +00:00
|
|
|
if (ret == 0) {
|
|
|
|
cmd->pid = -1;
|
|
|
|
cmd->reap = false;
|
2014-02-20 00:32:19 +00:00
|
|
|
if (exitstatus && (cmd->rawStatus || WIFEXITED(status))) {
|
|
|
|
*exitstatus = cmd->rawStatus ? status : WEXITSTATUS(status);
|
|
|
|
} else if (status) {
|
2011-02-15 10:46:16 +00:00
|
|
|
char *str = virCommandToString(cmd);
|
2012-09-24 17:01:26 +00:00
|
|
|
char *st = virProcessTranslateStatus(status);
|
2012-08-06 15:40:06 +00:00
|
|
|
bool haveErrMsg = cmd->errbuf && *cmd->errbuf && (*cmd->errbuf)[0];
|
|
|
|
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
2012-08-06 15:40:06 +00:00
|
|
|
_("Child process (%s) unexpected %s%s%s"),
|
|
|
|
str ? str : cmd->args[0], NULLSTR(st),
|
|
|
|
haveErrMsg ? ": " : "",
|
|
|
|
haveErrMsg ? *cmd->errbuf : "");
|
2011-02-15 10:46:16 +00:00
|
|
|
VIR_FREE(str);
|
2011-03-22 17:55:45 +00:00
|
|
|
VIR_FREE(st);
|
2010-05-25 11:14:06 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-07-12 16:42:41 +00:00
|
|
|
return ret;
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-03-28 20:12:15 +00:00
|
|
|
#ifndef WIN32
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandAbort:
|
|
|
|
* @cmd: command to abort
|
|
|
|
*
|
2011-07-12 16:42:41 +00:00
|
|
|
* Abort an async command if it is running, without issuing
|
|
|
|
* any errors or affecting errno. Designed for error paths
|
|
|
|
* where some but not all paths to the cleanup code might
|
|
|
|
* have started the child process.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandAbort(virCommandPtr cmd)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->pid == -1)
|
|
|
|
return;
|
2012-09-24 16:59:31 +00:00
|
|
|
virProcessAbort(cmd->pid);
|
2011-03-22 22:22:37 +00:00
|
|
|
cmd->pid = -1;
|
|
|
|
cmd->reap = false;
|
|
|
|
}
|
2011-03-28 20:12:15 +00:00
|
|
|
#else /* WIN32 */
|
|
|
|
void
|
|
|
|
virCommandAbort(virCommandPtr cmd ATTRIBUTE_UNUSED)
|
|
|
|
{
|
|
|
|
/* Mingw lacks WNOHANG and kill(). But since we haven't ported
|
2013-01-29 18:30:53 +00:00
|
|
|
* virExec to mingw yet, there's no process to be killed,
|
2011-03-28 20:12:15 +00:00
|
|
|
* making this implementation trivially correct for now :) */
|
|
|
|
}
|
|
|
|
#endif
|
2011-03-22 22:22:37 +00:00
|
|
|
|
2010-11-22 13:31:35 +00:00
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandRequireHandshake:
|
|
|
|
* @cmd: command to modify
|
|
|
|
*
|
|
|
|
* Request that the child perform a handshake with
|
|
|
|
* the parent when the hook function has completed
|
|
|
|
* execution. The child will not exec() until the
|
|
|
|
* parent has notified
|
|
|
|
*/
|
2010-11-22 13:31:35 +00:00
|
|
|
void virCommandRequireHandshake(virCommandPtr cmd)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (cmd->handshake) {
|
|
|
|
cmd->has_error = -1;
|
|
|
|
VIR_DEBUG("Cannot require handshake twice");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2011-07-12 20:56:03 +00:00
|
|
|
if (pipe2(cmd->handshakeWait, O_CLOEXEC) < 0) {
|
2010-11-22 13:31:35 +00:00
|
|
|
cmd->has_error = errno;
|
|
|
|
return;
|
|
|
|
}
|
2011-07-12 20:56:03 +00:00
|
|
|
if (pipe2(cmd->handshakeNotify, O_CLOEXEC) < 0) {
|
2010-11-22 13:31:35 +00:00
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeWait[0]);
|
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeWait[1]);
|
|
|
|
cmd->has_error = errno;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2012-05-30 12:17:26 +00:00
|
|
|
VIR_DEBUG("Transfer handshake wait=%d notify=%d, "
|
|
|
|
"keep handshake wait=%d notify=%d",
|
|
|
|
cmd->handshakeWait[1], cmd->handshakeNotify[0],
|
|
|
|
cmd->handshakeWait[0], cmd->handshakeNotify[1]);
|
2013-07-11 10:31:56 +00:00
|
|
|
virCommandPassFD(cmd, cmd->handshakeWait[1],
|
|
|
|
VIR_COMMAND_PASS_FD_CLOSE_PARENT);
|
|
|
|
virCommandPassFD(cmd, cmd->handshakeNotify[0],
|
|
|
|
VIR_COMMAND_PASS_FD_CLOSE_PARENT);
|
2010-11-22 13:31:35 +00:00
|
|
|
cmd->handshake = true;
|
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandHandshakeWait:
|
|
|
|
* @cmd: command to wait on
|
|
|
|
*
|
|
|
|
* Wait for the child to complete execution of its
|
|
|
|
* hook function. To be called in the parent.
|
|
|
|
*/
|
2010-11-22 13:31:35 +00:00
|
|
|
int virCommandHandshakeWait(virCommandPtr cmd)
|
|
|
|
{
|
|
|
|
char c;
|
|
|
|
int rv;
|
|
|
|
if (!cmd ||cmd->has_error == ENOMEM) {
|
|
|
|
virReportOOMError();
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
if (cmd->has_error || !cmd->handshake) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("invalid use of command API"));
|
2010-11-22 13:31:35 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (cmd->handshakeWait[0] == -1) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("Handshake is already complete"));
|
2010-11-22 13:31:35 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
VIR_DEBUG("Wait for handshake on %d", cmd->handshakeWait[0]);
|
|
|
|
if ((rv = saferead(cmd->handshakeWait[0], &c, sizeof(c))) != sizeof(c)) {
|
|
|
|
if (rv < 0)
|
2012-06-04 22:32:43 +00:00
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("Unable to wait for child process"));
|
2010-11-22 13:31:35 +00:00
|
|
|
else
|
2012-06-04 22:32:43 +00:00
|
|
|
virReportSystemError(EIO, "%s",
|
|
|
|
_("Child quit during startup handshake"));
|
2010-11-22 13:31:35 +00:00
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeWait[0]);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
if (c != '1') {
|
|
|
|
char *msg;
|
|
|
|
ssize_t len;
|
|
|
|
if (VIR_ALLOC_N(msg, 1024) < 0) {
|
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeWait[0]);
|
|
|
|
return -1;
|
|
|
|
}
|
2012-05-26 02:17:01 +00:00
|
|
|
/* Close the handshakeNotify fd before trying to read anything
|
|
|
|
* further on the handshakeWait pipe; so that a child waiting
|
|
|
|
* on our acknowledgment will die rather than deadlock. */
|
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeNotify[1]);
|
|
|
|
|
2010-11-22 13:31:35 +00:00
|
|
|
if ((len = saferead(cmd->handshakeWait[0], msg, 1024)) < 0) {
|
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeWait[0]);
|
|
|
|
VIR_FREE(msg);
|
2012-06-04 22:32:43 +00:00
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("No error message from child failure"));
|
2010-11-22 13:31:35 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeWait[0]);
|
|
|
|
msg[len-1] = '\0';
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", msg);
|
2010-11-22 13:31:35 +00:00
|
|
|
VIR_FREE(msg);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeWait[0]);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandHandshakeNotify:
|
|
|
|
* @cmd: command to resume
|
|
|
|
*
|
|
|
|
* Notify the child that it is OK to exec() the
|
|
|
|
* real binary now. To be called in the parent.
|
|
|
|
*/
|
2010-11-22 13:31:35 +00:00
|
|
|
int virCommandHandshakeNotify(virCommandPtr cmd)
|
|
|
|
{
|
|
|
|
char c = '1';
|
|
|
|
if (!cmd ||cmd->has_error == ENOMEM) {
|
|
|
|
virReportOOMError();
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
if (cmd->has_error || !cmd->handshake) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("invalid use of command API"));
|
2010-11-22 13:31:35 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (cmd->handshakeNotify[1] == -1) {
|
2012-07-18 10:26:24 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("Handshake is already complete"));
|
2010-11-22 13:31:35 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2012-05-30 13:36:12 +00:00
|
|
|
VIR_DEBUG("Notify handshake on %d", cmd->handshakeNotify[1]);
|
2010-11-22 13:31:35 +00:00
|
|
|
if (safewrite(cmd->handshakeNotify[1], &c, sizeof(c)) != sizeof(c)) {
|
|
|
|
virReportSystemError(errno, "%s", _("Unable to notify child process"));
|
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeNotify[1]);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeNotify[1]);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-14 19:47:25 +00:00
|
|
|
/**
|
|
|
|
* virCommandFree:
|
|
|
|
* @cmd: optional command to free
|
|
|
|
*
|
2011-07-12 16:42:41 +00:00
|
|
|
* Release all resources. The only exception is that if you called
|
|
|
|
* virCommandRunAsync with a non-null pid, then the asynchronous child
|
2012-09-24 16:59:31 +00:00
|
|
|
* is not reaped, and you must call virProcessWait() or virProcessAbort() yourself.
|
2010-05-25 11:14:06 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandFree(virCommandPtr cmd)
|
|
|
|
{
|
Convert 'int i' to 'size_t i' in src/util/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 14:09:33 +00:00
|
|
|
size_t i;
|
2010-05-25 11:14:06 +00:00
|
|
|
if (!cmd)
|
|
|
|
return;
|
|
|
|
|
2013-07-11 10:31:56 +00:00
|
|
|
for (i = 0; i < cmd->npassfd; i++) {
|
|
|
|
if (cmd->passfd[i].flags & VIR_COMMAND_PASS_FD_CLOSE_PARENT)
|
|
|
|
VIR_FORCE_CLOSE(cmd->passfd[i].fd);
|
2010-05-25 11:14:06 +00:00
|
|
|
}
|
2013-07-11 10:31:56 +00:00
|
|
|
cmd->npassfd = 0;
|
|
|
|
VIR_FREE(cmd->passfd);
|
2010-05-25 11:14:06 +00:00
|
|
|
|
2013-02-08 14:17:44 +00:00
|
|
|
if (cmd->asyncioThread) {
|
|
|
|
virThreadJoin(cmd->asyncioThread);
|
|
|
|
VIR_FREE(cmd->asyncioThread);
|
|
|
|
}
|
2010-12-10 15:56:30 +00:00
|
|
|
VIR_FREE(cmd->inbuf);
|
2010-05-25 11:14:06 +00:00
|
|
|
VIR_FORCE_CLOSE(cmd->outfd);
|
|
|
|
VIR_FORCE_CLOSE(cmd->errfd);
|
|
|
|
|
2013-05-21 07:58:16 +00:00
|
|
|
for (i = 0; i < cmd->nargs; i++)
|
2010-05-25 11:14:06 +00:00
|
|
|
VIR_FREE(cmd->args[i]);
|
|
|
|
VIR_FREE(cmd->args);
|
|
|
|
|
2013-05-21 07:58:16 +00:00
|
|
|
for (i = 0; i < cmd->nenv; i++)
|
2010-05-25 11:14:06 +00:00
|
|
|
VIR_FREE(cmd->env[i]);
|
|
|
|
VIR_FREE(cmd->env);
|
|
|
|
|
|
|
|
VIR_FREE(cmd->pwd);
|
|
|
|
|
2010-11-22 13:31:35 +00:00
|
|
|
if (cmd->handshake) {
|
|
|
|
/* The other 2 fds in these arrays are closed
|
2013-07-11 10:31:56 +00:00
|
|
|
* due to use with virCommandPassFD
|
2010-11-22 13:31:35 +00:00
|
|
|
*/
|
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeWait[0]);
|
|
|
|
VIR_FORCE_CLOSE(cmd->handshakeNotify[1]);
|
|
|
|
}
|
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
VIR_FREE(cmd->pidfile);
|
|
|
|
|
2011-03-22 22:22:37 +00:00
|
|
|
if (cmd->reap)
|
|
|
|
virCommandAbort(cmd);
|
|
|
|
|
2013-02-01 19:32:37 +00:00
|
|
|
#if defined(WITH_SECDRIVER_SELINUX)
|
|
|
|
VIR_FREE(cmd->seLinuxLabel);
|
|
|
|
#endif
|
|
|
|
#if defined(WITH_SECDRIVER_APPARMOR)
|
|
|
|
VIR_FREE(cmd->appArmorProfile);
|
|
|
|
#endif
|
2012-01-03 10:29:07 +00:00
|
|
|
|
2010-05-25 11:14:06 +00:00
|
|
|
VIR_FREE(cmd);
|
|
|
|
}
|
2013-01-16 10:33:17 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* virCommandDoAsyncIO:
|
|
|
|
* @cmd: command to do async IO on
|
|
|
|
*
|
|
|
|
* This requests asynchronous string IO on @cmd. It is useful in
|
|
|
|
* combination with virCommandRunAsync():
|
|
|
|
*
|
|
|
|
* virCommandPtr cmd = virCommandNew*(...);
|
|
|
|
* char *buf = NULL;
|
|
|
|
*
|
|
|
|
* ...
|
|
|
|
*
|
|
|
|
* virCommandSetOutputBuffer(cmd, &buf);
|
|
|
|
* virCommandDoAsyncIO(cmd);
|
|
|
|
*
|
|
|
|
* if (virCommandRunAsync(cmd, NULL) < 0)
|
|
|
|
* goto cleanup;
|
|
|
|
*
|
|
|
|
* ...
|
|
|
|
*
|
|
|
|
* if (virCommandWait(cmd, NULL) < 0)
|
|
|
|
* goto cleanup;
|
|
|
|
*
|
|
|
|
* // @buf now contains @cmd's stdout
|
|
|
|
* VIR_DEBUG("STDOUT: %s", NULLSTR(buf));
|
|
|
|
*
|
|
|
|
* ...
|
|
|
|
*
|
|
|
|
* cleanup:
|
|
|
|
* VIR_FREE(buf);
|
|
|
|
* virCommandFree(cmd);
|
|
|
|
*
|
|
|
|
* The libvirt's event loop is used for handling stdios of @cmd.
|
|
|
|
* Since current implementation uses strlen to determine length
|
|
|
|
* of data to be written to @cmd's stdin, don't pass any binary
|
|
|
|
* data. If you want to re-run command, you need to call this and
|
|
|
|
* buffer setting functions (virCommandSet.*Buffer) prior each run.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virCommandDoAsyncIO(virCommandPtr cmd)
|
|
|
|
{
|
|
|
|
if (!cmd || cmd->has_error)
|
|
|
|
return;
|
|
|
|
|
|
|
|
cmd->flags |= VIR_EXEC_ASYNC_IO | VIR_EXEC_NONBLOCK;
|
|
|
|
}
|
2014-01-28 18:18:43 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* virCommandSetDryRun:
|
|
|
|
* @buf: buffer to store stringified commands
|
2014-03-07 11:39:48 +00:00
|
|
|
* @callback: callback to process input/output/args
|
2014-01-28 18:18:43 +00:00
|
|
|
*
|
|
|
|
* Sometimes it's desired to not actually run given command, but
|
|
|
|
* see its string representation without having to change the
|
|
|
|
* callee. Unit testing serves as a great example. In such cases,
|
|
|
|
* the callee constructs the command and calls it via
|
|
|
|
* virCommandRun* API. The virCommandSetDryRun allows you to
|
|
|
|
* modify this behavior: once called, every call to
|
|
|
|
* virCommandRun* results in command string representation being
|
2014-03-07 11:39:48 +00:00
|
|
|
* appended to @buf instead of being executed. If @callback is
|
|
|
|
* provided, then it is invoked with the argv, env and stdin
|
|
|
|
* data string for the command. It is expected to fill the stdout
|
|
|
|
* and stderr data strings and exit status variables.
|
|
|
|
*
|
|
|
|
* The strings stored in @buf are escaped for a shell and
|
|
|
|
* separated by a newline. For example:
|
2014-01-28 18:18:43 +00:00
|
|
|
*
|
|
|
|
* virBuffer buffer = VIR_BUFFER_INITIALIZER;
|
|
|
|
* virCommandSetDryRun(&buffer);
|
|
|
|
*
|
|
|
|
* virCommandPtr echocmd = virCommandNewArgList("/bin/echo", "Hello world", NULL);
|
|
|
|
* virCommandRun(echocmd, NULL);
|
|
|
|
*
|
|
|
|
* After this, the @buffer should contain:
|
|
|
|
*
|
|
|
|
* /bin/echo 'Hello world'\n
|
|
|
|
*
|
2014-03-07 11:39:48 +00:00
|
|
|
* To cancel this effect pass NULL for @buf and @callback.
|
2014-01-28 18:18:43 +00:00
|
|
|
*/
|
|
|
|
void
|
2014-03-07 11:39:48 +00:00
|
|
|
virCommandSetDryRun(virBufferPtr buf,
|
|
|
|
virCommandDryRunCallback cb,
|
|
|
|
void *opaque)
|
2014-01-28 18:18:43 +00:00
|
|
|
{
|
|
|
|
dryRunBuffer = buf;
|
2014-03-07 11:39:48 +00:00
|
|
|
dryRunCallback = cb;
|
|
|
|
dryRunOpaque = opaque;
|
2014-01-28 18:18:43 +00:00
|
|
|
}
|
2014-03-18 14:35:01 +00:00
|
|
|
|
|
|
|
#ifndef WIN32
|
|
|
|
/*
|
|
|
|
* Run an external program.
|
|
|
|
*
|
|
|
|
* Read its output and apply a series of regexes to each line
|
|
|
|
* When the entire set of regexes has matched consecutively
|
|
|
|
* then run a callback passing in all the matches
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
virCommandRunRegex(virCommandPtr cmd,
|
|
|
|
int nregex,
|
|
|
|
const char **regex,
|
|
|
|
int *nvars,
|
|
|
|
virCommandRunRegexFunc func,
|
|
|
|
void *data,
|
|
|
|
const char *prefix)
|
|
|
|
{
|
2014-03-19 12:16:13 +00:00
|
|
|
int err;
|
2014-03-18 14:35:01 +00:00
|
|
|
regex_t *reg;
|
|
|
|
regmatch_t *vars = NULL;
|
2014-03-19 12:16:13 +00:00
|
|
|
size_t i, j, k;
|
2014-03-18 14:35:01 +00:00
|
|
|
int totgroups = 0, ngroup = 0, maxvars = 0;
|
|
|
|
char **groups;
|
2014-03-19 12:16:13 +00:00
|
|
|
char *outbuf = NULL;
|
|
|
|
char **lines = NULL;
|
|
|
|
int ret = -1;
|
2014-03-18 14:35:01 +00:00
|
|
|
|
|
|
|
/* Compile all regular expressions */
|
|
|
|
if (VIR_ALLOC_N(reg, nregex) < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
for (i = 0; i < nregex; i++) {
|
|
|
|
err = regcomp(®[i], regex[i], REG_EXTENDED);
|
|
|
|
if (err != 0) {
|
|
|
|
char error[100];
|
|
|
|
regerror(err, ®[i], error, sizeof(error));
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
_("Failed to compile regex %s"), error);
|
|
|
|
for (j = 0; j < i; j++)
|
|
|
|
regfree(®[j]);
|
|
|
|
VIR_FREE(reg);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
totgroups += nvars[i];
|
|
|
|
if (nvars[i] > maxvars)
|
|
|
|
maxvars = nvars[i];
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Storage for matched variables */
|
|
|
|
if (VIR_ALLOC_N(groups, totgroups) < 0)
|
|
|
|
goto cleanup;
|
|
|
|
if (VIR_ALLOC_N(vars, maxvars+1) < 0)
|
|
|
|
goto cleanup;
|
|
|
|
|
2014-03-19 12:16:13 +00:00
|
|
|
virCommandSetOutputBuffer(cmd, &outbuf);
|
|
|
|
if (virCommandRun(cmd, NULL) < 0)
|
2014-03-18 14:35:01 +00:00
|
|
|
goto cleanup;
|
|
|
|
|
2014-03-19 12:16:13 +00:00
|
|
|
if (!outbuf) {
|
|
|
|
/* no output */
|
|
|
|
ret = 0;
|
2014-03-18 14:35:01 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
2014-03-19 12:16:13 +00:00
|
|
|
if (!(lines = virStringSplit(outbuf, "\n", 0)))
|
|
|
|
goto cleanup;
|
|
|
|
|
|
|
|
for (k = 0; lines[k]; k++) {
|
2014-03-20 12:14:11 +00:00
|
|
|
const char *p = NULL;
|
2014-03-18 14:35:01 +00:00
|
|
|
|
|
|
|
/* ignore any command prefix */
|
|
|
|
if (prefix)
|
2014-03-19 12:16:13 +00:00
|
|
|
p = STRSKIP(lines[k], prefix);
|
2014-03-18 14:35:01 +00:00
|
|
|
if (!p)
|
2014-03-19 12:16:13 +00:00
|
|
|
p = lines[k];
|
2014-03-18 14:35:01 +00:00
|
|
|
|
2014-03-20 12:05:13 +00:00
|
|
|
ngroup = 0;
|
2014-03-20 11:56:58 +00:00
|
|
|
for (i = 0; i < nregex; i++) {
|
|
|
|
if (regexec(®[i], p, nvars[i]+1, vars, 0) != 0)
|
|
|
|
break;
|
2014-03-18 14:35:01 +00:00
|
|
|
|
2014-03-20 12:20:08 +00:00
|
|
|
/* NB vars[0] is the full pattern, so we offset j by 1 */
|
|
|
|
for (j = 1; j <= nvars[i]; j++) {
|
|
|
|
if (VIR_STRNDUP(groups[ngroup++], p + vars[j].rm_so,
|
|
|
|
vars[j].rm_eo - vars[j].rm_so) < 0)
|
2014-03-20 11:56:58 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
2014-03-18 14:35:01 +00:00
|
|
|
|
2014-03-20 12:05:13 +00:00
|
|
|
}
|
|
|
|
/* We've matched on the last regex, so callback time */
|
|
|
|
if (i == nregex) {
|
|
|
|
if (((*func)(groups, data)) < 0)
|
|
|
|
goto cleanup;
|
2014-03-18 14:35:01 +00:00
|
|
|
}
|
2014-03-20 12:08:49 +00:00
|
|
|
|
|
|
|
for (j = 0; j < ngroup; j++)
|
|
|
|
VIR_FREE(groups[j]);
|
2014-03-18 14:35:01 +00:00
|
|
|
}
|
|
|
|
|
2014-03-19 12:16:13 +00:00
|
|
|
ret = 0;
|
2014-03-25 06:53:22 +00:00
|
|
|
cleanup:
|
2014-03-19 12:16:13 +00:00
|
|
|
virStringFreeList(lines);
|
|
|
|
VIR_FREE(outbuf);
|
2014-03-18 14:35:01 +00:00
|
|
|
if (groups) {
|
|
|
|
for (j = 0; j < totgroups; j++)
|
|
|
|
VIR_FREE(groups[j]);
|
|
|
|
VIR_FREE(groups);
|
|
|
|
}
|
|
|
|
VIR_FREE(vars);
|
|
|
|
|
|
|
|
for (i = 0; i < nregex; i++)
|
|
|
|
regfree(®[i]);
|
|
|
|
|
|
|
|
VIR_FREE(reg);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Run an external program and read from its standard output
|
|
|
|
* a stream of tokens from IN_STREAM, applying FUNC to
|
|
|
|
* each successive sequence of N_COLUMNS tokens.
|
|
|
|
* If FUNC returns < 0, stop processing input and return -1.
|
|
|
|
* Return -1 if N_COLUMNS == 0.
|
|
|
|
* Return -1 upon memory allocation error.
|
|
|
|
* If the number of input tokens is not a multiple of N_COLUMNS,
|
|
|
|
* then the final FUNC call will specify a number smaller than N_COLUMNS.
|
|
|
|
* If there are no input tokens (empty input), call FUNC with N_COLUMNS == 0.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
virCommandRunNul(virCommandPtr cmd,
|
|
|
|
size_t n_columns,
|
|
|
|
virCommandRunNulFunc func,
|
|
|
|
void *data)
|
|
|
|
{
|
|
|
|
size_t n_tok = 0;
|
|
|
|
int fd = -1;
|
|
|
|
FILE *fp = NULL;
|
|
|
|
char **v;
|
|
|
|
int ret = -1;
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
if (n_columns == 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
if (VIR_ALLOC_N(v, n_columns) < 0)
|
|
|
|
return -1;
|
|
|
|
for (i = 0; i < n_columns; i++)
|
|
|
|
v[i] = NULL;
|
|
|
|
|
|
|
|
virCommandSetOutputFD(cmd, &fd);
|
|
|
|
if (virCommandRunAsync(cmd, NULL) < 0) {
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((fp = VIR_FDOPEN(fd, "r")) == NULL) {
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
"%s", _("cannot open file using fd"));
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
while (1) {
|
|
|
|
char *buf = NULL;
|
|
|
|
size_t buf_len = 0;
|
|
|
|
/* Be careful: even when it returns -1,
|
|
|
|
this use of getdelim allocates memory. */
|
|
|
|
ssize_t tok_len = getdelim(&buf, &buf_len, 0, fp);
|
|
|
|
v[n_tok] = buf;
|
|
|
|
if (tok_len < 0) {
|
|
|
|
/* Maybe EOF, maybe an error.
|
|
|
|
If n_tok > 0, then we know it's an error. */
|
|
|
|
if (n_tok && func(n_tok, v, data) < 0)
|
|
|
|
goto cleanup;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
++n_tok;
|
|
|
|
if (n_tok == n_columns) {
|
|
|
|
if (func(n_tok, v, data) < 0)
|
|
|
|
goto cleanup;
|
|
|
|
n_tok = 0;
|
|
|
|
for (i = 0; i < n_columns; i++) {
|
|
|
|
VIR_FREE(v[i]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (feof(fp) < 0) {
|
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("read error on pipe"));
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = virCommandWait(cmd, NULL);
|
|
|
|
cleanup:
|
|
|
|
for (i = 0; i < n_columns; i++)
|
|
|
|
VIR_FREE(v[i]);
|
|
|
|
VIR_FREE(v);
|
|
|
|
|
|
|
|
VIR_FORCE_FCLOSE(fp);
|
|
|
|
VIR_FORCE_CLOSE(fd);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
#else /* WIN32 */
|
|
|
|
|
|
|
|
int
|
|
|
|
virCommandRunRegex(virCommandPtr cmd ATTRIBUTE_UNUSED,
|
|
|
|
int nregex ATTRIBUTE_UNUSED,
|
|
|
|
const char **regex ATTRIBUTE_UNUSED,
|
|
|
|
int *nvars ATTRIBUTE_UNUSED,
|
|
|
|
virCommandRunRegexFunc func ATTRIBUTE_UNUSED,
|
|
|
|
void *data ATTRIBUTE_UNUSED,
|
|
|
|
const char *prefix ATTRIBUTE_UNUSED)
|
|
|
|
{
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
_("%s not implemented on Win32"), __FUNCTION__);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
virCommandRunNul(virCommandPtr cmd ATTRIBUTE_UNUSED,
|
|
|
|
size_t n_columns ATTRIBUTE_UNUSED,
|
|
|
|
virCommandRunNulFunc func ATTRIBUTE_UNUSED,
|
|
|
|
void *data ATTRIBUTE_UNUSED)
|
|
|
|
{
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
_("%s not implemented on Win32"), __FUNCTION__);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
#endif /* WIN32 */
|