1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2012, Joyent Inc. All rights reserved.
25 */
26
27 /*
28 * zoneadmd manages zones; one zoneadmd process is launched for each
29 * non-global zone on the system. This daemon juggles four jobs:
30 *
31 * - Implement setup and teardown of the zone "virtual platform": mount and
32 * unmount filesystems; create and destroy network interfaces; communicate
33 * with devfsadmd to lay out devices for the zone; instantiate the zone
34 * console device; configure process runtime attributes such as resource
35 * controls, pool bindings, fine-grained privileges.
36 *
37 * - Launch the zone's init(1M) process.
38 *
39 * - Implement a door server; clients (like zoneadm) connect to the door
40 * server and request zone state changes. The kernel is also a client of
41 * this door server. A request to halt or reboot the zone which originates
42 * *inside* the zone results in a door upcall from the kernel into zoneadmd.
43 *
44 * One minor problem is that messages emitted by zoneadmd need to be passed
45 * back to the zoneadm process making the request. These messages need to
46 * be rendered in the client's locale; so, this is passed in as part of the
47 * request. The exception is the kernel upcall to zoneadmd, in which case
48 * messages are syslog'd.
49 *
50 * To make all of this work, the Makefile adds -a to xgettext to extract *all*
51 * strings, and an exclusion file (zoneadmd.xcl) is used to exclude those
52 * strings which do not need to be translated.
53 *
54 * - Act as a console server for zlogin -C processes; see comments in zcons.c
55 * for more information about the zone console architecture.
56 *
57 * DESIGN NOTES
58 *
59 * Restart:
60 * A chief design constraint of zoneadmd is that it should be restartable in
61 * the case that the administrator kills it off, or it suffers a fatal error,
62 * without the running zone being impacted; this is akin to being able to
63 * reboot the service processor of a server without affecting the OS instance.
64 */
65
66 #include <sys/param.h>
67 #include <sys/mman.h>
68 #include <sys/types.h>
69 #include <sys/stat.h>
70 #include <sys/sysmacros.h>
71
72 #include <bsm/adt.h>
73 #include <bsm/adt_event.h>
74
75 #include <alloca.h>
76 #include <assert.h>
77 #include <errno.h>
78 #include <door.h>
79 #include <fcntl.h>
80 #include <locale.h>
81 #include <signal.h>
82 #include <stdarg.h>
83 #include <stdio.h>
84 #include <stdlib.h>
85 #include <string.h>
86 #include <strings.h>
87 #include <synch.h>
88 #include <syslog.h>
89 #include <thread.h>
90 #include <unistd.h>
91 #include <wait.h>
92 #include <limits.h>
93 #include <zone.h>
94 #include <libbrand.h>
95 #include <sys/brand.h>
96 #include <libcontract.h>
97 #include <libcontract_priv.h>
98 #include <sys/brand.h>
99 #include <sys/contract/process.h>
100 #include <sys/ctfs.h>
101 #include <libdladm.h>
102 #include <sys/dls_mgmt.h>
103
104 #include <libzonecfg.h>
105 #include <zonestat_impl.h>
106 #include "zoneadmd.h"
107
108 static char *progname;
109 char *zone_name; /* zone which we are managing */
110 zone_dochandle_t snap_hndl; /* handle for snapshot created when ready */
111 char pool_name[MAXNAMELEN];
112 char default_brand[MAXNAMELEN];
113 char brand_name[MAXNAMELEN];
114 boolean_t zone_isnative;
115 boolean_t zone_iscluster;
116 boolean_t zone_islabeled;
117 static zoneid_t zone_id;
118 static zoneid_t zone_did = 0;
119 dladm_handle_t dld_handle = NULL;
120
121 char pre_statechg_hook[2 * MAXPATHLEN];
122 char post_statechg_hook[2 * MAXPATHLEN];
123 char query_hook[2 * MAXPATHLEN];
124
125 zlog_t logsys;
126
127 mutex_t lock = DEFAULTMUTEX; /* to serialize stuff */
128 mutex_t msglock = DEFAULTMUTEX; /* for calling setlocale() */
129
130 static sema_t scratch_sem; /* for scratch zones */
131
132 static char zone_door_path[MAXPATHLEN];
133 static int zone_door = -1;
134
135 boolean_t in_death_throes = B_FALSE; /* daemon is dying */
136 boolean_t bringup_failure_recovery = B_FALSE; /* ignore certain failures */
137
138 #if !defined(TEXT_DOMAIN) /* should be defined by cc -D */
139 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */
140 #endif
141
142 #define DEFAULT_LOCALE "C"
143
144 #define RSRC_NET "net"
145 #define RSRC_DEV "device"
146
147 static const char *
148 z_cmd_name(zone_cmd_t zcmd)
149 {
150 /* This list needs to match the enum in sys/zone.h */
151 static const char *zcmdstr[] = {
152 "ready", "boot", "forceboot", "reboot", "halt",
153 "note_uninstalling", "mount", "forcemount", "unmount"
154 };
155
156 if (zcmd >= sizeof (zcmdstr) / sizeof (*zcmdstr))
157 return ("unknown");
158 else
159 return (zcmdstr[(int)zcmd]);
160 }
161
162 static char *
163 get_execbasename(char *execfullname)
164 {
165 char *last_slash, *execbasename;
166
167 /* guard against '/' at end of command invocation */
168 for (;;) {
169 last_slash = strrchr(execfullname, '/');
170 if (last_slash == NULL) {
171 execbasename = execfullname;
172 break;
173 } else {
174 execbasename = last_slash + 1;
175 if (*execbasename == '\0') {
176 *last_slash = '\0';
177 continue;
178 }
179 break;
180 }
181 }
182 return (execbasename);
183 }
184
185 static void
186 usage(void)
187 {
188 (void) fprintf(stderr, gettext("Usage: %s -z zonename\n"), progname);
189 (void) fprintf(stderr,
190 gettext("\tNote: %s should not be run directly.\n"), progname);
191 exit(2);
192 }
193
194 /* ARGSUSED */
195 static void
196 sigchld(int sig)
197 {
198 }
199
200 char *
201 localize_msg(char *locale, const char *msg)
202 {
203 char *out;
204
205 (void) mutex_lock(&msglock);
206 (void) setlocale(LC_MESSAGES, locale);
207 out = gettext(msg);
208 (void) setlocale(LC_MESSAGES, DEFAULT_LOCALE);
209 (void) mutex_unlock(&msglock);
210 return (out);
211 }
212
213 /* PRINTFLIKE3 */
214 void
215 zerror(zlog_t *zlogp, boolean_t use_strerror, const char *fmt, ...)
216 {
217 va_list alist;
218 char buf[MAXPATHLEN * 2]; /* enough space for err msg with a path */
219 char *bp;
220 int saved_errno = errno;
221
222 if (zlogp == NULL)
223 return;
224 if (zlogp == &logsys)
225 (void) snprintf(buf, sizeof (buf), "[zone '%s'] ",
226 zone_name);
227 else
228 buf[0] = '\0';
229 bp = &(buf[strlen(buf)]);
230
231 /*
232 * In theory, the locale pointer should be set to either "C" or a
233 * char array, so it should never be NULL
234 */
235 assert(zlogp->locale != NULL);
236 /* Locale is per process, but we are multi-threaded... */
237 fmt = localize_msg(zlogp->locale, fmt);
238
239 va_start(alist, fmt);
240 (void) vsnprintf(bp, sizeof (buf) - (bp - buf), fmt, alist);
241 va_end(alist);
242 bp = &(buf[strlen(buf)]);
243 if (use_strerror)
244 (void) snprintf(bp, sizeof (buf) - (bp - buf), ": %s",
245 strerror(saved_errno));
246 if (zlogp == &logsys) {
247 (void) syslog(LOG_ERR, "%s", buf);
248 } else if (zlogp->logfile != NULL) {
249 (void) fprintf(zlogp->logfile, "%s\n", buf);
250 } else {
251 size_t buflen;
252 size_t copylen;
253
254 buflen = snprintf(zlogp->log, zlogp->loglen, "%s\n", buf);
255 copylen = MIN(buflen, zlogp->loglen);
256 zlogp->log += copylen;
257 zlogp->loglen -= copylen;
258 }
259 }
260
261 /*
262 * Emit a warning for any boot arguments which are unrecognized. Since
263 * Solaris boot arguments are getopt(3c) compatible (see kernel(1m)), we
264 * put the arguments into an argv style array, use getopt to process them,
265 * and put the resultant argument string back into outargs.
266 *
267 * During the filtering, we pull out any arguments which are truly "boot"
268 * arguments, leaving only those which are to be passed intact to the
269 * progenitor process. The one we support at the moment is -i, which
270 * indicates to the kernel which program should be launched as 'init'.
271 *
272 * A return of Z_INVAL indicates specifically that the arguments are
273 * not valid; this is a non-fatal error. Except for Z_OK, all other return
274 * values are treated as fatal.
275 */
276 static int
277 filter_bootargs(zlog_t *zlogp, const char *inargs, char *outargs,
278 char *init_file, char *badarg)
279 {
280 int argc = 0, argc_save;
281 int i;
282 int err = Z_OK;
283 char *arg, *lasts, **argv = NULL, **argv_save;
284 char zonecfg_args[BOOTARGS_MAX];
285 char scratchargs[BOOTARGS_MAX], *sargs;
286 char c;
287
288 bzero(outargs, BOOTARGS_MAX);
289 bzero(badarg, BOOTARGS_MAX);
290
291 /*
292 * If the user didn't specify transient boot arguments, check
293 * to see if there were any specified in the zone configuration,
294 * and use them if applicable.
295 */
296 if (inargs == NULL || inargs[0] == '\0') {
297 bzero(zonecfg_args, sizeof (zonecfg_args));
298 (void) zonecfg_get_bootargs(snap_hndl, zonecfg_args,
299 sizeof (zonecfg_args));
300 inargs = zonecfg_args;
301 }
302
303 if (strlen(inargs) >= BOOTARGS_MAX) {
304 zerror(zlogp, B_FALSE, "boot argument string too long");
305 return (Z_INVAL);
306 }
307
308 (void) strlcpy(scratchargs, inargs, sizeof (scratchargs));
309 sargs = scratchargs;
310 while ((arg = strtok_r(sargs, " \t", &lasts)) != NULL) {
311 sargs = NULL;
312 argc++;
313 }
314
315 if ((argv = calloc(argc + 1, sizeof (char *))) == NULL) {
316 zerror(zlogp, B_FALSE, "memory allocation failed");
317 return (Z_NOMEM);
318 }
319
320 argv_save = argv;
321 argc_save = argc;
322
323 (void) strlcpy(scratchargs, inargs, sizeof (scratchargs));
324 sargs = scratchargs;
325 i = 0;
326 while ((arg = strtok_r(sargs, " \t", &lasts)) != NULL) {
327 sargs = NULL;
328 if ((argv[i] = strdup(arg)) == NULL) {
329 err = Z_NOMEM;
330 zerror(zlogp, B_FALSE, "memory allocation failed");
331 goto done;
332 }
333 i++;
334 }
335
336 /*
337 * We preserve compatibility with the Solaris system boot behavior,
338 * which allows:
339 *
340 * # reboot kernel/unix -s -m verbose
341 *
342 * In this example, kernel/unix tells the booter what file to
343 * boot. We don't want reboot in a zone to be gratuitously different,
344 * so we silently ignore the boot file, if necessary.
345 */
346 if (argv[0] == NULL)
347 goto done;
348
349 assert(argv[0][0] != ' ');
350 assert(argv[0][0] != '\t');
351
352 if (argv[0][0] != '-' && argv[0][0] != '\0') {
353 argv = &argv[1];
354 argc--;
355 }
356
357 optind = 0;
358 opterr = 0;
359 err = Z_OK;
360 while ((c = getopt(argc, argv, "fi:m:s")) != -1) {
361 switch (c) {
362 case 'i':
363 /*
364 * -i is handled by the runtime and is not passed
365 * along to userland
366 */
367 (void) strlcpy(init_file, optarg, MAXPATHLEN);
368 break;
369 case 'f':
370 /* This has already been processed by zoneadm */
371 break;
372 case 'm':
373 case 's':
374 /* These pass through unmolested */
375 (void) snprintf(outargs, BOOTARGS_MAX,
376 "%s -%c %s ", outargs, c, optarg ? optarg : "");
377 break;
378 case '?':
379 /*
380 * We warn about unknown arguments but pass them
381 * along anyway-- if someone wants to develop their
382 * own init replacement, they can pass it whatever
383 * args they want.
384 */
385 err = Z_INVAL;
386 (void) snprintf(outargs, BOOTARGS_MAX,
387 "%s -%c", outargs, optopt);
388 (void) snprintf(badarg, BOOTARGS_MAX,
389 "%s -%c", badarg, optopt);
390 break;
391 }
392 }
393
394 /*
395 * For Solaris Zones we warn about and discard non-option arguments.
396 * Hence 'boot foo bar baz gub' --> 'boot'. However, to be similar
397 * to the kernel, we concat up all the other remaining boot args.
398 * and warn on them as a group.
399 */
400 if (optind < argc) {
401 err = Z_INVAL;
402 while (optind < argc) {
403 (void) snprintf(badarg, BOOTARGS_MAX, "%s%s%s",
404 badarg, strlen(badarg) > 0 ? " " : "",
405 argv[optind]);
406 optind++;
407 }
408 zerror(zlogp, B_FALSE, "WARNING: Unused or invalid boot "
409 "arguments `%s'.", badarg);
410 }
411
412 done:
413 for (i = 0; i < argc_save; i++) {
414 if (argv_save[i] != NULL)
415 free(argv_save[i]);
416 }
417 free(argv_save);
418 return (err);
419 }
420
421
422 static int
423 mkzonedir(zlog_t *zlogp)
424 {
425 struct stat st;
426 /*
427 * We must create and lock everyone but root out of ZONES_TMPDIR
428 * since anyone can open any UNIX domain socket, regardless of
429 * its file system permissions. Sigh...
430 */
431 if (mkdir(ZONES_TMPDIR, S_IRWXU) < 0 && errno != EEXIST) {
432 zerror(zlogp, B_TRUE, "could not mkdir '%s'", ZONES_TMPDIR);
433 return (-1);
434 }
435 /* paranoia */
436 if ((stat(ZONES_TMPDIR, &st) < 0) || !S_ISDIR(st.st_mode)) {
437 zerror(zlogp, B_TRUE, "'%s' is not a directory", ZONES_TMPDIR);
438 return (-1);
439 }
440 (void) chmod(ZONES_TMPDIR, S_IRWXU);
441 return (0);
442 }
443
444 /*
445 * Run the brand's pre-state change callback, if it exists.
446 */
447 static int
448 brand_prestatechg(zlog_t *zlogp, int state, int cmd, boolean_t debug)
449 {
450 char cmdbuf[2 * MAXPATHLEN];
451 const char *altroot;
452
453 if (pre_statechg_hook[0] == '\0')
454 return (0);
455
456 altroot = zonecfg_get_root();
457 if (snprintf(cmdbuf, sizeof (cmdbuf), "%s %d %d %s", pre_statechg_hook,
458 state, cmd, altroot) > sizeof (cmdbuf))
459 return (-1);
460
461 if (do_subproc(zlogp, cmdbuf, NULL, debug) != 0)
462 return (-1);
463
464 return (0);
465 }
466
467 /*
468 * Run the brand's post-state change callback, if it exists.
469 */
470 static int
471 brand_poststatechg(zlog_t *zlogp, int state, int cmd, boolean_t debug)
472 {
473 char cmdbuf[2 * MAXPATHLEN];
474 const char *altroot;
475
476 if (post_statechg_hook[0] == '\0')
477 return (0);
478
479 altroot = zonecfg_get_root();
480 if (snprintf(cmdbuf, sizeof (cmdbuf), "%s %d %d %s", post_statechg_hook,
481 state, cmd, altroot) > sizeof (cmdbuf))
482 return (-1);
483
484 if (do_subproc(zlogp, cmdbuf, NULL, debug) != 0)
485 return (-1);
486
487 return (0);
488 }
489
490 /*
491 * Notify zonestatd of the new zone. If zonestatd is not running, this
492 * will do nothing.
493 */
494 static void
495 notify_zonestatd(zoneid_t zoneid)
496 {
497 int cmd[2];
498 int fd;
499 door_arg_t params;
500
501 fd = open(ZS_DOOR_PATH, O_RDONLY);
502 if (fd < 0)
503 return;
504
505 cmd[0] = ZSD_CMD_NEW_ZONE;
506 cmd[1] = zoneid;
507 params.data_ptr = (char *)&cmd;
508 params.data_size = sizeof (cmd);
509 params.desc_ptr = NULL;
510 params.desc_num = 0;
511 params.rbuf = NULL;
512 params.rsize = NULL;
513 (void) door_call(fd, ¶ms);
514 (void) close(fd);
515 }
516
517 /*
518 * Bring a zone up to the pre-boot "ready" stage. The mount_cmd argument is
519 * 'true' if this is being invoked as part of the processing for the "mount"
520 * subcommand.
521 */
522 static int
523 zone_ready(zlog_t *zlogp, zone_mnt_t mount_cmd, int zstate, boolean_t debug)
524 {
525 int err;
526 boolean_t snapped = B_FALSE;
527
528 if ((snap_hndl = zonecfg_init_handle()) == NULL) {
529 zerror(zlogp, B_TRUE, "getting zone configuration handle");
530 goto bad;
531 }
532 if ((err = zonecfg_create_snapshot(zone_name)) != Z_OK) {
533 zerror(zlogp, B_FALSE, "unable to create snapshot: %s",
534 zonecfg_strerror(err));
535 goto bad;
536 }
537 snapped = B_TRUE;
538
539 if (zonecfg_get_snapshot_handle(zone_name, snap_hndl) != Z_OK) {
540 zerror(zlogp, B_FALSE, "invalid configuration snapshot");
541 goto bad;
542 }
543
544 if (zone_did == 0)
545 zone_did = zone_get_did(zone_name);
546
547 if (brand_prestatechg(zlogp, zstate, Z_READY, debug) != 0)
548 goto bad;
549
550 if ((zone_id = vplat_create(zlogp, mount_cmd, zone_did)) == -1)
551 goto bad;
552
553 if (vplat_bringup(zlogp, mount_cmd, zone_id) != 0) {
554 bringup_failure_recovery = B_TRUE;
555 (void) vplat_teardown(NULL, (mount_cmd != Z_MNT_BOOT), B_FALSE,
556 debug);
557 goto bad;
558 }
559
560 if (brand_poststatechg(zlogp, zstate, Z_READY, debug) != 0)
561 goto bad;
562
563 return (0);
564
565 bad:
566 /*
567 * If something goes wrong, we up the zones's state to the target
568 * state, READY, and then invoke the hook as if we're halting.
569 */
570 (void) brand_poststatechg(zlogp, ZONE_STATE_READY, Z_HALT, debug);
571 if (snapped)
572 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK)
573 zerror(zlogp, B_FALSE, "destroying snapshot: %s",
574 zonecfg_strerror(err));
575 zonecfg_fini_handle(snap_hndl);
576 snap_hndl = NULL;
577 return (-1);
578 }
579
580 int
581 init_template(void)
582 {
583 int fd;
584 int err = 0;
585
586 fd = open64(CTFS_ROOT "/process/template", O_RDWR);
587 if (fd == -1)
588 return (-1);
589
590 /*
591 * For now, zoneadmd doesn't do anything with the contract.
592 * Deliver no events, don't inherit, and allow it to be orphaned.
593 */
594 err |= ct_tmpl_set_critical(fd, 0);
595 err |= ct_tmpl_set_informative(fd, 0);
596 err |= ct_pr_tmpl_set_fatal(fd, CT_PR_EV_HWERR);
597 err |= ct_pr_tmpl_set_param(fd, CT_PR_PGRPONLY | CT_PR_REGENT);
598 if (err || ct_tmpl_activate(fd)) {
599 (void) close(fd);
600 return (-1);
601 }
602
603 return (fd);
604 }
605
606 typedef struct fs_callback {
607 zlog_t *zlogp;
608 zoneid_t zoneid;
609 boolean_t mount_cmd;
610 } fs_callback_t;
611
612 static int
613 mount_early_fs(void *data, const char *spec, const char *dir,
614 const char *fstype, const char *opt)
615 {
616 zlog_t *zlogp = ((fs_callback_t *)data)->zlogp;
617 zoneid_t zoneid = ((fs_callback_t *)data)->zoneid;
618 boolean_t mount_cmd = ((fs_callback_t *)data)->mount_cmd;
619 char rootpath[MAXPATHLEN];
620 pid_t child;
621 int child_status;
622 int tmpl_fd;
623 int rv;
624 ctid_t ct;
625
626 /* determine the zone rootpath */
627 if (mount_cmd) {
628 char zonepath[MAXPATHLEN];
629 char luroot[MAXPATHLEN];
630
631 if (zone_get_zonepath(zone_name,
632 zonepath, sizeof (zonepath)) != Z_OK) {
633 zerror(zlogp, B_FALSE, "unable to determine zone path");
634 return (-1);
635 }
636
637 (void) snprintf(luroot, sizeof (luroot), "%s/lu", zonepath);
638 resolve_lofs(zlogp, luroot, sizeof (luroot));
639 (void) strlcpy(rootpath, luroot, sizeof (rootpath));
640 } else {
641 if (zone_get_rootpath(zone_name,
642 rootpath, sizeof (rootpath)) != Z_OK) {
643 zerror(zlogp, B_FALSE, "unable to determine zone root");
644 return (-1);
645 }
646 }
647
648 if ((rv = valid_mount_path(zlogp, rootpath, spec, dir, fstype)) < 0) {
649 zerror(zlogp, B_FALSE, "%s%s is not a valid mount point",
650 rootpath, dir);
651 return (-1);
652 } else if (rv > 0) {
653 /* The mount point path doesn't exist, create it now. */
654 if (make_one_dir(zlogp, rootpath, dir,
655 DEFAULT_DIR_MODE, DEFAULT_DIR_USER,
656 DEFAULT_DIR_GROUP) != 0) {
657 zerror(zlogp, B_FALSE, "failed to create mount point");
658 return (-1);
659 }
660
661 /*
662 * Now this might seem weird, but we need to invoke
663 * valid_mount_path() again. Why? Because it checks
664 * to make sure that the mount point path is canonical,
665 * which it can only do if the path exists, so now that
666 * we've created the path we have to verify it again.
667 */
668 if ((rv = valid_mount_path(zlogp, rootpath, spec, dir,
669 fstype)) < 0) {
670 zerror(zlogp, B_FALSE,
671 "%s%s is not a valid mount point", rootpath, dir);
672 return (-1);
673 }
674 }
675
676 if ((tmpl_fd = init_template()) == -1) {
677 zerror(zlogp, B_TRUE, "failed to create contract");
678 return (-1);
679 }
680
681 if ((child = fork()) == -1) {
682 (void) ct_tmpl_clear(tmpl_fd);
683 (void) close(tmpl_fd);
684 zerror(zlogp, B_TRUE, "failed to fork");
685 return (-1);
686
687 } else if (child == 0) { /* child */
688 char opt_buf[MAX_MNTOPT_STR];
689 int optlen = 0;
690 int mflag = MS_DATA;
691
692 (void) ct_tmpl_clear(tmpl_fd);
693 /*
694 * Even though there are no procs running in the zone, we
695 * do this for paranoia's sake.
696 */
697 (void) closefrom(0);
698
699 if (zone_enter(zoneid) == -1) {
700 _exit(errno);
701 }
702 if (opt != NULL) {
703 /*
704 * The mount() system call is incredibly annoying.
705 * If options are specified, we need to copy them
706 * into a temporary buffer since the mount() system
707 * call will overwrite the options string. It will
708 * also fail if the new option string it wants to
709 * write is bigger than the one we passed in, so
710 * you must pass in a buffer of the maximum possible
711 * option string length. sigh.
712 */
713 (void) strlcpy(opt_buf, opt, sizeof (opt_buf));
714 opt = opt_buf;
715 optlen = MAX_MNTOPT_STR;
716 mflag = MS_OPTIONSTR;
717 }
718 if (mount(spec, dir, mflag, fstype, NULL, 0, opt, optlen) != 0)
719 _exit(errno);
720 _exit(0);
721 }
722
723 /* parent */
724 if (contract_latest(&ct) == -1)
725 ct = -1;
726 (void) ct_tmpl_clear(tmpl_fd);
727 (void) close(tmpl_fd);
728 if (waitpid(child, &child_status, 0) != child) {
729 /* unexpected: we must have been signalled */
730 (void) contract_abandon_id(ct);
731 return (-1);
732 }
733 (void) contract_abandon_id(ct);
734 if (WEXITSTATUS(child_status) != 0) {
735 errno = WEXITSTATUS(child_status);
736 zerror(zlogp, B_TRUE, "mount of %s failed", dir);
737 return (-1);
738 }
739
740 return (0);
741 }
742
743 /*
744 * env variable name format
745 * _ZONECFG_{resource name}_{identifying attr. name}_{property name}
746 * Any dashes (-) in the property names are replaced with underscore (_).
747 */
748 static void
749 set_zonecfg_env(char *rsrc, char *attr, char *name, char *val)
750 {
751 char *p;
752 char nm[MAXNAMELEN];
753
754 (void) snprintf(nm, sizeof (nm), "_ZONECFG_%s_%s_%s", rsrc, attr, name);
755
756 p = nm;
757 while ((p = strchr(p, '-')) != NULL)
758 *p++ = '_';
759
760 (void) setenv(nm, val, 1);
761 }
762
763 /*
764 * Export zonecfg network and device properties into environment for the boot
765 * and state change hooks.
766 * If debug is true, export the brand hook debug env. variable as well.
767 *
768 * We could export more of the config in the future, as necessary.
769 */
770 static int
771 setup_subproc_env(boolean_t debug)
772 {
773 int res;
774 struct zone_nwiftab ntab;
775 struct zone_devtab dtab;
776 char net_resources[MAXNAMELEN * 2];
777 char dev_resources[MAXNAMELEN * 2];
778
779 net_resources[0] = '\0';
780 if ((res = zonecfg_setnwifent(snap_hndl)) != Z_OK)
781 goto done;
782
783 while (zonecfg_getnwifent(snap_hndl, &ntab) == Z_OK) {
784 struct zone_res_attrtab *rap;
785 char *phys;
786
787 phys = ntab.zone_nwif_physical;
788
789 (void) strlcat(net_resources, phys, sizeof (net_resources));
790 (void) strlcat(net_resources, " ", sizeof (net_resources));
791
792 set_zonecfg_env(RSRC_NET, phys, "physical", phys);
793
794 set_zonecfg_env(RSRC_NET, phys, "address",
795 ntab.zone_nwif_address);
796 set_zonecfg_env(RSRC_NET, phys, "allowed-address",
797 ntab.zone_nwif_allowed_address);
798 set_zonecfg_env(RSRC_NET, phys, "defrouter",
799 ntab.zone_nwif_defrouter);
800 set_zonecfg_env(RSRC_NET, phys, "global-nic",
801 ntab.zone_nwif_gnic);
802 set_zonecfg_env(RSRC_NET, phys, "mac-addr", ntab.zone_nwif_mac);
803 set_zonecfg_env(RSRC_NET, phys, "vlan-id",
804 ntab.zone_nwif_vlan_id);
805
806 for (rap = ntab.zone_nwif_attrp; rap != NULL;
807 rap = rap->zone_res_attr_next)
808 set_zonecfg_env(RSRC_NET, phys, rap->zone_res_attr_name,
809 rap->zone_res_attr_value);
810 nwifent_free_attrs(&ntab);
811 }
812
813 (void) setenv("_ZONECFG_net_resources", net_resources, 1);
814
815 (void) zonecfg_endnwifent(snap_hndl);
816
817 if ((res = zonecfg_setdevent(snap_hndl)) != Z_OK)
818 goto done;
819
820 while (zonecfg_getdevent(snap_hndl, &dtab) == Z_OK) {
821 struct zone_res_attrtab *rap;
822 char *match;
823
824 match = dtab.zone_dev_match;
825
826 (void) strlcat(dev_resources, match, sizeof (dev_resources));
827 (void) strlcat(dev_resources, " ", sizeof (dev_resources));
828
829 for (rap = dtab.zone_dev_attrp; rap != NULL;
830 rap = rap->zone_res_attr_next)
831 set_zonecfg_env(RSRC_DEV, match,
832 rap->zone_res_attr_name, rap->zone_res_attr_value);
833 }
834
835 (void) zonecfg_enddevent(snap_hndl);
836
837 if (debug)
838 (void) setenv("_ZONEADMD_brand_debug", "1", 1);
839 else
840 (void) setenv("_ZONEADMD_brand_debug", "", 1);
841
842 res = Z_OK;
843
844 done:
845 return (res);
846 }
847
848 void
849 nwifent_free_attrs(struct zone_nwiftab *np)
850 {
851 struct zone_res_attrtab *rap;
852
853 for (rap = np->zone_nwif_attrp; rap != NULL; ) {
854 struct zone_res_attrtab *tp = rap;
855
856 rap = rap->zone_res_attr_next;
857 free(tp);
858 }
859 }
860
861 /*
862 * If retstr is not NULL, the output of the subproc is returned in the str,
863 * otherwise it is output using zerror(). Any memory allocated for retstr
864 * should be freed by the caller.
865 */
866 int
867 do_subproc(zlog_t *zlogp, char *cmdbuf, char **retstr, boolean_t debug)
868 {
869 char buf[1024]; /* arbitrary large amount */
870 char *inbuf;
871 FILE *file;
872 int status;
873 int rd_cnt;
874
875 if (retstr != NULL) {
876 if ((*retstr = malloc(1024)) == NULL) {
877 zerror(zlogp, B_FALSE, "out of memory");
878 return (-1);
879 }
880 inbuf = *retstr;
881 rd_cnt = 0;
882 } else {
883 inbuf = buf;
884 }
885
886 if (setup_subproc_env(debug) != Z_OK) {
887 zerror(zlogp, B_FALSE, "failed to setup environment");
888 return (-1);
889 }
890
891 file = popen(cmdbuf, "r");
892 if (file == NULL) {
893 zerror(zlogp, B_TRUE, "could not launch: %s", cmdbuf);
894 return (-1);
895 }
896
897 while (fgets(inbuf, 1024, file) != NULL) {
898 if (retstr == NULL) {
899 if (zlogp != &logsys) {
900 int last = strlen(inbuf) - 1;
901
902 if (inbuf[last] == '\n')
903 inbuf[last] = '\0';
904 zerror(zlogp, B_FALSE, "%s", inbuf);
905 }
906 } else {
907 char *p;
908
909 rd_cnt += 1024 - 1;
910 if ((p = realloc(*retstr, rd_cnt + 1024)) == NULL) {
911 zerror(zlogp, B_FALSE, "out of memory");
912 (void) pclose(file);
913 return (-1);
914 }
915
916 *retstr = p;
917 inbuf = *retstr + rd_cnt;
918 }
919 }
920 status = pclose(file);
921
922 if (WIFSIGNALED(status)) {
923 zerror(zlogp, B_FALSE, "%s unexpectedly terminated due to "
924 "signal %d", cmdbuf, WTERMSIG(status));
925 return (-1);
926 }
927 assert(WIFEXITED(status));
928 if (WEXITSTATUS(status) == ZEXIT_EXEC) {
929 zerror(zlogp, B_FALSE, "failed to exec %s", cmdbuf);
930 return (-1);
931 }
932 return (WEXITSTATUS(status));
933 }
934
935 /*
936 * Get the path for this zone's init(1M) (or equivalent) process. First look
937 * for a zone-specific init-name attr, then get it from the brand.
938 */
939 static int
940 get_initname(brand_handle_t bh, char *initname, int len)
941 {
942 struct zone_attrtab a;
943
944 bzero(&a, sizeof (a));
945 (void) strlcpy(a.zone_attr_name, "init-name",
946 sizeof (a.zone_attr_name));
947
948 if (zonecfg_lookup_attr(snap_hndl, &a) == Z_OK) {
949 (void) strlcpy(initname, a.zone_attr_value, len);
950 return (0);
951 }
952
953 return (brand_get_initname(bh, initname, len));
954 }
955
956 /*
957 * Get the restart-init flag for this zone's init(1M) (or equivalent) process.
958 * First look for a zone-specific restart-init attr, then get it from the brand.
959 */
960 static boolean_t
961 restartinit(brand_handle_t bh)
962 {
963 struct zone_attrtab a;
964
965 bzero(&a, sizeof (a));
966 (void) strlcpy(a.zone_attr_name, "restart-init",
967 sizeof (a.zone_attr_name));
968
969 if (zonecfg_lookup_attr(snap_hndl, &a) == Z_OK) {
970 if (strcmp(a.zone_attr_value, "false") == 0)
971 return (B_FALSE);
972 return (B_TRUE);
973 }
974
975 return (brand_restartinit(bh));
976 }
977
978 static int
979 zone_bootup(zlog_t *zlogp, const char *bootargs, int zstate, boolean_t debug)
980 {
981 zoneid_t zoneid;
982 struct stat st;
983 char zpath[MAXPATHLEN], initpath[MAXPATHLEN], init_file[MAXPATHLEN];
984 char nbootargs[BOOTARGS_MAX];
985 char cmdbuf[MAXPATHLEN];
986 fs_callback_t cb;
987 brand_handle_t bh;
988 zone_iptype_t iptype;
989 boolean_t links_loaded = B_FALSE;
990 dladm_status_t status;
991 char errmsg[DLADM_STRSIZE];
992 int err;
993 boolean_t restart_init;
994
995 if (brand_prestatechg(zlogp, zstate, Z_BOOT, debug) != 0)
996 return (-1);
997
998 if ((zoneid = getzoneidbyname(zone_name)) == -1) {
999 zerror(zlogp, B_TRUE, "unable to get zoneid");
1000 goto bad;
1001 }
1002
1003 cb.zlogp = zlogp;
1004 cb.zoneid = zoneid;
1005 cb.mount_cmd = B_FALSE;
1006
1007 /* Get a handle to the brand info for this zone */
1008 if ((bh = brand_open(brand_name)) == NULL) {
1009 zerror(zlogp, B_FALSE, "unable to determine zone brand");
1010 goto bad;
1011 }
1012
1013 /*
1014 * Get the list of filesystems to mount from the brand
1015 * configuration. These mounts are done via a thread that will
1016 * enter the zone, so they are done from within the context of the
1017 * zone.
1018 */
1019 if (brand_platform_iter_mounts(bh, mount_early_fs, &cb) != 0) {
1020 zerror(zlogp, B_FALSE, "unable to mount filesystems");
1021 brand_close(bh);
1022 goto bad;
1023 }
1024
1025 /*
1026 * Get the brand's boot callback if it exists.
1027 */
1028 if (zone_get_zonepath(zone_name, zpath, sizeof (zpath)) != Z_OK) {
1029 zerror(zlogp, B_FALSE, "unable to determine zone path");
1030 brand_close(bh);
1031 goto bad;
1032 }
1033 (void) strcpy(cmdbuf, EXEC_PREFIX);
1034 if (brand_get_boot(bh, zone_name, zpath, cmdbuf + EXEC_LEN,
1035 sizeof (cmdbuf) - EXEC_LEN) != 0) {
1036 zerror(zlogp, B_FALSE,
1037 "unable to determine branded zone's boot callback");
1038 brand_close(bh);
1039 goto bad;
1040 }
1041
1042 /* Get the path for this zone's init(1M) (or equivalent) process. */
1043 if (get_initname(bh, init_file, MAXPATHLEN) != 0) {
1044 zerror(zlogp, B_FALSE,
1045 "unable to determine zone's init(1M) location");
1046 brand_close(bh);
1047 goto bad;
1048 }
1049
1050 /* See if we should restart init if it dies. */
1051 restart_init = restartinit(bh);
1052
1053 brand_close(bh);
1054
1055 err = filter_bootargs(zlogp, bootargs, nbootargs, init_file,
1056 bad_boot_arg);
1057 if (err == Z_INVAL)
1058 eventstream_write(Z_EVT_ZONE_BADARGS);
1059 else if (err != Z_OK)
1060 goto bad;
1061
1062 assert(init_file[0] != '\0');
1063
1064 /* Try to anticipate possible problems: Make sure init is executable. */
1065 if (zone_get_rootpath(zone_name, zpath, sizeof (zpath)) != Z_OK) {
1066 zerror(zlogp, B_FALSE, "unable to determine zone root");
1067 goto bad;
1068 }
1069
1070 (void) snprintf(initpath, sizeof (initpath), "%s%s", zpath, init_file);
1071
1072 if (stat(initpath, &st) == -1) {
1073 zerror(zlogp, B_TRUE, "could not stat %s", initpath);
1074 goto bad;
1075 }
1076
1077 if ((st.st_mode & S_IXUSR) == 0) {
1078 zerror(zlogp, B_FALSE, "%s is not executable", initpath);
1079 goto bad;
1080 }
1081
1082 /*
1083 * Exclusive stack zones interact with the dlmgmtd running in the
1084 * global zone. dladm_zone_boot() tells dlmgmtd that this zone is
1085 * booting, and loads its datalinks from the zone's datalink
1086 * configuration file.
1087 */
1088 if (vplat_get_iptype(zlogp, &iptype) == 0 && iptype == ZS_EXCLUSIVE) {
1089 status = dladm_zone_boot(dld_handle, zoneid);
1090 if (status != DLADM_STATUS_OK) {
1091 zerror(zlogp, B_FALSE, "unable to load zone datalinks: "
1092 " %s", dladm_status2str(status, errmsg));
1093 goto bad;
1094 }
1095 links_loaded = B_TRUE;
1096 }
1097
1098 /*
1099 * If there is a brand 'boot' callback, execute it now to give the
1100 * brand one last chance to do any additional setup before the zone
1101 * is booted.
1102 */
1103 if ((strlen(cmdbuf) > EXEC_LEN) &&
1104 (do_subproc(zlogp, cmdbuf, NULL, debug) != Z_OK)) {
1105 zerror(zlogp, B_FALSE, "%s failed", cmdbuf);
1106 goto bad;
1107 }
1108
1109 if (zone_setattr(zoneid, ZONE_ATTR_INITNAME, init_file, 0) == -1) {
1110 zerror(zlogp, B_TRUE, "could not set zone boot file");
1111 goto bad;
1112 }
1113
1114 if (zone_setattr(zoneid, ZONE_ATTR_BOOTARGS, nbootargs, 0) == -1) {
1115 zerror(zlogp, B_TRUE, "could not set zone boot arguments");
1116 goto bad;
1117 }
1118
1119 if (!restart_init && zone_setattr(zoneid, ZONE_ATTR_INITNORESTART,
1120 NULL, 0) == -1) {
1121 zerror(zlogp, B_TRUE, "could not set zone init-no-restart");
1122 goto bad;
1123 }
1124
1125 /*
1126 * Inform zonestatd of a new zone so that it can install a door for
1127 * the zone to contact it.
1128 */
1129 notify_zonestatd(zone_id);
1130
1131 if (zone_boot(zoneid) == -1) {
1132 zerror(zlogp, B_TRUE, "unable to boot zone");
1133 goto bad;
1134 }
1135
1136 if (brand_poststatechg(zlogp, zstate, Z_BOOT, debug) != 0)
1137 goto bad;
1138
1139 /* Startup a thread to perform memory capping for the zone. */
1140 create_mcap_thread(zlogp, zone_id);
1141
1142 return (0);
1143
1144 bad:
1145 /*
1146 * If something goes wrong, we up the zones's state to the target
1147 * state, RUNNING, and then invoke the hook as if we're halting.
1148 */
1149 (void) brand_poststatechg(zlogp, ZONE_STATE_RUNNING, Z_HALT, debug);
1150 if (links_loaded)
1151 (void) dladm_zone_halt(dld_handle, zoneid);
1152 return (-1);
1153 }
1154
1155 static int
1156 zone_halt(zlog_t *zlogp, boolean_t unmount_cmd, boolean_t rebooting, int zstate,
1157 boolean_t debug)
1158 {
1159 int err;
1160
1161 if (brand_prestatechg(zlogp, zstate, Z_HALT, debug) != 0)
1162 return (-1);
1163
1164 /* Shutting down, stop the memcap thread */
1165 destroy_mcap_thread();
1166
1167 if (vplat_teardown(zlogp, unmount_cmd, rebooting, debug) != 0) {
1168 if (!bringup_failure_recovery)
1169 zerror(zlogp, B_FALSE, "unable to destroy zone");
1170 return (-1);
1171 }
1172
1173 if (brand_poststatechg(zlogp, zstate, Z_HALT, debug) != 0)
1174 return (-1);
1175
1176 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK)
1177 zerror(zlogp, B_FALSE, "destroying snapshot: %s",
1178 zonecfg_strerror(err));
1179
1180 zonecfg_fini_handle(snap_hndl);
1181 snap_hndl = NULL;
1182
1183 return (0);
1184 }
1185
1186 /*
1187 * Generate AUE_zone_state for a command that boots a zone.
1188 */
1189 static void
1190 audit_put_record(zlog_t *zlogp, ucred_t *uc, int return_val,
1191 char *new_state)
1192 {
1193 adt_session_data_t *ah;
1194 adt_event_data_t *event;
1195 int pass_fail, fail_reason;
1196
1197 if (!adt_audit_enabled())
1198 return;
1199
1200 if (return_val == 0) {
1201 pass_fail = ADT_SUCCESS;
1202 fail_reason = ADT_SUCCESS;
1203 } else {
1204 pass_fail = ADT_FAILURE;
1205 fail_reason = ADT_FAIL_VALUE_PROGRAM;
1206 }
1207
1208 if (adt_start_session(&ah, NULL, 0)) {
1209 zerror(zlogp, B_TRUE, gettext("audit failure."));
1210 return;
1211 }
1212 if (adt_set_from_ucred(ah, uc, ADT_NEW)) {
1213 zerror(zlogp, B_TRUE, gettext("audit failure."));
1214 (void) adt_end_session(ah);
1215 return;
1216 }
1217
1218 event = adt_alloc_event(ah, ADT_zone_state);
1219 if (event == NULL) {
1220 zerror(zlogp, B_TRUE, gettext("audit failure."));
1221 (void) adt_end_session(ah);
1222 return;
1223 }
1224 event->adt_zone_state.zonename = zone_name;
1225 event->adt_zone_state.new_state = new_state;
1226
1227 if (adt_put_event(event, pass_fail, fail_reason))
1228 zerror(zlogp, B_TRUE, gettext("audit failure."));
1229
1230 adt_free_event(event);
1231
1232 (void) adt_end_session(ah);
1233 }
1234
1235 /*
1236 * The main routine for the door server that deals with zone state transitions.
1237 */
1238 /* ARGSUSED */
1239 static void
1240 server(void *cookie, char *args, size_t alen, door_desc_t *dp,
1241 uint_t n_desc)
1242 {
1243 ucred_t *uc = NULL;
1244 const priv_set_t *eset;
1245
1246 zone_state_t zstate;
1247 zone_cmd_t cmd;
1248 boolean_t debug;
1249 zone_cmd_arg_t *zargp;
1250
1251 boolean_t kernelcall;
1252
1253 int rval = -1;
1254 uint64_t uniqid;
1255 zoneid_t zoneid = -1;
1256 zlog_t zlog;
1257 zlog_t *zlogp;
1258 zone_cmd_rval_t *rvalp;
1259 size_t rlen = getpagesize(); /* conservative */
1260 fs_callback_t cb;
1261 brand_handle_t bh;
1262
1263 /* LINTED E_BAD_PTR_CAST_ALIGN */
1264 zargp = (zone_cmd_arg_t *)args;
1265
1266 /*
1267 * When we get the door unref message, we've fdetach'd the door, and
1268 * it is time for us to shut down zoneadmd.
1269 */
1270 if (zargp == DOOR_UNREF_DATA) {
1271 /*
1272 * See comment at end of main() for info on the last rites.
1273 */
1274 exit(0);
1275 }
1276
1277 if (zargp == NULL) {
1278 (void) door_return(NULL, 0, 0, 0);
1279 }
1280
1281 rvalp = alloca(rlen);
1282 bzero(rvalp, rlen);
1283 zlog.logfile = NULL;
1284 zlog.buflen = zlog.loglen = rlen - sizeof (zone_cmd_rval_t) + 1;
1285 zlog.buf = rvalp->errbuf;
1286 zlog.log = zlog.buf;
1287 /* defer initialization of zlog.locale until after credential check */
1288 zlogp = &zlog;
1289
1290 if (alen != sizeof (zone_cmd_arg_t)) {
1291 /*
1292 * This really shouldn't be happening.
1293 */
1294 zerror(&logsys, B_FALSE, "argument size (%d bytes) "
1295 "unexpected (expected %d bytes)", alen,
1296 sizeof (zone_cmd_arg_t));
1297 goto out;
1298 }
1299 cmd = zargp->cmd;
1300 debug = zargp->debug;
1301
1302 if (door_ucred(&uc) != 0) {
1303 zerror(&logsys, B_TRUE, "door_ucred");
1304 goto out;
1305 }
1306 eset = ucred_getprivset(uc, PRIV_EFFECTIVE);
1307 if (ucred_getzoneid(uc) != GLOBAL_ZONEID ||
1308 (eset != NULL ? !priv_ismember(eset, PRIV_SYS_CONFIG) :
1309 ucred_geteuid(uc) != 0)) {
1310 zerror(&logsys, B_FALSE, "insufficient privileges");
1311 goto out;
1312 }
1313
1314 kernelcall = ucred_getpid(uc) == 0;
1315
1316 /*
1317 * This is safe because we only use a zlog_t throughout the
1318 * duration of a door call; i.e., by the time the pointer
1319 * might become invalid, the door call would be over.
1320 */
1321 zlog.locale = kernelcall ? DEFAULT_LOCALE : zargp->locale;
1322
1323 (void) mutex_lock(&lock);
1324
1325 /*
1326 * Once we start to really die off, we don't want more connections.
1327 */
1328 if (in_death_throes) {
1329 (void) mutex_unlock(&lock);
1330 ucred_free(uc);
1331 (void) door_return(NULL, 0, 0, 0);
1332 thr_exit(NULL);
1333 }
1334
1335 /*
1336 * Check for validity of command.
1337 */
1338 if (cmd != Z_READY && cmd != Z_BOOT && cmd != Z_FORCEBOOT &&
1339 cmd != Z_REBOOT && cmd != Z_HALT && cmd != Z_NOTE_UNINSTALLING &&
1340 cmd != Z_MOUNT && cmd != Z_FORCEMOUNT && cmd != Z_UNMOUNT) {
1341 zerror(&logsys, B_FALSE, "invalid command %d", (int)cmd);
1342 goto out;
1343 }
1344
1345 if (kernelcall && (cmd != Z_HALT && cmd != Z_REBOOT)) {
1346 /*
1347 * Can't happen
1348 */
1349 zerror(&logsys, B_FALSE, "received unexpected kernel upcall %d",
1350 cmd);
1351 goto out;
1352 }
1353 /*
1354 * We ignore the possibility of someone calling zone_create(2)
1355 * explicitly; all requests must come through zoneadmd.
1356 */
1357 if (zone_get_state(zone_name, &zstate) != Z_OK) {
1358 /*
1359 * Something terribly wrong happened
1360 */
1361 zerror(&logsys, B_FALSE, "unable to determine state of zone");
1362 goto out;
1363 }
1364
1365 if (kernelcall) {
1366 /*
1367 * Kernel-initiated requests may lose their validity if the
1368 * zone_t the kernel was referring to has gone away.
1369 */
1370 if ((zoneid = getzoneidbyname(zone_name)) == -1 ||
1371 zone_getattr(zoneid, ZONE_ATTR_UNIQID, &uniqid,
1372 sizeof (uniqid)) == -1 || uniqid != zargp->uniqid) {
1373 /*
1374 * We're not talking about the same zone. The request
1375 * must have arrived too late. Return error.
1376 */
1377 rval = -1;
1378 goto out;
1379 }
1380 zlogp = &logsys; /* Log errors to syslog */
1381 }
1382
1383 /*
1384 * If we are being asked to forcibly mount or boot a zone, we
1385 * pretend that an INCOMPLETE zone is actually INSTALLED.
1386 */
1387 if (zstate == ZONE_STATE_INCOMPLETE &&
1388 (cmd == Z_FORCEBOOT || cmd == Z_FORCEMOUNT))
1389 zstate = ZONE_STATE_INSTALLED;
1390
1391 switch (zstate) {
1392 case ZONE_STATE_CONFIGURED:
1393 case ZONE_STATE_INCOMPLETE:
1394 /*
1395 * Not our area of expertise; we just print a nice message
1396 * and die off.
1397 */
1398 zerror(zlogp, B_FALSE,
1399 "%s operation is invalid for zones in state '%s'",
1400 z_cmd_name(cmd), zone_state_str(zstate));
1401 break;
1402
1403 case ZONE_STATE_INSTALLED:
1404 switch (cmd) {
1405 case Z_READY:
1406 rval = zone_ready(zlogp, Z_MNT_BOOT, zstate, debug);
1407 if (rval == 0)
1408 eventstream_write(Z_EVT_ZONE_READIED);
1409 break;
1410 case Z_BOOT:
1411 case Z_FORCEBOOT:
1412 eventstream_write(Z_EVT_ZONE_BOOTING);
1413 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate,
1414 debug)) == 0) {
1415 rval = zone_bootup(zlogp, zargp->bootbuf,
1416 zstate, debug);
1417 }
1418 audit_put_record(zlogp, uc, rval, "boot");
1419 if (rval != 0) {
1420 bringup_failure_recovery = B_TRUE;
1421 (void) zone_halt(zlogp, B_FALSE, B_FALSE,
1422 zstate, debug);
1423 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1424 }
1425 break;
1426 case Z_HALT:
1427 if (kernelcall) /* Invalid; can't happen */
1428 abort();
1429 /*
1430 * We could have two clients racing to halt this
1431 * zone; the second client loses, but his request
1432 * doesn't fail, since the zone is now in the desired
1433 * state.
1434 */
1435 zerror(zlogp, B_FALSE, "zone is already halted");
1436 rval = 0;
1437 break;
1438 case Z_REBOOT:
1439 if (kernelcall) /* Invalid; can't happen */
1440 abort();
1441 zerror(zlogp, B_FALSE, "%s operation is invalid "
1442 "for zones in state '%s'", z_cmd_name(cmd),
1443 zone_state_str(zstate));
1444 rval = -1;
1445 break;
1446 case Z_NOTE_UNINSTALLING:
1447 if (kernelcall) /* Invalid; can't happen */
1448 abort();
1449 /*
1450 * Tell the console to print out a message about this.
1451 * Once it does, we will be in_death_throes.
1452 */
1453 eventstream_write(Z_EVT_ZONE_UNINSTALLING);
1454 break;
1455 case Z_MOUNT:
1456 case Z_FORCEMOUNT:
1457 if (kernelcall) /* Invalid; can't happen */
1458 abort();
1459 if (!zone_isnative && !zone_iscluster &&
1460 !zone_islabeled) {
1461 /*
1462 * -U mounts the zone without lofs mounting
1463 * zone file systems back into the scratch
1464 * zone. This is required when mounting
1465 * non-native branded zones.
1466 */
1467 (void) strlcpy(zargp->bootbuf, "-U",
1468 BOOTARGS_MAX);
1469 }
1470
1471 rval = zone_ready(zlogp,
1472 strcmp(zargp->bootbuf, "-U") == 0 ?
1473 Z_MNT_UPDATE : Z_MNT_SCRATCH, zstate, debug);
1474 if (rval != 0)
1475 break;
1476
1477 eventstream_write(Z_EVT_ZONE_READIED);
1478
1479 /*
1480 * Get a handle to the default brand info.
1481 * We must always use the default brand file system
1482 * list when mounting the zone.
1483 */
1484 if ((bh = brand_open(default_brand)) == NULL) {
1485 rval = -1;
1486 break;
1487 }
1488
1489 /*
1490 * Get the list of filesystems to mount from
1491 * the brand configuration. These mounts are done
1492 * via a thread that will enter the zone, so they
1493 * are done from within the context of the zone.
1494 */
1495 cb.zlogp = zlogp;
1496 cb.zoneid = zone_id;
1497 cb.mount_cmd = B_TRUE;
1498 rval = brand_platform_iter_mounts(bh,
1499 mount_early_fs, &cb);
1500
1501 brand_close(bh);
1502
1503 /*
1504 * Ordinarily, /dev/fd would be mounted inside the zone
1505 * by svc:/system/filesystem/usr:default, but since
1506 * we're not booting the zone, we need to do this
1507 * manually.
1508 */
1509 if (rval == 0)
1510 rval = mount_early_fs(&cb,
1511 "fd", "/dev/fd", "fd", NULL);
1512 break;
1513 case Z_UNMOUNT:
1514 if (kernelcall) /* Invalid; can't happen */
1515 abort();
1516 zerror(zlogp, B_FALSE, "zone is already unmounted");
1517 rval = 0;
1518 break;
1519 }
1520 break;
1521
1522 case ZONE_STATE_READY:
1523 switch (cmd) {
1524 case Z_READY:
1525 /*
1526 * We could have two clients racing to ready this
1527 * zone; the second client loses, but his request
1528 * doesn't fail, since the zone is now in the desired
1529 * state.
1530 */
1531 zerror(zlogp, B_FALSE, "zone is already ready");
1532 rval = 0;
1533 break;
1534 case Z_BOOT:
1535 case Z_FORCEBOOT:
1536 (void) strlcpy(boot_args, zargp->bootbuf,
1537 sizeof (boot_args));
1538 eventstream_write(Z_EVT_ZONE_BOOTING);
1539 rval = zone_bootup(zlogp, zargp->bootbuf, zstate,
1540 debug);
1541 audit_put_record(zlogp, uc, rval, "boot");
1542 if (rval != 0) {
1543 bringup_failure_recovery = B_TRUE;
1544 (void) zone_halt(zlogp, B_FALSE, B_TRUE,
1545 zstate, debug);
1546 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1547 }
1548 boot_args[0] = '\0';
1549 break;
1550 case Z_HALT:
1551 if (kernelcall) /* Invalid; can't happen */
1552 abort();
1553 if ((rval = zone_halt(zlogp, B_FALSE, B_FALSE, zstate,
1554 debug)) != 0)
1555 break;
1556 eventstream_write(Z_EVT_ZONE_HALTED);
1557 break;
1558 case Z_REBOOT:
1559 case Z_NOTE_UNINSTALLING:
1560 case Z_MOUNT:
1561 case Z_FORCEMOUNT:
1562 case Z_UNMOUNT:
1563 if (kernelcall) /* Invalid; can't happen */
1564 abort();
1565 zerror(zlogp, B_FALSE, "%s operation is invalid "
1566 "for zones in state '%s'", z_cmd_name(cmd),
1567 zone_state_str(zstate));
1568 rval = -1;
1569 break;
1570 }
1571 break;
1572
1573 case ZONE_STATE_MOUNTED:
1574 switch (cmd) {
1575 case Z_UNMOUNT:
1576 if (kernelcall) /* Invalid; can't happen */
1577 abort();
1578 rval = zone_halt(zlogp, B_TRUE, B_FALSE, zstate, debug);
1579 if (rval == 0) {
1580 eventstream_write(Z_EVT_ZONE_HALTED);
1581 (void) sema_post(&scratch_sem);
1582 }
1583 break;
1584 default:
1585 if (kernelcall) /* Invalid; can't happen */
1586 abort();
1587 zerror(zlogp, B_FALSE, "%s operation is invalid "
1588 "for zones in state '%s'", z_cmd_name(cmd),
1589 zone_state_str(zstate));
1590 rval = -1;
1591 break;
1592 }
1593 break;
1594
1595 case ZONE_STATE_RUNNING:
1596 case ZONE_STATE_SHUTTING_DOWN:
1597 case ZONE_STATE_DOWN:
1598 switch (cmd) {
1599 case Z_READY:
1600 if ((rval = zone_halt(zlogp, B_FALSE, B_TRUE, zstate,
1601 debug)) != 0)
1602 break;
1603 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate,
1604 debug)) == 0)
1605 eventstream_write(Z_EVT_ZONE_READIED);
1606 else
1607 eventstream_write(Z_EVT_ZONE_HALTED);
1608 break;
1609 case Z_BOOT:
1610 case Z_FORCEBOOT:
1611 /*
1612 * We could have two clients racing to boot this
1613 * zone; the second client loses, but his request
1614 * doesn't fail, since the zone is now in the desired
1615 * state.
1616 */
1617 zerror(zlogp, B_FALSE, "zone is already booted");
1618 rval = 0;
1619 break;
1620 case Z_HALT:
1621 if ((rval = zone_halt(zlogp, B_FALSE, B_FALSE, zstate,
1622 debug)) != 0)
1623 break;
1624 eventstream_write(Z_EVT_ZONE_HALTED);
1625 break;
1626 case Z_REBOOT:
1627 (void) strlcpy(boot_args, zargp->bootbuf,
1628 sizeof (boot_args));
1629 eventstream_write(Z_EVT_ZONE_REBOOTING);
1630 if ((rval = zone_halt(zlogp, B_FALSE, B_TRUE, zstate,
1631 debug)) != 0) {
1632 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1633 boot_args[0] = '\0';
1634 break;
1635 }
1636 if ((rval = zone_ready(zlogp, Z_MNT_BOOT, zstate,
1637 debug)) != 0) {
1638 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1639 boot_args[0] = '\0';
1640 break;
1641 }
1642 rval = zone_bootup(zlogp, zargp->bootbuf, zstate,
1643 debug);
1644 audit_put_record(zlogp, uc, rval, "reboot");
1645 if (rval != 0) {
1646 (void) zone_halt(zlogp, B_FALSE, B_TRUE,
1647 zstate, debug);
1648 eventstream_write(Z_EVT_ZONE_BOOTFAILED);
1649 }
1650 boot_args[0] = '\0';
1651 break;
1652 case Z_NOTE_UNINSTALLING:
1653 case Z_MOUNT:
1654 case Z_FORCEMOUNT:
1655 case Z_UNMOUNT:
1656 zerror(zlogp, B_FALSE, "%s operation is invalid "
1657 "for zones in state '%s'", z_cmd_name(cmd),
1658 zone_state_str(zstate));
1659 rval = -1;
1660 break;
1661 }
1662 break;
1663 default:
1664 abort();
1665 }
1666
1667 /*
1668 * Because the state of the zone may have changed, we make sure
1669 * to wake the console poller, which is in charge of initiating
1670 * the shutdown procedure as necessary.
1671 */
1672 eventstream_write(Z_EVT_NULL);
1673
1674 out:
1675 (void) mutex_unlock(&lock);
1676 if (kernelcall) {
1677 rvalp = NULL;
1678 rlen = 0;
1679 } else {
1680 rvalp->rval = rval;
1681 }
1682 if (uc != NULL)
1683 ucred_free(uc);
1684 (void) door_return((char *)rvalp, rlen, NULL, 0);
1685 thr_exit(NULL);
1686 }
1687
1688 static int
1689 setup_door(zlog_t *zlogp)
1690 {
1691 if ((zone_door = door_create(server, NULL,
1692 DOOR_UNREF | DOOR_REFUSE_DESC | DOOR_NO_CANCEL)) < 0) {
1693 zerror(zlogp, B_TRUE, "%s failed", "door_create");
1694 return (-1);
1695 }
1696 (void) fdetach(zone_door_path);
1697
1698 if (fattach(zone_door, zone_door_path) != 0) {
1699 zerror(zlogp, B_TRUE, "fattach to %s failed", zone_door_path);
1700 (void) door_revoke(zone_door);
1701 (void) fdetach(zone_door_path);
1702 zone_door = -1;
1703 return (-1);
1704 }
1705 return (0);
1706 }
1707
1708 /*
1709 * zoneadm(1m) will start zoneadmd if it thinks it isn't running; this
1710 * is where zoneadmd itself will check to see that another instance of
1711 * zoneadmd isn't already controlling this zone.
1712 *
1713 * The idea here is that we want to open the path to which we will
1714 * attach our door, lock it, and then make sure that no-one has beat us
1715 * to fattach(3c)ing onto it.
1716 *
1717 * fattach(3c) is really a mount, so there are actually two possible
1718 * vnodes we could be dealing with. Our strategy is as follows:
1719 *
1720 * - If the file we opened is a regular file (common case):
1721 * There is no fattach(3c)ed door, so we have a chance of becoming
1722 * the managing zoneadmd. We attempt to lock the file: if it is
1723 * already locked, that means someone else raced us here, so we
1724 * lose and give up. zoneadm(1m) will try to contact the zoneadmd
1725 * that beat us to it.
1726 *
1727 * - If the file we opened is a namefs file:
1728 * This means there is already an established door fattach(3c)'ed
1729 * to the rendezvous path. We've lost the race, so we give up.
1730 * Note that in this case we also try to grab the file lock, and
1731 * will succeed in acquiring it since the vnode locked by the
1732 * "winning" zoneadmd was a regular one, and the one we locked was
1733 * the fattach(3c)'ed door node. At any rate, no harm is done, and
1734 * we just return to zoneadm(1m) which knows to retry.
1735 */
1736 static int
1737 make_daemon_exclusive(zlog_t *zlogp)
1738 {
1739 int doorfd = -1;
1740 int err, ret = -1;
1741 struct stat st;
1742 struct flock flock;
1743 zone_state_t zstate;
1744
1745 top:
1746 if ((err = zone_get_state(zone_name, &zstate)) != Z_OK) {
1747 zerror(zlogp, B_FALSE, "failed to get zone state: %s",
1748 zonecfg_strerror(err));
1749 goto out;
1750 }
1751 if ((doorfd = open(zone_door_path, O_CREAT|O_RDWR,
1752 S_IREAD|S_IWRITE)) < 0) {
1753 zerror(zlogp, B_TRUE, "failed to open %s", zone_door_path);
1754 goto out;
1755 }
1756 if (fstat(doorfd, &st) < 0) {
1757 zerror(zlogp, B_TRUE, "failed to stat %s", zone_door_path);
1758 goto out;
1759 }
1760 /*
1761 * Lock the file to synchronize with other zoneadmd
1762 */
1763 flock.l_type = F_WRLCK;
1764 flock.l_whence = SEEK_SET;
1765 flock.l_start = (off_t)0;
1766 flock.l_len = (off_t)0;
1767 if (fcntl(doorfd, F_SETLK, &flock) < 0) {
1768 /*
1769 * Someone else raced us here and grabbed the lock file
1770 * first. A warning here is inappropriate since nothing
1771 * went wrong.
1772 */
1773 goto out;
1774 }
1775
1776 if (strcmp(st.st_fstype, "namefs") == 0) {
1777 struct door_info info;
1778
1779 /*
1780 * There is already something fattach()'ed to this file.
1781 * Lets see what the door is up to.
1782 */
1783 if (door_info(doorfd, &info) == 0 && info.di_target != -1) {
1784 /*
1785 * Another zoneadmd process seems to be in
1786 * control of the situation and we don't need to
1787 * be here. A warning here is inappropriate
1788 * since nothing went wrong.
1789 *
1790 * If the door has been revoked, the zoneadmd
1791 * process currently managing the zone is going
1792 * away. We'll return control to zoneadm(1m)
1793 * which will try again (by which time zoneadmd
1794 * will hopefully have exited).
1795 */
1796 goto out;
1797 }
1798
1799 /*
1800 * If we got this far, there's a fattach(3c)'ed door
1801 * that belongs to a process that has exited, which can
1802 * happen if the previous zoneadmd died unexpectedly.
1803 *
1804 * Let user know that something is amiss, but that we can
1805 * recover; if the zone is in the installed state, then don't
1806 * message, since having a running zoneadmd isn't really
1807 * expected/needed. We want to keep occurences of this message
1808 * limited to times when zoneadmd is picking back up from a
1809 * zoneadmd that died while the zone was in some non-trivial
1810 * state.
1811 */
1812 if (zstate > ZONE_STATE_INSTALLED) {
1813 static zoneid_t zid;
1814
1815 zerror(zlogp, B_FALSE,
1816 "zone '%s': WARNING: zone is in state '%s', but "
1817 "zoneadmd does not appear to be available; "
1818 "restarted zoneadmd to recover.",
1819 zone_name, zone_state_str(zstate));
1820
1821 /*
1822 * Startup a thread to perform memory capping for the
1823 * zone.
1824 */
1825 if ((zid = getzoneidbyname(zone_name)) != -1)
1826 create_mcap_thread(zlogp, zid);
1827
1828 /* recover the global configuration snapshot */
1829 if (snap_hndl == NULL) {
1830 if ((snap_hndl = zonecfg_init_handle())
1831 == NULL ||
1832 zonecfg_create_snapshot(zone_name)
1833 != Z_OK ||
1834 zonecfg_get_snapshot_handle(zone_name,
1835 snap_hndl) != Z_OK) {
1836 zerror(zlogp, B_FALSE, "recovering "
1837 "zone configuration handle");
1838 goto out;
1839 }
1840 }
1841 }
1842
1843 (void) fdetach(zone_door_path);
1844 (void) close(doorfd);
1845 goto top;
1846 }
1847 ret = 0;
1848 out:
1849 (void) close(doorfd);
1850 return (ret);
1851 }
1852
1853 /*
1854 * Run the query hook with the 'env' parameter. It should return a
1855 * string of tab-delimited key-value pairs, each of which should be set
1856 * in the environment.
1857 *
1858 * Because the env_vars string values become part of the environment, the
1859 * string is static and we don't free it.
1860 */
1861 static int
1862 set_brand_env(zlog_t *zlogp)
1863 {
1864 int ret = 0;
1865 int err;
1866 boolean_t snapped = B_FALSE;
1867 static char *env_vars = NULL;
1868 char buf[2 * MAXPATHLEN];
1869
1870 if (query_hook[0] == '\0' || env_vars != NULL)
1871 return (0);
1872
1873 if (snprintf(buf, sizeof (buf), "%s env", query_hook) > sizeof (buf))
1874 return (-1);
1875
1876 if (snap_hndl == NULL) {
1877 if ((snap_hndl = zonecfg_init_handle()) == NULL) {
1878 zerror(zlogp, B_TRUE,
1879 "getting zone configuration handle");
1880 return (-1);
1881 }
1882 snapped = B_TRUE;
1883 if ((err = zonecfg_create_snapshot(zone_name)) != Z_OK) {
1884 zerror(zlogp, B_FALSE, "unable to create snapshot: %s",
1885 zonecfg_strerror(err));
1886 ret = -1;
1887 goto done;
1888 }
1889 if ((err = zonecfg_get_snapshot_handle(zone_name, snap_hndl))
1890 != Z_OK) {
1891 zerror(zlogp, B_FALSE, "unable to get snapshot: %s",
1892 zonecfg_strerror(err));
1893 ret = -1;
1894 goto done;
1895 }
1896 }
1897
1898 if (do_subproc(zlogp, buf, &env_vars, B_FALSE) != 0) {
1899 ret = -1;
1900 goto done;
1901 }
1902
1903 if (env_vars != NULL) {
1904 char *sp;
1905
1906 sp = strtok(env_vars, "\t");
1907 while (sp != NULL) {
1908 if (putenv(sp) != 0) {
1909 ret = -1;
1910 break;
1911 }
1912 sp = strtok(NULL, "\t");
1913 }
1914 }
1915
1916 done:
1917 if (snapped) {
1918 if ((err = zonecfg_destroy_snapshot(zone_name)) != Z_OK)
1919 zerror(zlogp, B_FALSE, "destroying snapshot: %s",
1920 zonecfg_strerror(err));
1921
1922 zonecfg_fini_handle(snap_hndl);
1923 snap_hndl = NULL;
1924 }
1925
1926 return (ret);
1927 }
1928
1929 /*
1930 * Setup the brand's pre and post state change callbacks, as well as the
1931 * query callback, if any of these exist.
1932 */
1933 static int
1934 brand_callback_init(brand_handle_t bh, char *zone_name)
1935 {
1936 char zpath[MAXPATHLEN];
1937
1938 if (zone_get_zonepath(zone_name, zpath, sizeof (zpath)) != Z_OK)
1939 return (-1);
1940
1941 (void) strlcpy(pre_statechg_hook, EXEC_PREFIX,
1942 sizeof (pre_statechg_hook));
1943
1944 if (brand_get_prestatechange(bh, zone_name, zpath,
1945 pre_statechg_hook + EXEC_LEN,
1946 sizeof (pre_statechg_hook) - EXEC_LEN) != 0)
1947 return (-1);
1948
1949 if (strlen(pre_statechg_hook) <= EXEC_LEN)
1950 pre_statechg_hook[0] = '\0';
1951
1952 (void) strlcpy(post_statechg_hook, EXEC_PREFIX,
1953 sizeof (post_statechg_hook));
1954
1955 if (brand_get_poststatechange(bh, zone_name, zpath,
1956 post_statechg_hook + EXEC_LEN,
1957 sizeof (post_statechg_hook) - EXEC_LEN) != 0)
1958 return (-1);
1959
1960 if (strlen(post_statechg_hook) <= EXEC_LEN)
1961 post_statechg_hook[0] = '\0';
1962
1963 (void) strlcpy(query_hook, EXEC_PREFIX,
1964 sizeof (query_hook));
1965
1966 if (brand_get_query(bh, zone_name, zpath, query_hook + EXEC_LEN,
1967 sizeof (query_hook) - EXEC_LEN) != 0)
1968 return (-1);
1969
1970 if (strlen(query_hook) <= EXEC_LEN)
1971 query_hook[0] = '\0';
1972
1973 return (0);
1974 }
1975
1976 int
1977 main(int argc, char *argv[])
1978 {
1979 int opt;
1980 zoneid_t zid;
1981 priv_set_t *privset;
1982 zone_state_t zstate;
1983 char parents_locale[MAXPATHLEN];
1984 brand_handle_t bh;
1985 int err;
1986
1987 pid_t pid;
1988 sigset_t blockset;
1989 sigset_t block_cld;
1990
1991 struct {
1992 sema_t sem;
1993 int status;
1994 zlog_t log;
1995 } *shstate;
1996 size_t shstatelen = getpagesize();
1997
1998 zlog_t errlog;
1999 zlog_t *zlogp;
2000
2001 int ctfd;
2002
2003 progname = get_execbasename(argv[0]);
2004
2005 /*
2006 * Make sure stderr is unbuffered
2007 */
2008 (void) setbuffer(stderr, NULL, 0);
2009
2010 /*
2011 * Get out of the way of mounted filesystems, since we will daemonize
2012 * soon.
2013 */
2014 (void) chdir("/");
2015
2016 /*
2017 * Use the default system umask per PSARC 1998/110 rather than
2018 * anything that may have been set by the caller.
2019 */
2020 (void) umask(CMASK);
2021
2022 /*
2023 * Initially we want to use our parent's locale.
2024 */
2025 (void) setlocale(LC_ALL, "");
2026 (void) textdomain(TEXT_DOMAIN);
2027 (void) strlcpy(parents_locale, setlocale(LC_MESSAGES, NULL),
2028 sizeof (parents_locale));
2029
2030 /*
2031 * This zlog_t is used for writing to stderr
2032 */
2033 errlog.logfile = stderr;
2034 errlog.buflen = errlog.loglen = 0;
2035 errlog.buf = errlog.log = NULL;
2036 errlog.locale = parents_locale;
2037
2038 /*
2039 * We start off writing to stderr until we're ready to daemonize.
2040 */
2041 zlogp = &errlog;
2042
2043 /*
2044 * Process options.
2045 */
2046 while ((opt = getopt(argc, argv, "R:z:")) != EOF) {
2047 switch (opt) {
2048 case 'R':
2049 zonecfg_set_root(optarg);
2050 break;
2051 case 'z':
2052 zone_name = optarg;
2053 break;
2054 default:
2055 usage();
2056 }
2057 }
2058
2059 if (zone_name == NULL)
2060 usage();
2061
2062 /*
2063 * Because usage() prints directly to stderr, it has gettext()
2064 * wrapping, which depends on the locale. But since zerror() calls
2065 * localize() which tweaks the locale, it is not safe to call zerror()
2066 * until after the last call to usage(). Fortunately, the last call
2067 * to usage() is just above and the first call to zerror() is just
2068 * below. Don't mess this up.
2069 */
2070 if (strcmp(zone_name, GLOBAL_ZONENAME) == 0) {
2071 zerror(zlogp, B_FALSE, "cannot manage the %s zone",
2072 GLOBAL_ZONENAME);
2073 return (1);
2074 }
2075
2076 if (zone_get_id(zone_name, &zid) != 0) {
2077 zerror(zlogp, B_FALSE, "could not manage %s: %s", zone_name,
2078 zonecfg_strerror(Z_NO_ZONE));
2079 return (1);
2080 }
2081
2082 if ((err = zone_get_state(zone_name, &zstate)) != Z_OK) {
2083 zerror(zlogp, B_FALSE, "failed to get zone state: %s",
2084 zonecfg_strerror(err));
2085 return (1);
2086 }
2087 if (zstate < ZONE_STATE_INCOMPLETE) {
2088 zerror(zlogp, B_FALSE,
2089 "cannot manage a zone which is in state '%s'",
2090 zone_state_str(zstate));
2091 return (1);
2092 }
2093
2094 if (zonecfg_default_brand(default_brand,
2095 sizeof (default_brand)) != Z_OK) {
2096 zerror(zlogp, B_FALSE, "unable to determine default brand");
2097 return (1);
2098 }
2099
2100 /* Get a handle to the brand info for this zone */
2101 if (zone_get_brand(zone_name, brand_name, sizeof (brand_name))
2102 != Z_OK) {
2103 zerror(zlogp, B_FALSE, "unable to determine zone brand");
2104 return (1);
2105 }
2106 zone_isnative = (strcmp(brand_name, NATIVE_BRAND_NAME) == 0);
2107 zone_islabeled = (strcmp(brand_name, LABELED_BRAND_NAME) == 0);
2108
2109 /*
2110 * In the alternate root environment, the only supported
2111 * operations are mount and unmount. In this case, just treat
2112 * the zone as native if it is cluster. Cluster zones can be
2113 * native for the purpose of LU or upgrade, and the cluster
2114 * brand may not exist in the miniroot (such as in net install
2115 * upgrade).
2116 */
2117 if (strcmp(brand_name, CLUSTER_BRAND_NAME) == 0) {
2118 zone_iscluster = B_TRUE;
2119 if (zonecfg_in_alt_root()) {
2120 (void) strlcpy(brand_name, default_brand,
2121 sizeof (brand_name));
2122 }
2123 } else {
2124 zone_iscluster = B_FALSE;
2125 }
2126
2127 if ((bh = brand_open(brand_name)) == NULL) {
2128 zerror(zlogp, B_FALSE, "unable to open zone brand");
2129 return (1);
2130 }
2131
2132 /* Get state change brand hooks. */
2133 if (brand_callback_init(bh, zone_name) == -1) {
2134 zerror(zlogp, B_TRUE,
2135 "failed to initialize brand state change hooks");
2136 brand_close(bh);
2137 return (1);
2138 }
2139
2140 brand_close(bh);
2141
2142 /*
2143 * Check that we have all privileges. It would be nice to pare
2144 * this down, but this is at least a first cut.
2145 */
2146 if ((privset = priv_allocset()) == NULL) {
2147 zerror(zlogp, B_TRUE, "%s failed", "priv_allocset");
2148 return (1);
2149 }
2150
2151 if (getppriv(PRIV_EFFECTIVE, privset) != 0) {
2152 zerror(zlogp, B_TRUE, "%s failed", "getppriv");
2153 priv_freeset(privset);
2154 return (1);
2155 }
2156
2157 if (priv_isfullset(privset) == B_FALSE) {
2158 zerror(zlogp, B_FALSE, "You lack sufficient privilege to "
2159 "run this command (all privs required)");
2160 priv_freeset(privset);
2161 return (1);
2162 }
2163 priv_freeset(privset);
2164
2165 if (set_brand_env(zlogp) != 0) {
2166 zerror(zlogp, B_FALSE, "Unable to setup brand's environment");
2167 return (1);
2168 }
2169
2170 if (mkzonedir(zlogp) != 0)
2171 return (1);
2172
2173 /*
2174 * Pre-fork: setup shared state
2175 */
2176 if ((shstate = (void *)mmap(NULL, shstatelen,
2177 PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANON, -1, (off_t)0)) ==
2178 MAP_FAILED) {
2179 zerror(zlogp, B_TRUE, "%s failed", "mmap");
2180 return (1);
2181 }
2182 if (sema_init(&shstate->sem, 0, USYNC_PROCESS, NULL) != 0) {
2183 zerror(zlogp, B_TRUE, "%s failed", "sema_init()");
2184 (void) munmap((char *)shstate, shstatelen);
2185 return (1);
2186 }
2187 shstate->log.logfile = NULL;
2188 shstate->log.buflen = shstatelen - sizeof (*shstate);
2189 shstate->log.loglen = shstate->log.buflen;
2190 shstate->log.buf = (char *)shstate + sizeof (*shstate);
2191 shstate->log.log = shstate->log.buf;
2192 shstate->log.locale = parents_locale;
2193 shstate->status = -1;
2194
2195 /*
2196 * We need a SIGCHLD handler so the sema_wait() below will wake
2197 * up if the child dies without doing a sema_post().
2198 */
2199 (void) sigset(SIGCHLD, sigchld);
2200 /*
2201 * We must mask SIGCHLD until after we've coped with the fork
2202 * sufficiently to deal with it; otherwise we can race and
2203 * receive the signal before pid has been initialized
2204 * (yes, this really happens).
2205 */
2206 (void) sigemptyset(&block_cld);
2207 (void) sigaddset(&block_cld, SIGCHLD);
2208 (void) sigprocmask(SIG_BLOCK, &block_cld, NULL);
2209
2210 if ((ctfd = init_template()) == -1) {
2211 zerror(zlogp, B_TRUE, "failed to create contract");
2212 return (1);
2213 }
2214
2215 /*
2216 * Do not let another thread localize a message while we are forking.
2217 */
2218 (void) mutex_lock(&msglock);
2219 pid = fork();
2220 (void) mutex_unlock(&msglock);
2221
2222 /*
2223 * In all cases (parent, child, and in the event of an error) we
2224 * don't want to cause creation of contracts on subsequent fork()s.
2225 */
2226 (void) ct_tmpl_clear(ctfd);
2227 (void) close(ctfd);
2228
2229 if (pid == -1) {
2230 zerror(zlogp, B_TRUE, "could not fork");
2231 return (1);
2232
2233 } else if (pid > 0) { /* parent */
2234 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2235 /*
2236 * This marks a window of vulnerability in which we receive
2237 * the SIGCLD before falling into sema_wait (normally we would
2238 * get woken up from sema_wait with EINTR upon receipt of
2239 * SIGCLD). So we may need to use some other scheme like
2240 * sema_posting in the sigcld handler.
2241 * blech
2242 */
2243 (void) sema_wait(&shstate->sem);
2244 (void) sema_destroy(&shstate->sem);
2245 if (shstate->status != 0)
2246 (void) waitpid(pid, NULL, WNOHANG);
2247 /*
2248 * It's ok if we die with SIGPIPE. It's not like we could have
2249 * done anything about it.
2250 */
2251 (void) fprintf(stderr, "%s", shstate->log.buf);
2252 _exit(shstate->status == 0 ? 0 : 1);
2253 }
2254
2255 /*
2256 * The child charges on.
2257 */
2258 (void) sigset(SIGCHLD, SIG_DFL);
2259 (void) sigprocmask(SIG_UNBLOCK, &block_cld, NULL);
2260
2261 /*
2262 * SIGPIPE can be delivered if we write to a socket for which the
2263 * peer endpoint is gone. That can lead to too-early termination
2264 * of zoneadmd, and that's not good eats.
2265 */
2266 (void) sigset(SIGPIPE, SIG_IGN);
2267 /*
2268 * Stop using stderr
2269 */
2270 zlogp = &shstate->log;
2271
2272 /*
2273 * We don't need stdout/stderr from now on.
2274 */
2275 closefrom(0);
2276
2277 /*
2278 * Initialize the syslog zlog_t. This needs to be done after
2279 * the call to closefrom().
2280 */
2281 logsys.buf = logsys.log = NULL;
2282 logsys.buflen = logsys.loglen = 0;
2283 logsys.logfile = NULL;
2284 logsys.locale = DEFAULT_LOCALE;
2285
2286 openlog("zoneadmd", LOG_PID, LOG_DAEMON);
2287
2288 /*
2289 * The eventstream is used to publish state changes in the zone
2290 * from the door threads to the console I/O poller.
2291 */
2292 if (eventstream_init() == -1) {
2293 zerror(zlogp, B_TRUE, "unable to create eventstream");
2294 goto child_out;
2295 }
2296
2297 (void) snprintf(zone_door_path, sizeof (zone_door_path),
2298 "%s" ZONE_DOOR_PATH, zonecfg_get_root(), zone_name);
2299
2300 /*
2301 * See if another zoneadmd is running for this zone. If not, then we
2302 * can now modify system state.
2303 */
2304 if (make_daemon_exclusive(zlogp) == -1)
2305 goto child_out;
2306
2307
2308 /*
2309 * Create/join a new session; we need to be careful of what we do with
2310 * the console from now on so we don't end up being the session leader
2311 * for the terminal we're going to be handing out.
2312 */
2313 (void) setsid();
2314
2315 /*
2316 * This thread shouldn't be receiving any signals; in particular,
2317 * SIGCHLD should be received by the thread doing the fork().
2318 */
2319 (void) sigfillset(&blockset);
2320 (void) thr_sigsetmask(SIG_BLOCK, &blockset, NULL);
2321
2322 /*
2323 * Setup the console device and get ready to serve the console;
2324 * once this has completed, we're ready to let console clients
2325 * make an attempt to connect (they will block until
2326 * serve_console_sock() below gets called, and any pending
2327 * connection is accept()ed).
2328 */
2329 if (!zonecfg_in_alt_root() && init_console(zlogp) < 0)
2330 goto child_out;
2331
2332 /*
2333 * Take the lock now, so that when the door server gets going, we
2334 * are guaranteed that it won't take a request until we are sure
2335 * that everything is completely set up. See the child_out: label
2336 * below to see why this matters.
2337 */
2338 (void) mutex_lock(&lock);
2339
2340 /* Init semaphore for scratch zones. */
2341 if (sema_init(&scratch_sem, 0, USYNC_THREAD, NULL) == -1) {
2342 zerror(zlogp, B_TRUE,
2343 "failed to initialize semaphore for scratch zone");
2344 goto child_out;
2345 }
2346
2347 /* open the dladm handle */
2348 if (dladm_open(&dld_handle) != DLADM_STATUS_OK) {
2349 zerror(zlogp, B_FALSE, "failed to open dladm handle");
2350 goto child_out;
2351 }
2352
2353 /*
2354 * Note: door setup must occur *after* the console is setup.
2355 * This is so that as zlogin tests the door to see if zoneadmd
2356 * is ready yet, we know that the console will get serviced
2357 * once door_info() indicates that the door is "up".
2358 */
2359 if (setup_door(zlogp) == -1)
2360 goto child_out;
2361
2362 /*
2363 * Things seem OK so far; tell the parent process that we're done
2364 * with setup tasks. This will cause the parent to exit, signalling
2365 * to zoneadm, zlogin, or whatever forked it that we are ready to
2366 * service requests.
2367 */
2368 shstate->status = 0;
2369 (void) sema_post(&shstate->sem);
2370 (void) munmap((char *)shstate, shstatelen);
2371 shstate = NULL;
2372
2373 (void) mutex_unlock(&lock);
2374
2375 /*
2376 * zlogp is now invalid, so reset it to the syslog logger.
2377 */
2378 zlogp = &logsys;
2379
2380 /*
2381 * Now that we are free of any parents, switch to the default locale.
2382 */
2383 (void) setlocale(LC_ALL, DEFAULT_LOCALE);
2384
2385 /*
2386 * At this point the setup portion of main() is basically done, so
2387 * we reuse this thread to manage the zone console. When
2388 * serve_console() has returned, we are past the point of no return
2389 * in the life of this zoneadmd.
2390 */
2391 if (zonecfg_in_alt_root()) {
2392 /*
2393 * This is just awful, but mounted scratch zones don't (and
2394 * can't) have consoles. We just wait for unmount instead.
2395 */
2396 while (sema_wait(&scratch_sem) == EINTR)
2397 ;
2398 } else {
2399 serve_console(zlogp);
2400 assert(in_death_throes);
2401 }
2402
2403 /*
2404 * This is the next-to-last part of the exit interlock. Upon calling
2405 * fdetach(), the door will go unreferenced; once any
2406 * outstanding requests (like the door thread doing Z_HALT) are
2407 * done, the door will get an UNREF notification; when it handles
2408 * the UNREF, the door server will cause the exit. It's possible
2409 * that fdetach() can fail because the file is in use, in which
2410 * case we'll retry the operation.
2411 */
2412 assert(!MUTEX_HELD(&lock));
2413 for (;;) {
2414 if ((fdetach(zone_door_path) == 0) || (errno != EBUSY))
2415 break;
2416 yield();
2417 }
2418
2419 for (;;)
2420 (void) pause();
2421
2422 child_out:
2423 assert(pid == 0);
2424 if (shstate != NULL) {
2425 shstate->status = -1;
2426 (void) sema_post(&shstate->sem);
2427 (void) munmap((char *)shstate, shstatelen);
2428 }
2429
2430 /*
2431 * This might trigger an unref notification, but if so,
2432 * we are still holding the lock, so our call to exit will
2433 * ultimately win the race and will publish the right exit
2434 * code.
2435 */
2436 if (zone_door != -1) {
2437 assert(MUTEX_HELD(&lock));
2438 (void) door_revoke(zone_door);
2439 (void) fdetach(zone_door_path);
2440 }
2441
2442 if (dld_handle != NULL)
2443 dladm_close(dld_handle);
2444
2445 return (1); /* return from main() forcibly exits an MT process */
2446 }