pveproxy: use PVE::Daemon
1 #!/usr/bin/perl -T
2
3 # Note: In theory, all this can be done by the 'pveproxy' daemon. But some
4 # API calls still have blocking code, so we use a separate daemon to keep
5 # the console from getting blocked.
6
# The script runs under taint mode (-T on the shebang line), so the
# environment inherited from the caller must be sanitised before any external
# command can be run: pin PATH to system directories only, then drop the
# variables that can change how a shell locates or interprets commands.
$ENV{PATH} = join(':', qw(/sbin /bin /usr/sbin /usr/bin));

delete $ENV{$_} for qw(IFS CDPATH ENV BASH_ENV);
10
11 use strict;
12 use warnings;
13 use English;
14
15 use PVE::SafeSyslog;
16 use PVE::Daemon;
17 use PVE::APIDaemon; # fixme: remove
18 use PVE::API2;
19
20 use base qw(PVE::Daemon);
21
# Route every Perl warning to both STDERR and syslog.
#
# The message is handed to syslog as an argument to a fixed "%s" format, so
# '%' sequences inside the warning text are never treated as format
# directives. $@ is saved on entry and restored on exit so that a warning
# raised while an eval error is pending does not clobber that error.
$SIG{__WARN__} = sub {
    my ($message) = @_;
    my $pending_eval_error = $@;

    chomp $message;
    print STDERR "$message\n";
    syslog('warning', "%s", $message);

    $@ = $pending_eval_error;
};
30
# Snapshot the full invocation (program name plus all arguments). This is
# taken before the sub-command is shifted off @ARGV further down, so it still
# contains it. NOTE(review): presumably PVE::Daemon uses it to re-exec on
# restart - confirm there.
my $cmdline = [ $0, @ARGV ];

# Settings handed to the PVE::Daemon constructor.
# NOTE(review): run_dir is named after pveproxy, not spiceproxy - looks like
# the directory is shared with that daemon; confirm its ownership and mode
# fit the www-data user this process switches to.
my %daemon_options = (
    run_dir                       => '/var/run/pveproxy',
    max_workers                   => 1,    # todo: do we need more?
    restart_on_error              => 5,
    stop_wait_time                => 15,
    leave_children_open_on_reload => 1,
);

my $daemon = __PACKAGE__->new('spiceproxy', $cmdline, %daemon_options);
42
# Switch to the unprivileged 'www-data' account. The order matters: primary
# group first, then the supplementary group list, and the user id last,
# because once the uid is changed the process can no longer change its groups.
# NOTE(review): POSIX is called fully qualified but is not loaded by this
# file itself - presumably one of the PVE modules pulls it in; confirm.
my $gid = getgrnam('www-data')
    or die "getgrnam failed - $!\n";
POSIX::setgid($gid)
    or die "setgid $gid failed - $!\n";
$EGID = "$gid $gid";    # this calls setgroups
my $uid = getpwnam('www-data')
    or die "getpwnam failed - $!\n";
POSIX::setuid($uid)
    or die "setuid $uid failed - $!\n";

# just to be sure
# The assignment to $EGID above has no error check of its own, so this
# comparison is what catches a failed setgroups: real and effective uid, and
# real and effective gid plus group list, must all match the target account.
die "detected strange uid/gid\n"
    unless $UID == $uid
        && $EUID == $uid
        && $GID eq "$gid $gid"
        && $EGID eq "$gid $gid";
51
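# Prepare everything the HTTP server needs and store it in
# $self->{server_config}: the host access rules, the accept lock file and the
# listening socket.
#
# The top-level code of this script has already switched to 'www-data' by the
# time the daemon framework can call this, so the lock file is created and the
# socket bound without root. Port 3128 is above 1023 and needs no privilege.
sub init {
    my ($self) = @_;

    # we use same ALLOW/DENY/POLICY as pveproxy
    my $acl_conf = PVE::APIDaemon::read_proxy_config();

    my $accept_lock_fn = "/var/lock/spiceproxy.lck";

    # Pass the append mode as a separate argument instead of gluing ">>" onto
    # the file name, so the name is never parsed for mode characters.
    # NOTE(review): the file lives in a shared lock directory and is opened by
    # the unprivileged user - confirm the permissions of /var/lock on the
    # target system.
    my $lockfh = IO::File->new($accept_lock_fn, '>>') ||
        die "unable to open lock file '${accept_lock_fn}' - $!\n";

    my $listen_socket = $self->create_reusable_socket(3128);

    # NOTE(review): 'spiceproxy' and 'trusted_env' are interpreted by
    # PVE::HTTPServer; trusted_env => 0 presumably marks requests as coming
    # from an untrusted network - confirm there. The access log path is under
    # the pveproxy log directory, so both daemons appear to share it.
    $self->{server_config} = {
        base_handler_class => 'PVE::API2',
        keep_alive         => 0,
        max_conn           => 500,
        lockfile           => $accept_lock_fn,
        socket             => $listen_socket,
        lockfh             => $lockfh,
        debug              => $self->{debug},
        spiceproxy         => 1,
        trusted_env        => 0,
        logfile            => '/var/log/pveproxy/access.log',
        allow_from         => $acl_conf->{ALLOW_FROM},
        deny_from          => $acl_conf->{DENY_FROM},
        policy             => $acl_conf->{POLICY},
    };
}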
81
# Build the HTTP server from the configuration stored in
# $self->{server_config} by init() and hand control to its run() method,
# whose result is returned to the caller.
sub run {
    my ($self) = @_;

    my %server_args = %{ $self->{server_config} };

    return PVE::HTTPServer->new(%server_args)->run();
}
88
# Register the lifecycle commands (start, restart, stop, status) on the
# daemon object.
$daemon->register_start_command();
$daemon->register_restart_command(1);
$daemon->register_stop_command();
$daemon->register_status_command();

# Command table for the CLI handler. Only these four sub-commands are
# defined; 'status' additionally prints the value it is given, followed by a
# newline.
my $cmddef = {
    start   => [ __PACKAGE__, 'start',   [] ],
    restart => [ __PACKAGE__, 'restart', [] ],
    stop    => [ __PACKAGE__, 'stop',    [] ],
    status  => [
        __PACKAGE__, 'status', [], undef,
        sub {
            my ($state) = @_;
            print $state . "\n";
        },
    ],
};

# First command-line argument selects the sub-command; whatever remains in
# @ARGV is passed on as its arguments.
my $cmd = shift @ARGV;

PVE::CLIHandler::handle_cmd($cmddef, $0, $cmd, \@ARGV, undef, $0);

exit(0);
106
107 __END__
108
109 =head1 NAME
110
111 spiceproxy - SPICE proxy server for Proxmox VE
112
113 =head1 SYNOPSIS
114
115 =include synopsis
116
117 =head1 DESCRIPTION
118
119 SPICE proxy server for Proxmox VE. Listens on port 3128.
120
121 =head1 Host based access control
122
123 It is possible to configure apache2-like access control lists. Values are read
124 from the file /etc/default/pveproxy (see 'pveproxy' for details).
125
126 =head1 FILES
127
128 /etc/default/pveproxy
129
130 =include pve_copyright