]> git.proxmox.com Git - mirror_lxc.git/blob - src/lxc/commands.c
projects / mirror_lxc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #2643 from brauner/2018-09-23/cgroup_scoping_fixes
[mirror_lxc.git] / src / lxc / commands.c
1 /*
2 * lxc: linux Container library
3 *
4 * (C) Copyright IBM Corp. 2007, 2009
5 *
6 * Authors:
7 * Daniel Lezcano <daniel.lezcano at free.fr>
8 *
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22 */
23
24 #ifndef _GNU_SOURCE
25 #define _GNU_SOURCE 1
26 #endif
27 #include <caps.h>
28 #include <errno.h>
29 #include <fcntl.h>
30 #include <malloc.h>
31 #include <poll.h>
32 #include <signal.h>
33 #include <stdio.h>
34 #include <stdlib.h>
35 #include <sys/param.h>
36 #include <sys/socket.h>
37 #include <sys/un.h>
38 #include <unistd.h>
39
40 #include "af_unix.h"
41 #include "cgroup.h"
42 #include "commands.h"
43 #include "commands_utils.h"
44 #include "conf.h"
45 #include "config.h"
46 #include "confile.h"
47 #include "log.h"
48 #include "lxc.h"
49 #include "lxclock.h"
50 #include "mainloop.h"
51 #include "monitor.h"
52 #include "start.h"
53 #include "terminal.h"
54 #include "utils.h"
55
56 /*
57 * This file provides the different functions for clients to query/command the
58 * server. The client is typically some lxc tool and the server is typically the
59 * container (ie. lxc-start).
60 *
61 * Each command is transactional, the clients send a request to the server and
62 * the server answers the request with a message giving the request's status
63 * (zero or a negative errno value). Both the request and response may contain
64 * additional data.
65 *
66 * Each command is wrapped in a ancillary message in order to pass a credential
67 * making possible to the server to check if the client is allowed to ask for
68 * this command or not.
69 *
70 * IMPORTANTLY: Note that semantics for current commands are fixed. If you wish
71 * to make any changes to how, say, LXC_CMD_GET_CONFIG_ITEM works by adding
72 * information to the end of cmd.data, then you must introduce a new
73 * LXC_CMD_GET_CONFIG_ITEM_V2 define with a new number. You may wish to also
74 * mark LXC_CMD_GET_CONFIG_ITEM deprecated in commands.h.
75 *
76 * This is necessary in order to avoid having a newly compiled lxc command
77 * communicating with a running (old) monitor from crashing the running
78 * container.
79 */
80
81 lxc_log_define(commands, lxc);
82
83 static const char *lxc_cmd_str(lxc_cmd_t cmd)
84 {
85 static const char *const cmdname[LXC_CMD_MAX] = {
86 [LXC_CMD_CONSOLE] = "console",
87 [LXC_CMD_TERMINAL_WINCH] = "terminal_winch",
88 [LXC_CMD_STOP] = "stop",
89 [LXC_CMD_GET_STATE] = "get_state",
90 [LXC_CMD_GET_INIT_PID] = "get_init_pid",
91 [LXC_CMD_GET_CLONE_FLAGS] = "get_clone_flags",
92 [LXC_CMD_GET_CGROUP] = "get_cgroup",
93 [LXC_CMD_GET_CONFIG_ITEM] = "get_config_item",
94 [LXC_CMD_GET_NAME] = "get_name",
95 [LXC_CMD_GET_LXCPATH] = "get_lxcpath",
96 [LXC_CMD_ADD_STATE_CLIENT] = "add_state_client",
97 [LXC_CMD_CONSOLE_LOG] = "console_log",
98 [LXC_CMD_SERVE_STATE_CLIENTS] = "serve_state_clients",
99 };
100
101 if (cmd >= LXC_CMD_MAX)
102 return "Invalid request";
103
104 return cmdname[cmd];
105 }
106
107 /*
108 * lxc_cmd_rsp_recv: Receive a response to a command
109 *
110 * @sock : the socket connected to the container
111 * @cmd : command to put response in
112 *
113 * Returns the size of the response message or < 0 on failure
114 *
115 * Note that if the command response datalen > 0, then data is
116 * a malloc()ed buffer and should be free()ed by the caller. If
117 * the response data is <= a void * worth of data, it will be
118 * stored directly in data and datalen will be 0.
119 *
120 * As a special case, the response for LXC_CMD_CONSOLE is created
121 * here as it contains an fd for the master pty passed through the
122 * unix socket.
123 */
124 static int lxc_cmd_rsp_recv(int sock, struct lxc_cmd_rr *cmd)
125 {
126 int ret, rspfd;
127 struct lxc_cmd_rsp *rsp = &cmd->rsp;
128
129 ret = lxc_abstract_unix_recv_fds(sock, &rspfd, 1, rsp, sizeof(*rsp));
130 if (ret < 0) {
131 SYSWARN("Failed to receive response for command \"%s\"",
132 lxc_cmd_str(cmd->req.cmd));
133
134 if (errno == ECONNRESET)
135 return -1;
136
137 return -1;
138 }
139 TRACE("Command \"%s\" received response", lxc_cmd_str(cmd->req.cmd));
140
141 if (cmd->req.cmd == LXC_CMD_CONSOLE) {
142 struct lxc_cmd_console_rsp_data *rspdata;
143
144 /* recv() returns 0 bytes when a tty cannot be allocated,
145 * rsp->ret is < 0 when the peer permission check failed
146 */
147 if (ret == 0 || rsp->ret < 0)
148 return 0;
149
150 rspdata = malloc(sizeof(*rspdata));
151 if (!rspdata) {
152 errno = ENOMEM;
153 ERROR("Failed to allocate response buffer for command \"%s\"",
154 lxc_cmd_str(cmd->req.cmd));
155 return -1;
156 }
157
158 rspdata->masterfd = rspfd;
159 rspdata->ttynum = PTR_TO_INT(rsp->data);
160 rsp->data = rspdata;
161 }
162
163 if (rsp->datalen == 0) {
164 DEBUG("Response data length for command \"%s\" is 0",
165 lxc_cmd_str(cmd->req.cmd));
166 return ret;
167 }
168
169 if ((rsp->datalen > LXC_CMD_DATA_MAX) &&
170 (cmd->req.cmd != LXC_CMD_CONSOLE_LOG)) {
171 ERROR("Response data for command \"%s\" is too long: %d bytes > %d",
172 lxc_cmd_str(cmd->req.cmd), rsp->datalen, LXC_CMD_DATA_MAX);
173 return -1;
174 }
175
176 if (cmd->req.cmd == LXC_CMD_CONSOLE_LOG) {
177 rsp->data = malloc(rsp->datalen + 1);
178 ((char *)rsp->data)[rsp->datalen] = '\0';
179 } else {
180 rsp->data = malloc(rsp->datalen);
181 }
182 if (!rsp->data) {
183 errno = ENOMEM;
184 ERROR("Failed to allocate response buffer for command \"%s\"",
185 lxc_cmd_str(cmd->req.cmd));
186 return -1;
187 }
188
189 ret = lxc_recv_nointr(sock, rsp->data, rsp->datalen, 0);
190 if (ret != rsp->datalen) {
191 SYSERROR("Failed to receive response data for command \"%s\"",
192 lxc_cmd_str(cmd->req.cmd));
193 return -1;
194 }
195
196 return ret;
197 }
198
199 /*
200 * lxc_cmd_rsp_send: Send a command response
201 *
202 * @fd : file descriptor of socket to send response on
203 * @rsp : response to send
204 *
205 * Returns 0 on success, < 0 on failure
206 */
207 static int lxc_cmd_rsp_send(int fd, struct lxc_cmd_rsp *rsp)
208 {
209 ssize_t ret;
210
211 errno = EMSGSIZE;
212 ret = lxc_send_nointr(fd, rsp, sizeof(*rsp), MSG_NOSIGNAL);
213 if (ret < 0 || (size_t)ret != sizeof(*rsp)) {
214 SYSERROR("Failed to send command response %zd", ret);
215 return -1;
216 }
217
218 if (!rsp->data || rsp->datalen <= 0)
219 return 0;
220
221 errno = EMSGSIZE;
222 ret = lxc_send_nointr(fd, rsp->data, rsp->datalen, MSG_NOSIGNAL);
223 if (ret < 0 || ret != (ssize_t)rsp->datalen) {
224 SYSWARN("Failed to send command response data %zd", ret);
225 return -1;
226 }
227
228 return 0;
229 }
230
231 static int lxc_cmd_send(const char *name, struct lxc_cmd_rr *cmd,
232 const char *lxcpath, const char *hashed_sock_name)
233 {
234 int client_fd, saved_errno;
235 ssize_t ret = -1;
236
237 client_fd = lxc_cmd_connect(name, lxcpath, hashed_sock_name, "command");
238 if (client_fd < 0)
239 return -1;
240
241 ret = lxc_abstract_unix_send_credential(client_fd, &cmd->req,
242 sizeof(cmd->req));
243 if (ret < 0 || (size_t)ret != sizeof(cmd->req))
244 goto on_error;
245
246 if (cmd->req.datalen <= 0)
247 return client_fd;
248
249 errno = EMSGSIZE;
250 ret = lxc_send_nointr(client_fd, (void *)cmd->req.data,
251 cmd->req.datalen, MSG_NOSIGNAL);
252 if (ret < 0 || ret != (ssize_t)cmd->req.datalen)
253 goto on_error;
254
255 return client_fd;
256
257 on_error:
258 saved_errno = errno;
259 close(client_fd);
260 errno = saved_errno;
261
262 return -1;
263 }
264
265 /*
266 * lxc_cmd: Connect to the specified running container, send it a command
267 * request and collect the response
268 *
269 * @name : name of container to connect to
270 * @cmd : command with initialized request to send
271 * @stopped : output indicator if the container was not running
272 * @lxcpath : the lxcpath in which the container is running
273 *
274 * Returns the size of the response message on success, < 0 on failure
275 *
276 * Note that there is a special case for LXC_CMD_CONSOLE. For this command
277 * the fd cannot be closed because it is used as a placeholder to indicate
278 * that a particular tty slot is in use. The fd is also used as a signal to
279 * the container that when the caller dies or closes the fd, the container
280 * will notice the fd on its side of the socket in its mainloop select and
281 * then free the slot with lxc_cmd_fd_cleanup(). The socket fd will be
282 * returned in the cmd response structure.
283 */
284 static int lxc_cmd(const char *name, struct lxc_cmd_rr *cmd, int *stopped,
285 const char *lxcpath, const char *hashed_sock_name)
286 {
287 int client_fd, saved_errno;
288 int ret = -1;
289 bool stay_connected = false;
290
291 if (cmd->req.cmd == LXC_CMD_CONSOLE ||
292 cmd->req.cmd == LXC_CMD_ADD_STATE_CLIENT)
293 stay_connected = true;
294
295 *stopped = 0;
296
297 client_fd = lxc_cmd_send(name, cmd, lxcpath, hashed_sock_name);
298 if (client_fd < 0) {
299 SYSTRACE("Command \"%s\" failed to connect command socket",
300 lxc_cmd_str(cmd->req.cmd));
301
302 if (errno == ECONNREFUSED)
303 *stopped = 1;
304
305 if (errno == EPIPE) {
306 *stopped = 1;
307 client_fd = 0;
308 }
309
310 return -1;
311 }
312
313 ret = lxc_cmd_rsp_recv(client_fd, cmd);
314 if (ret < 0 && errno == ECONNRESET)
315 *stopped = 1;
316
317 if (!stay_connected || ret <= 0)
318 if (client_fd >= 0) {
319 saved_errno = errno;
320 close(client_fd);
321 errno = saved_errno;
322 }
323
324 if (stay_connected && ret > 0)
325 cmd->rsp.ret = client_fd;
326
327 return ret;
328 }
329
330 int lxc_try_cmd(const char *name, const char *lxcpath)
331 {
332 int stopped, ret;
333 struct lxc_cmd_rr cmd = {
334 .req = { .cmd = LXC_CMD_GET_INIT_PID },
335 };
336
337 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
338 if (stopped)
339 return 0;
340 if (ret > 0 && cmd.rsp.ret < 0) {
341 errno = cmd.rsp.ret;
342 return -1;
343 }
344 if (ret > 0)
345 return 0;
346
347 /* At this point we weren't denied access, and the container *was*
348 * started. There was some inexplicable error in the protocol. I'm not
349 * clear on whether we should return -1 here, but we didn't receive a
350 * -EACCES, so technically it's not that we're not allowed to control
351 * the container - it's just not behaving.
352 */
353 return 0;
354 }
355
356 /* Implentations of the commands and their callbacks */
357
358 /*
359 * lxc_cmd_get_init_pid: Get pid of the container's init process
360 *
361 * @name : name of container to connect to
362 * @lxcpath : the lxcpath in which the container is running
363 *
364 * Returns the pid on success, < 0 on failure
365 */
366 pid_t lxc_cmd_get_init_pid(const char *name, const char *lxcpath)
367 {
368 int ret, stopped;
369 intmax_t pid;
370 struct lxc_cmd_rr cmd = {
371 .req = {
372 .cmd = LXC_CMD_GET_INIT_PID
373 },
374 .rsp = {
375 .data = INTMAX_TO_PTR((intmax_t){-1})
376 }
377 };
378
379 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
380 if (ret < 0)
381 return -1;
382
383 pid = PTR_TO_INTMAX(cmd.rsp.data);
384 if (pid < 0)
385 return -1;
386
387 /* We need to assume that pid_t can actually hold any pid given to us
388 * by the kernel. If it can't it's a libc bug.
389 */
390 return (pid_t)pid;
391 }
392
393 static int lxc_cmd_get_init_pid_callback(int fd, struct lxc_cmd_req *req,
394 struct lxc_handler *handler)
395 {
396 intmax_t pid = handler->pid;
397
398 struct lxc_cmd_rsp rsp = {
399 .data = INTMAX_TO_PTR(pid)
400 };
401
402 return lxc_cmd_rsp_send(fd, &rsp);
403 }
404
405 /*
406 * lxc_cmd_get_clone_flags: Get clone flags container was spawned with
407 *
408 * @name : name of container to connect to
409 * @lxcpath : the lxcpath in which the container is running
410 *
411 * Returns the clone flags on success, < 0 on failure
412 */
413 int lxc_cmd_get_clone_flags(const char *name, const char *lxcpath)
414 {
415 int ret, stopped;
416 struct lxc_cmd_rr cmd = {
417 .req = { .cmd = LXC_CMD_GET_CLONE_FLAGS },
418 };
419
420 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
421 if (ret < 0)
422 return ret;
423
424 return PTR_TO_INT(cmd.rsp.data);
425 }
426
427 static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req,
428 struct lxc_handler *handler)
429 {
430 struct lxc_cmd_rsp rsp = { .data = INT_TO_PTR(handler->ns_clone_flags) };
431
432 return lxc_cmd_rsp_send(fd, &rsp);
433 }
434
435 /*
436 * lxc_cmd_get_cgroup_path: Calculate a container's cgroup path for a
437 * particular subsystem. This is the cgroup path relative to the root
438 * of the cgroup filesystem.
439 *
440 * @name : name of container to connect to
441 * @lxcpath : the lxcpath in which the container is running
442 * @subsystem : the subsystem being asked about
443 *
444 * Returns the path on success, NULL on failure. The caller must free() the
445 * returned path.
446 */
447 char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
448 const char *subsystem)
449 {
450 int ret, stopped;
451 struct lxc_cmd_rr cmd = {
452 .req = {
453 .cmd = LXC_CMD_GET_CGROUP,
454 .data = subsystem,
455 .datalen = 0,
456 },
457 };
458
459 cmd.req.data = subsystem;
460 cmd.req.datalen = 0;
461 if (subsystem)
462 cmd.req.datalen = strlen(subsystem) + 1;
463
464 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
465 if (ret < 0)
466 return NULL;
467
468 if (ret == 0)
469 return NULL;
470
471 if (cmd.rsp.ret < 0 || cmd.rsp.datalen < 0)
472 return NULL;
473
474 return cmd.rsp.data;
475 }
476
477 static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req,
478 struct lxc_handler *handler)
479 {
480 const char *path;
481 struct lxc_cmd_rsp rsp;
482 struct cgroup_ops *cgroup_ops = handler->cgroup_ops;
483
484 if (req->datalen > 0)
485 path = cgroup_ops->get_cgroup(cgroup_ops, req->data);
486 else
487 path = cgroup_ops->get_cgroup(cgroup_ops, NULL);
488 if (!path)
489 return -1;
490
491 rsp.ret = 0;
492 rsp.datalen = strlen(path) + 1;
493 rsp.data = (char *)path;
494
495 return lxc_cmd_rsp_send(fd, &rsp);
496 }
497
498 /*
499 * lxc_cmd_get_config_item: Get config item the running container
500 *
501 * @name : name of container to connect to
502 * @item : the configuration item to retrieve (ex: lxc.net.0.veth.pair)
503 * @lxcpath : the lxcpath in which the container is running
504 *
505 * Returns the item on success, NULL on failure. The caller must free() the
506 * returned item.
507 */
508 char *lxc_cmd_get_config_item(const char *name, const char *item,
509 const char *lxcpath)
510 {
511 int ret, stopped;
512 struct lxc_cmd_rr cmd = {
513 .req = { .cmd = LXC_CMD_GET_CONFIG_ITEM,
514 .data = item,
515 .datalen = strlen(item) + 1,
516 },
517 };
518
519 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
520 if (ret < 0)
521 return NULL;
522
523 if (cmd.rsp.ret == 0)
524 return cmd.rsp.data;
525
526 return NULL;
527 }
528
529 static int lxc_cmd_get_config_item_callback(int fd, struct lxc_cmd_req *req,
530 struct lxc_handler *handler)
531 {
532 int cilen;
533 char *cidata;
534 struct lxc_config_t *item;
535 struct lxc_cmd_rsp rsp;
536
537 memset(&rsp, 0, sizeof(rsp));
538 item = lxc_get_config(req->data);
539 if (!item)
540 goto err1;
541
542 cilen = item->get(req->data, NULL, 0, handler->conf, NULL);
543 if (cilen <= 0)
544 goto err1;
545
546 cidata = alloca(cilen + 1);
547 if (item->get(req->data, cidata, cilen + 1, handler->conf, NULL) != cilen)
548 goto err1;
549
550 cidata[cilen] = '\0';
551 rsp.data = cidata;
552 rsp.datalen = cilen + 1;
553 rsp.ret = 0;
554 goto out;
555
556 err1:
557 rsp.ret = -1;
558 out:
559 return lxc_cmd_rsp_send(fd, &rsp);
560 }
561
562 /*
563 * lxc_cmd_get_state: Get current state of the container
564 *
565 * @name : name of container to connect to
566 * @lxcpath : the lxcpath in which the container is running
567 *
568 * Returns the state on success, < 0 on failure
569 */
570 int lxc_cmd_get_state(const char *name, const char *lxcpath)
571 {
572 int ret, stopped;
573 struct lxc_cmd_rr cmd = {
574 .req = { .cmd = LXC_CMD_GET_STATE }
575 };
576
577 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
578 if (ret < 0 && stopped)
579 return STOPPED;
580
581 if (ret < 0)
582 return -1;
583
584 if (!ret) {
585 WARN("Container \"%s\" has stopped before sending its state", name);
586 return -1;
587 }
588
589 DEBUG("Container \"%s\" is in \"%s\" state", name,
590 lxc_state2str(PTR_TO_INT(cmd.rsp.data)));
591
592 return PTR_TO_INT(cmd.rsp.data);
593 }
594
595 static int lxc_cmd_get_state_callback(int fd, struct lxc_cmd_req *req,
596 struct lxc_handler *handler)
597 {
598 struct lxc_cmd_rsp rsp = { .data = INT_TO_PTR(handler->state) };
599
600 return lxc_cmd_rsp_send(fd, &rsp);
601 }
602
603 /*
604 * lxc_cmd_stop: Stop the container previously started with lxc_start. All
605 * the processes running inside this container will be killed.
606 *
607 * @name : name of container to connect to
608 * @lxcpath : the lxcpath in which the container is running
609 *
610 * Returns 0 on success, < 0 on failure
611 */
612 int lxc_cmd_stop(const char *name, const char *lxcpath)
613 {
614 int ret, stopped;
615 struct lxc_cmd_rr cmd = {
616 .req = { .cmd = LXC_CMD_STOP },
617 };
618
619 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
620 if (ret < 0) {
621 if (stopped) {
622 INFO("Container \"%s\" is already stopped", name);
623 return 0;
624 }
625
626 return -1;
627 }
628
629 /* We do not expect any answer, because we wait for the connection to be
630 * closed.
631 */
632 if (ret > 0) {
633 errno = -cmd.rsp.ret;
634 SYSERROR("Failed to stop container \"%s\"", name);
635 return -1;
636 }
637
638 INFO("Container \"%s\" has stopped", name);
639 return 0;
640 }
641
642 static int lxc_cmd_stop_callback(int fd, struct lxc_cmd_req *req,
643 struct lxc_handler *handler)
644 {
645 struct lxc_cmd_rsp rsp;
646 int stopsignal = SIGKILL;
647 struct cgroup_ops *cgroup_ops = handler->cgroup_ops;
648
649 if (handler->conf->stopsignal)
650 stopsignal = handler->conf->stopsignal;
651 memset(&rsp, 0, sizeof(rsp));
652 rsp.ret = kill(handler->pid, stopsignal);
653 if (!rsp.ret) {
654 /* We can't just use lxc_unfreeze() since we are already in the
655 * context of handling the STOP cmd in lxc-start, and calling
656 * lxc_unfreeze() would do another cmd (GET_CGROUP) which would
657 * deadlock us.
658 */
659 if (!cgroup_ops->get_cgroup(cgroup_ops, "freezer"))
660 return 0;
661
662 if (cgroup_ops->unfreeze(cgroup_ops))
663 return 0;
664
665 ERROR("Failed to unfreeze container \"%s\"", handler->name);
666 rsp.ret = -1;
667 }
668
669 return lxc_cmd_rsp_send(fd, &rsp);
670 }
671
672 /*
673 * lxc_cmd_terminal_winch: To process as if a SIGWINCH were received
674 *
675 * @name : name of container to connect to
676 * @lxcpath : the lxcpath in which the container is running
677 *
678 * Returns 0 on success, < 0 on failure
679 */
680 int lxc_cmd_terminal_winch(const char *name, const char *lxcpath)
681 {
682 int ret, stopped;
683 struct lxc_cmd_rr cmd = {
684 .req = { .cmd = LXC_CMD_TERMINAL_WINCH },
685 };
686
687 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
688 if (ret < 0)
689 return ret;
690
691 return 0;
692 }
693
694 static int lxc_cmd_terminal_winch_callback(int fd, struct lxc_cmd_req *req,
695 struct lxc_handler *handler)
696 {
697 struct lxc_cmd_rsp rsp = { .data = 0 };
698
699 lxc_terminal_sigwinch(SIGWINCH);
700
701 return lxc_cmd_rsp_send(fd, &rsp);
702 }
703
704 /*
705 * lxc_cmd_console: Open an fd to a tty in the container
706 *
707 * @name : name of container to connect to
708 * @ttynum : in: the tty to open or -1 for next available
709 * : out: the tty allocated
710 * @fd : out: file descriptor for master side of pty
711 * @lxcpath : the lxcpath in which the container is running
712 *
713 * Returns fd holding tty allocated on success, < 0 on failure
714 */
715 int lxc_cmd_console(const char *name, int *ttynum, int *fd, const char *lxcpath)
716 {
717 int ret, stopped;
718 struct lxc_cmd_console_rsp_data *rspdata;
719 struct lxc_cmd_rr cmd = {
720 .req = { .cmd = LXC_CMD_CONSOLE, .data = INT_TO_PTR(*ttynum) },
721 };
722
723 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
724 if (ret < 0)
725 return ret;
726
727 if (cmd.rsp.ret < 0) {
728 errno = -cmd.rsp.ret;
729 SYSERROR("Denied access to tty");
730 ret = -1;
731 goto out;
732 }
733
734 if (ret == 0) {
735 ERROR("tty number %d invalid, busy or all ttys busy", *ttynum);
736 ret = -1;
737 goto out;
738 }
739
740 rspdata = cmd.rsp.data;
741 if (rspdata->masterfd < 0) {
742 ERROR("Unable to allocate fd for tty %d", rspdata->ttynum);
743 goto out;
744 }
745
746 ret = cmd.rsp.ret; /* socket fd */
747 *fd = rspdata->masterfd;
748 *ttynum = rspdata->ttynum;
749 INFO("Alloced fd %d for tty %d via socket %d", *fd, rspdata->ttynum, ret);
750
751 out:
752 free(cmd.rsp.data);
753 return ret;
754 }
755
756 static int lxc_cmd_console_callback(int fd, struct lxc_cmd_req *req,
757 struct lxc_handler *handler)
758 {
759 int masterfd, ret;
760 struct lxc_cmd_rsp rsp;
761 int ttynum = PTR_TO_INT(req->data);
762
763 masterfd = lxc_terminal_allocate(handler->conf, fd, &ttynum);
764 if (masterfd < 0)
765 goto out_close;
766
767 memset(&rsp, 0, sizeof(rsp));
768 rsp.data = INT_TO_PTR(ttynum);
769 ret = lxc_abstract_unix_send_fds(fd, &masterfd, 1, &rsp, sizeof(rsp));
770 if (ret < 0) {
771 SYSERROR("Failed to send tty to client");
772 lxc_terminal_free(handler->conf, fd);
773 goto out_close;
774 }
775
776 return 0;
777
778 out_close:
779 /* Special indicator to lxc_cmd_handler() to close the fd and do
780 * related cleanup.
781 */
782 return 1;
783 }
784
785 /*
786 * lxc_cmd_get_name: Returns the name of the container
787 *
788 * @hashed_sock_name: hashed socket name
789 *
790 * Returns the name on success, NULL on failure.
791 */
792 char *lxc_cmd_get_name(const char *hashed_sock_name)
793 {
794 int ret, stopped;
795 struct lxc_cmd_rr cmd = {
796 .req = { .cmd = LXC_CMD_GET_NAME},
797 };
798
799 ret = lxc_cmd(NULL, &cmd, &stopped, NULL, hashed_sock_name);
800 if (ret < 0)
801 return NULL;
802
803 if (cmd.rsp.ret == 0)
804 return cmd.rsp.data;
805
806 return NULL;
807 }
808
809 static int lxc_cmd_get_name_callback(int fd, struct lxc_cmd_req *req,
810 struct lxc_handler *handler)
811 {
812 struct lxc_cmd_rsp rsp;
813
814 memset(&rsp, 0, sizeof(rsp));
815
816 rsp.data = (char *)handler->name;
817 rsp.datalen = strlen(handler->name) + 1;
818 rsp.ret = 0;
819
820 return lxc_cmd_rsp_send(fd, &rsp);
821 }
822
823 /*
824 * lxc_cmd_get_lxcpath: Returns the lxcpath of the container
825 *
826 * @hashed_sock_name: hashed socket name
827 *
828 * Returns the lxcpath on success, NULL on failure.
829 */
830 char *lxc_cmd_get_lxcpath(const char *hashed_sock_name)
831 {
832 int ret, stopped;
833 struct lxc_cmd_rr cmd = {
834 .req = { .cmd = LXC_CMD_GET_LXCPATH},
835 };
836
837 ret = lxc_cmd(NULL, &cmd, &stopped, NULL, hashed_sock_name);
838 if (ret < 0)
839 return NULL;
840
841 if (cmd.rsp.ret == 0)
842 return cmd.rsp.data;
843
844 return NULL;
845 }
846
847 static int lxc_cmd_get_lxcpath_callback(int fd, struct lxc_cmd_req *req,
848 struct lxc_handler *handler)
849 {
850 struct lxc_cmd_rsp rsp;
851
852 memset(&rsp, 0, sizeof(rsp));
853
854 rsp.ret = 0;
855 rsp.data = (char *)handler->lxcpath;
856 rsp.datalen = strlen(handler->lxcpath) + 1;
857
858 return lxc_cmd_rsp_send(fd, &rsp);
859 }
860
861 int lxc_cmd_add_state_client(const char *name, const char *lxcpath,
862 lxc_state_t states[MAX_STATE],
863 int *state_client_fd)
864 {
865 int state, stopped;
866 ssize_t ret;
867 struct lxc_cmd_rr cmd = {
868 .req = {
869 .cmd = LXC_CMD_ADD_STATE_CLIENT,
870 .data = states,
871 .datalen = (sizeof(lxc_state_t) * MAX_STATE)
872 },
873 };
874
875 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
876 if (states[STOPPED] != 0 && stopped != 0)
877 return STOPPED;
878
879 if (ret < 0) {
880 if (errno != ECONNREFUSED)
881 SYSERROR("Failed to execute command");
882
883 return -1;
884 }
885
886 /* We should now be guaranteed to get an answer from the state sending
887 * function.
888 */
889 if (cmd.rsp.ret < 0) {
890 errno = -cmd.rsp.ret;
891 SYSERROR("Failed to receive socket fd");
892 return -1;
893 }
894
895 state = PTR_TO_INT(cmd.rsp.data);
896 if (state < MAX_STATE) {
897 TRACE("Container is already in requested state %s", lxc_state2str(state));
898 close(cmd.rsp.ret);
899 return state;
900 }
901
902 *state_client_fd = cmd.rsp.ret;
903 TRACE("Added state client %d to state client list", cmd.rsp.ret);
904 return MAX_STATE;
905 }
906
907 static int lxc_cmd_add_state_client_callback(int fd, struct lxc_cmd_req *req,
908 struct lxc_handler *handler)
909 {
910 int ret;
911 struct lxc_cmd_rsp rsp = {0};
912
913 if (req->datalen < 0)
914 goto reap_client_fd;
915
916 if (req->datalen > (sizeof(lxc_state_t) * MAX_STATE))
917 goto reap_client_fd;
918
919 if (!req->data)
920 goto reap_client_fd;
921
922 rsp.ret = lxc_add_state_client(fd, handler, (lxc_state_t *)req->data);
923 if (rsp.ret < 0)
924 goto reap_client_fd;
925
926 rsp.data = INT_TO_PTR(rsp.ret);
927
928 ret = lxc_cmd_rsp_send(fd, &rsp);
929 if (ret < 0)
930 goto reap_client_fd;
931
932 return 0;
933
934 reap_client_fd:
935 /* Special indicator to lxc_cmd_handler() to close the fd and do related
936 * cleanup.
937 */
938 return 1;
939 }
940
941 int lxc_cmd_console_log(const char *name, const char *lxcpath,
942 struct lxc_console_log *log)
943 {
944 int ret, stopped;
945 struct lxc_cmd_console_log data;
946 struct lxc_cmd_rr cmd;
947
948 data.clear = log->clear;
949 data.read = log->read;
950 data.read_max = *log->read_max;
951
952 cmd.req.cmd = LXC_CMD_CONSOLE_LOG;
953 cmd.req.data = &data;
954 cmd.req.datalen = sizeof(struct lxc_cmd_console_log);
955
956 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
957 if (ret < 0)
958 return ret;
959
960 /* There is nothing to be read from the buffer. So clear any values we
961 * where passed to clearly indicate to the user that nothing went wrong.
962 */
963 if (cmd.rsp.ret == -ENODATA || cmd.rsp.ret == -EFAULT || cmd.rsp.ret == -ENOENT) {
964 *log->read_max = 0;
965 log->data = NULL;
966 }
967
968 /* This is a proper error so don't touch any values we were passed. */
969 if (cmd.rsp.ret < 0)
970 return cmd.rsp.ret;
971
972 *log->read_max = cmd.rsp.datalen;
973 log->data = cmd.rsp.data;
974
975 return 0;
976 }
977
978 static int lxc_cmd_console_log_callback(int fd, struct lxc_cmd_req *req,
979 struct lxc_handler *handler)
980 {
981 struct lxc_cmd_rsp rsp;
982 uint64_t buffer_size = handler->conf->console.buffer_size;
983 const struct lxc_cmd_console_log *log = req->data;
984 struct lxc_ringbuf *buf = &handler->conf->console.ringbuf;
985
986 rsp.ret = -EFAULT;
987 rsp.datalen = 0;
988 rsp.data = NULL;
989 if (buffer_size <= 0)
990 goto out;
991
992 if (log->read || log->write_logfile)
993 rsp.datalen = lxc_ringbuf_used(buf);
994
995 if (log->read)
996 rsp.data = lxc_ringbuf_get_read_addr(buf);
997
998 if (log->read_max > 0 && (log->read_max <= rsp.datalen))
999 rsp.datalen = log->read_max;
1000
1001 /* there's nothing to read */
1002 rsp.ret = -ENODATA;
1003 if (log->read && (buf->r_off == buf->w_off))
1004 goto out;
1005
1006 rsp.ret = 0;
1007 if (log->clear)
1008 lxc_ringbuf_clear(buf); /* clear the ringbuffer */
1009 else if (rsp.datalen > 0)
1010 lxc_ringbuf_move_read_addr(buf, rsp.datalen);
1011
1012 out:
1013 return lxc_cmd_rsp_send(fd, &rsp);
1014 }
1015
1016 int lxc_cmd_serve_state_clients(const char *name, const char *lxcpath,
1017 lxc_state_t state)
1018 {
1019 int stopped;
1020 ssize_t ret;
1021 struct lxc_cmd_rr cmd = {
1022 .req = {
1023 .cmd = LXC_CMD_SERVE_STATE_CLIENTS,
1024 .data = INT_TO_PTR(state)
1025 },
1026 };
1027
1028 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
1029 if (ret < 0) {
1030 SYSERROR("Failed to execute command");
1031 return -1;
1032 }
1033
1034 return 0;
1035 }
1036
1037 static int lxc_cmd_serve_state_clients_callback(int fd, struct lxc_cmd_req *req,
1038 struct lxc_handler *handler)
1039 {
1040 int ret;
1041 lxc_state_t state = PTR_TO_INT(req->data);
1042 struct lxc_cmd_rsp rsp = {0};
1043
1044 ret = lxc_serve_state_clients(handler->name, handler, state);
1045 if (ret < 0)
1046 goto reap_client_fd;
1047
1048 ret = lxc_cmd_rsp_send(fd, &rsp);
1049 if (ret < 0)
1050 goto reap_client_fd;
1051
1052 return 0;
1053
1054 reap_client_fd:
1055 /* Special indicator to lxc_cmd_handler() to close the fd and do related
1056 * cleanup.
1057 */
1058 return 1;
1059 }
1060
1061 static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,
1062 struct lxc_handler *handler)
1063 {
1064 typedef int (*callback)(int, struct lxc_cmd_req *, struct lxc_handler *);
1065
1066 callback cb[LXC_CMD_MAX] = {
1067 [LXC_CMD_CONSOLE] = lxc_cmd_console_callback,
1068 [LXC_CMD_TERMINAL_WINCH] = lxc_cmd_terminal_winch_callback,
1069 [LXC_CMD_STOP] = lxc_cmd_stop_callback,
1070 [LXC_CMD_GET_STATE] = lxc_cmd_get_state_callback,
1071 [LXC_CMD_GET_INIT_PID] = lxc_cmd_get_init_pid_callback,
1072 [LXC_CMD_GET_CLONE_FLAGS] = lxc_cmd_get_clone_flags_callback,
1073 [LXC_CMD_GET_CGROUP] = lxc_cmd_get_cgroup_callback,
1074 [LXC_CMD_GET_CONFIG_ITEM] = lxc_cmd_get_config_item_callback,
1075 [LXC_CMD_GET_NAME] = lxc_cmd_get_name_callback,
1076 [LXC_CMD_GET_LXCPATH] = lxc_cmd_get_lxcpath_callback,
1077 [LXC_CMD_ADD_STATE_CLIENT] = lxc_cmd_add_state_client_callback,
1078 [LXC_CMD_CONSOLE_LOG] = lxc_cmd_console_log_callback,
1079 [LXC_CMD_SERVE_STATE_CLIENTS] = lxc_cmd_serve_state_clients_callback,
1080 };
1081
1082 if (req->cmd >= LXC_CMD_MAX) {
1083 ERROR("Undefined command id %d", req->cmd);
1084 return -1;
1085 }
1086 return cb[req->cmd](fd, req, handler);
1087 }
1088
1089 static void lxc_cmd_fd_cleanup(int fd, struct lxc_handler *handler,
1090 struct lxc_epoll_descr *descr,
1091 const lxc_cmd_t cmd)
1092 {
1093 struct lxc_state_client *client;
1094 struct lxc_list *cur, *next;
1095
1096 lxc_terminal_free(handler->conf, fd);
1097 lxc_mainloop_del_handler(descr, fd);
1098 if (cmd != LXC_CMD_ADD_STATE_CLIENT) {
1099 close(fd);
1100 return;
1101 }
1102
1103 lxc_list_for_each_safe(cur, &handler->conf->state_clients, next) {
1104 client = cur->elem;
1105 if (client->clientfd != fd)
1106 continue;
1107
1108 /* kick client from list */
1109 lxc_list_del(cur);
1110 close(client->clientfd);
1111 free(cur->elem);
1112 free(cur);
1113 /* No need to walk the whole list. If we found the state client
1114 * fd there can't be a second one.
1115 */
1116 break;
1117 }
1118 }
1119
1120 static int lxc_cmd_handler(int fd, uint32_t events, void *data,
1121 struct lxc_epoll_descr *descr)
1122 {
1123 int ret;
1124 struct lxc_cmd_req req;
1125 void *reqdata = NULL;
1126 struct lxc_handler *handler = data;
1127
1128 ret = lxc_abstract_unix_rcv_credential(fd, &req, sizeof(req));
1129 if (ret < 0) {
1130 SYSERROR("Failed to receive data on command socket for command "
1131 "\"%s\"", lxc_cmd_str(req.cmd));
1132
1133 if (errno == EACCES) {
1134 /* We don't care for the peer, just send and close. */
1135 struct lxc_cmd_rsp rsp = {.ret = ret};
1136
1137 lxc_cmd_rsp_send(fd, &rsp);
1138 }
1139
1140 goto out_close;
1141 }
1142
1143 if (ret == 0)
1144 goto out_close;
1145
1146 if (ret != sizeof(req)) {
1147 WARN("Failed to receive full command request. Ignoring request "
1148 "for \"%s\"", lxc_cmd_str(req.cmd));
1149 ret = -1;
1150 goto out_close;
1151 }
1152
1153 if ((req.datalen > LXC_CMD_DATA_MAX) &&
1154 (req.cmd != LXC_CMD_CONSOLE_LOG)) {
1155 ERROR("Received command data length %d is too large for "
1156 "command \"%s\"", req.datalen, lxc_cmd_str(req.cmd));
1157 errno = EFBIG;
1158 ret = -EFBIG;
1159 goto out_close;
1160 }
1161
1162 if (req.datalen > 0) {
1163 /* LXC_CMD_CONSOLE_LOG needs to be able to allocate data
1164 * that exceeds LXC_CMD_DATA_MAX: use malloc() for that.
1165 */
1166 if (req.cmd == LXC_CMD_CONSOLE_LOG)
1167 reqdata = malloc(req.datalen);
1168 else
1169 reqdata = alloca(req.datalen);
1170 if (!reqdata) {
1171 ERROR("Failed to allocate memory for \"%s\" command",
1172 lxc_cmd_str(req.cmd));
1173 errno = ENOMEM;
1174 ret = -ENOMEM;
1175 goto out_close;
1176 }
1177
1178 ret = lxc_recv_nointr(fd, reqdata, req.datalen, 0);
1179 if (ret != req.datalen) {
1180 WARN("Failed to receive full command request. Ignoring "
1181 "request for \"%s\"", lxc_cmd_str(req.cmd));
1182 ret = LXC_MAINLOOP_ERROR;
1183 goto out_close;
1184 }
1185
1186 req.data = reqdata;
1187 }
1188
1189 ret = lxc_cmd_process(fd, &req, handler);
1190 if (ret) {
1191 /* This is not an error, but only a request to close fd. */
1192 ret = LXC_MAINLOOP_CONTINUE;
1193 goto out_close;
1194 }
1195
1196 out:
1197 if (req.cmd == LXC_CMD_CONSOLE_LOG && reqdata)
1198 free(reqdata);
1199
1200 return ret;
1201
1202 out_close:
1203 lxc_cmd_fd_cleanup(fd, handler, descr, req.cmd);
1204 goto out;
1205 }
1206
1207 static int lxc_cmd_accept(int fd, uint32_t events, void *data,
1208 struct lxc_epoll_descr *descr)
1209 {
1210 int connection;
1211 int opt = 1, ret = -1;
1212
1213 connection = accept(fd, NULL, 0);
1214 if (connection < 0) {
1215 SYSERROR("Failed to accept connection to run command.");
1216 return LXC_MAINLOOP_ERROR;
1217 }
1218
1219 ret = fcntl(connection, F_SETFD, FD_CLOEXEC);
1220 if (ret < 0) {
1221 SYSERROR("Failed to set close-on-exec on incoming command connection");
1222 goto out_close;
1223 }
1224
1225 ret = setsockopt(connection, SOL_SOCKET, SO_PASSCRED, &opt, sizeof(opt));
1226 if (ret < 0) {
1227 SYSERROR("Failed to enable necessary credentials on command socket");
1228 goto out_close;
1229 }
1230
1231 ret = lxc_mainloop_add_handler(descr, connection, lxc_cmd_handler, data);
1232 if (ret) {
1233 ERROR("Failed to add command handler");
1234 goto out_close;
1235 }
1236
1237 out:
1238 return ret;
1239
1240 out_close:
1241 close(connection);
1242 goto out;
1243 }
1244
1245 int lxc_cmd_init(const char *name, const char *lxcpath, const char *suffix)
1246 {
1247 int fd, len, ret;
1248 char path[LXC_AUDS_ADDR_LEN] = {0};
1249 char *offset = &path[1];
1250
1251 /* -2 here because this is an abstract unix socket so it needs a
1252 * leading \0, and we null terminate, so it needs a trailing \0.
1253 * Although null termination isn't required by the API, we do it anyway
1254 * because we print the sockname out sometimes.
1255 */
1256 len = sizeof(path) - 2;
1257 ret = lxc_make_abstract_socket_name(offset, len, name, lxcpath, NULL, suffix);
1258 if (ret < 0)
1259 return -1;
1260 TRACE("Creating abstract unix socket \"%s\"", offset);
1261
1262 fd = lxc_abstract_unix_open(path, SOCK_STREAM, 0);
1263 if (fd < 0) {
1264 SYSERROR("Failed to create command socket %s", offset);
1265 if (errno == EADDRINUSE)
1266 ERROR("Container \"%s\" appears to be already running", name);
1267
1268 return -1;
1269 }
1270
1271 ret = fcntl(fd, F_SETFD, FD_CLOEXEC);
1272 if (ret < 0) {
1273 SYSERROR("Failed to set FD_CLOEXEC on command socket file descriptor");
1274 close(fd);
1275 return -1;
1276 }
1277
1278 return fd;
1279 }
1280
1281 int lxc_cmd_mainloop_add(const char *name, struct lxc_epoll_descr *descr,
1282 struct lxc_handler *handler)
1283 {
1284 int ret;
1285 int fd = handler->conf->maincmd_fd;
1286
1287 ret = lxc_mainloop_add_handler(descr, fd, lxc_cmd_accept, handler);
1288 if (ret < 0) {
1289 ERROR("Failed to add handler for command socket");
1290 close(fd);
1291 }
1292
1293 return ret;
1294 }
LXC mirror