#!/usr/bin/perl -T # Note: In theory, all this can be done by 'pveproxy' daemon. But som API call # still have blocking code, so we use a separate daemon to avoid that the console # get blocked. $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin'; delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; use strict; use warnings; use English; use Socket qw(IPPROTO_TCP TCP_NODELAY SOMAXCONN); use IO::Socket::INET; use PVE::SafeSyslog; use PVE::Daemon; use PVE::APIDaemon; # fixme: remove use PVE::API2; use base qw(PVE::Daemon); $SIG{'__WARN__'} = sub { my $err = $@; my $t = $_[0]; chomp $t; print STDERR "$t\n"; syslog('warning', "%s", $t); $@ = $err; }; my $cmdline = [$0, @ARGV]; my %daemon_options = ( max_workers => 1, # fixme: do we need more? restart_on_error => 5, stop_wait_time => 15, run_dir => '/var/run/pveproxy', ); my $daemon = __PACKAGE__->new('spiceproxy', $cmdline, %daemon_options); my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n"; POSIX::setgid($gid) || die "setgid $gid failed - $!\n"; $EGID = "$gid $gid"; # this calls setgroups my $uid = getpwnam('www-data') || die "getpwnam failed - $!\n"; POSIX::setuid($uid) || die "setuid $uid failed - $!\n"; # just to be sure die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid"); sub init { my ($self) = @_; # we use same ALLOW/DENY/POLICY as pveproxy my $proxyconf = PVE::APIDaemon::read_proxy_config(); my $accept_lock_fn = "/var/lock/spiceproxy.lck"; my $lockfh = IO::File->new(">>${accept_lock_fn}") || die "unable to open lock file '${accept_lock_fn}' - $!\n"; my ($socket, $sockfd); if (defined($sockfd = $ENV{PVE_DAEMON_SOCKET_3128}) && $self->{env_restart_pve_daemon}) { die "unable to parse socket fd '$sockfd'\n" if $sockfd !~ m/^(\d+)$/; $sockfd = $1; # untaint $socket = IO::Socket::INET->new; $socket->fdopen($sockfd, 'w') || die "cannot fdopen file descriptor '$sockfd' - $!\n"; } else { $socket = IO::Socket::INET->new( LocalAddr => undef, # all interfaces LocalPort => 3128, Listen => SOMAXCONN, Proto => 'tcp', ReuseAddr => 1) || die "unable to create socket - $@\n"; # we often observe delays when using Nagle algorithm, # so we disable that to maximize performance setsockopt($socket, IPPROTO_TCP, TCP_NODELAY, 1); $ENV{PVE_DAEMON_SOCKET_3128} = $socket->fileno; } # remove FD_CLOEXEC bit to reuse on exec $socket->fcntl(Fcntl::F_SETFD(), 0); $self->{server_config} = { base_handler_class => 'PVE::API2', keep_alive => 0, max_conn => 500, lockfile => $accept_lock_fn, socket => $socket, lockfh => $lockfh, debug => $self->{debug}, spiceproxy => 1, trusted_env => 0, logfile => '/var/log/pveproxy/access.log', allow_from => $proxyconf->{ALLOW_FROM}, deny_from => $proxyconf->{DENY_FROM}, policy => $proxyconf->{POLICY}, }; } sub run { my ($self) = @_; my $server = PVE::HTTPServer->new(%{$self->{server_config}}); $server->run(); } $daemon->register_start_command(); $daemon->register_restart_command(0); $daemon->register_reload_command(); $daemon->register_stop_command(); $daemon->register_status_command(); my $cmddef = { start => [ __PACKAGE__, 'start', []], restart => [ __PACKAGE__, 'restart', []], reload => [ __PACKAGE__, 'reload', []], stop => [ __PACKAGE__, 'stop', []], status => [ __PACKAGE__, 'status', [], undef, sub { print shift . "\n";} ], }; my $cmd = shift; PVE::CLIHandler::handle_cmd($cmddef, $0, $cmd, \@ARGV, undef, $0); exit (0); __END__ =head1 NAME spiceproxy - SPICE proxy server for Proxmox VE =head1 SYNOPSIS =include synopsis =head1 DESCRIPTION SPICE proxy server for Proxmox VE. Listens on port 3128. =head1 Host based access control It is possible to configure apache2 like access control lists. Values are read from file /etc/default/pveproxy (see 'pveproxy' for details). =head1 FILES /etc/default/pveproxy =include pve_copyright