use strict;
use warnings;
use PVE::SafeSyslog;
-use POSIX ":sys_wait_h";
-use Fcntl ':flock';
-use Getopt::Long;
+use PVE::Daemon;
+
use Time::HiRes qw (gettimeofday);
use PVE::Tools qw(dir_glob_foreach file_read_firstline);
+use PVE::ProcFSTools;
use PVE::INotify;
use PVE::Cluster qw(cfs_read_file);
use PVE::RPCEnvironment;
use PVE::FirewallSimulator;
use Data::Dumper;
-use base qw(PVE::CLIHandler);
-
-my $pve_firewall_pidfile = "/var/run/pve-firewall.pid";
+use base qw(PVE::Daemon);
$SIG{'__WARN__'} = sub {
my $err = $@;
my $t = $_[0];
chomp $t;
- print "$t\n";
- syslog('warning', "WARNING: %s", $t);
+ print STDERR "$t\n";
+ syslog('warning', "%s", $t);
$@ = $err;
};
-initlog('pve-firewall');
-
-$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
+my $cmdline = [$0, @ARGV];
-die "please run as root\n" if $> != 0;
+my %daemon_options = (restart_on_error => 5, stop_wait_time => 5);
-PVE::INotify::inotify_init();
+my $daemon = __PACKAGE__->new('pve-firewall', $cmdline, %daemon_options);
my $rpcenv = PVE::RPCEnvironment->init('cli');
my $nodename = PVE::INotify::nodename();
-my $commandline = [$0, @ARGV];
-
-$0 = "pve-firewall";
-
-sub restart_server {
- my ($waittime) = @_;
-
- syslog('info', "server shutdown (restart)");
-
- $ENV{RESTART_PVE_FIREWALL} = 1;
-
- sleep($waittime) if $waittime; # avoid high server load due to restarts
-
- PVE::INotify::inotify_close();
-
- exec (@$commandline);
- exit (-1); # never reached?
-}
-
-sub cleanup {
- unlink "$pve_firewall_pidfile.lock";
- unlink $pve_firewall_pidfile;
-}
-
-sub lockpidfile {
- my $pidfile = shift;
- my $lkfn = "$pidfile.lock";
-
- if (!open (FLCK, ">>$lkfn")) {
- my $msg = "can't aquire lock on file '$lkfn' - $!";
- syslog ('err', $msg);
- die "ERROR: $msg\n";
- }
-
- if (!flock (FLCK, LOCK_EX|LOCK_NB)) {
- close (FLCK);
- my $msg = "can't aquire lock '$lkfn' - $!";
- syslog ('err', $msg);
- die "ERROR: $msg\n";
- }
-}
-
-sub writepidfile {
- my $pidfile = shift;
+sub init {
- if (!open (PIDFH, ">$pidfile")) {
- my $msg = "can't open pid file '$pidfile' - $!";
- syslog ('err', $msg);
- die "ERROR: $msg\n";
- }
- print PIDFH "$$\n";
- close (PIDFH);
+ PVE::Cluster::cfs_update();
+
+ PVE::Firewall::init();
}
my $restart_request = 0;
my $initial_memory_usage;
-sub run_server {
- my ($param) = @_;
-
- # try to get the lock
- lockpidfile($pve_firewall_pidfile);
+sub shutdown {
+ my ($self) = @_;
- # run in background
- my $spid;
+ syslog('info' , "server closing");
- my $restart = $ENV{RESTART_PVE_FIREWALL};
-
- delete $ENV{RESTART_PVE_FIREWALL};
-
- PVE::Cluster::cfs_update();
-
- PVE::Firewall::init();
-
- if (!$param->{debug}) {
- open STDIN, '</dev/null' || die "can't read /dev/null";
- open STDOUT, '>/dev/null' || die "can't write /dev/null";
- }
-
- if (!$restart && !$param->{debug}) {
- $spid = fork();
- if (!defined ($spid)) {
- my $msg = "can't put server into background - fork failed";
- syslog('err', $msg);
- die "ERROR: $msg\n";
- } elsif ($spid) { # parent
- exit (0);
- }
- }
-
- writepidfile($pve_firewall_pidfile);
-
- open STDERR, '>&STDOUT' || die "can't close STDERR\n";
-
- $SIG{INT} = $SIG{TERM} = $SIG{QUIT} = sub {
- syslog('info' , "server closing");
-
- $SIG{INT} = 'DEFAULT';
-
- # wait for children
- 1 while (waitpid(-1, POSIX::WNOHANG()) > 0);
+ # wait for children
+ 1 while (waitpid(-1, POSIX::WNOHANG()) > 0);
- syslog('info' , "clear firewall rules");
- eval { PVE::Firewall::remove_pvefw_chains(); die "STOP";};
- warn $@ if $@;
-
- cleanup();
-
- exit (0);
- };
-
- $SIG{HUP} = sub {
- # wake up process, so this forces an immediate firewall rules update
- syslog('info' , "received signal HUP (restart)");
- $restart_request = 1;
- };
-
- if ($restart) {
- syslog('info' , "restarting server");
- } else {
- syslog('info' , "starting server");
- }
-
- for (;;) { # forever
-
- eval {
-
- local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs
-
- $next_update = time() + $updatetime;
+ syslog('info' , "clear firewall rules");
- my ($ccsec, $cusec) = gettimeofday ();
- eval {
- PVE::Cluster::cfs_update();
- PVE::Firewall::update();
- };
- my $err = $@;
+ eval { PVE::Firewall::remove_pvefw_chains(); };
+ warn $@ if $@;
- if ($err) {
- syslog('err', "status update error: $err");
- }
+ $self->exit_daemon(0);
+}
- my ($ccsec_end, $cusec_end) = gettimeofday ();
- my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000;
+sub hup {
+ my ($self) = @_;
- syslog('info', sprintf("firewall update time (%.3f seconds)", $cptime))
- if ($cptime > 5);
+ $restart_request = 1;
+}
- $cycle++;
+sub run {
+ my ($self) = @_;
- my $mem = PVE::ProcFSTools::read_memory_usage();
+ local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs
- if (!defined($initial_memory_usage) || ($cycle < 10)) {
- $initial_memory_usage = $mem->{resident};
- } else {
- my $diff = $mem->{resident} - $initial_memory_usage;
- if ($diff > 5*1024*1024) {
- syslog ('info', "restarting server after $cycle cycles to " .
- "reduce memory usage (free $mem->{resident} ($diff) bytes)");
- restart_server();
- }
- }
+ for (;;) { # forever
- my $wcount = 0;
- while ((time() < $next_update) &&
- ($wcount < $updatetime) && # protect against time wrap
- !$restart_request) { $wcount++; sleep (1); };
+ $next_update = time() + $updatetime;
- restart_server() if $restart_request;
+ my ($ccsec, $cusec) = gettimeofday ();
+ eval {
+ PVE::Cluster::cfs_update();
+ PVE::Firewall::update();
};
-
my $err = $@;
-
+
if ($err) {
- syslog ('err', "ERROR: $err");
- restart_server(5);
- exit (0);
+ syslog('err', "status update error: $err");
}
- }
-}
-__PACKAGE__->register_method ({
- name => 'start',
- path => 'start',
- method => 'POST',
- description => "Start the Proxmox VE firewall service.",
- parameters => {
- additionalProperties => 0,
- properties => {
- debug => {
- description => "Debug mode - stay in foreground",
- type => "boolean",
- optional => 1,
- default => 0,
- },
- },
- },
- returns => { type => 'null' },
+ my ($ccsec_end, $cusec_end) = gettimeofday ();
+ my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000;
- code => sub {
- my ($param) = @_;
+ syslog('info', sprintf("firewall update time (%.3f seconds)", $cptime))
+ if ($cptime > 5);
- run_server($param);
+ $cycle++;
- return undef;
- }});
-
-__PACKAGE__->register_method ({
- name => 'stop',
- path => 'stop',
- method => 'POST',
- description => "Stop firewall. This removes all Proxmox VE related iptable rules. The host is unprotected afterwards.",
- parameters => {
- additionalProperties => 0,
- properties => {},
- },
- returns => { type => 'null' },
-
- code => sub {
- my ($param) = @_;
-
- my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) || 0);
-
- if ($pid) {
- if (PVE::ProcFSTools::check_process_running($pid)) {
- kill(15, $pid); # send TERM signal
- # give max 5 seconds to shut down
- for (my $i = 0; $i < 5; $i++) {
- last if !PVE::ProcFSTools::check_process_running($pid);
- sleep (1);
- }
-
- # to be sure
- kill(9, $pid);
- waitpid($pid, 0);
- }
- if (-f $pve_firewall_pidfile) {
- # try to get the lock
- lockpidfile($pve_firewall_pidfile);
- cleanup();
+ my $mem = PVE::ProcFSTools::read_memory_usage();
+
+ if (!defined($initial_memory_usage) || ($cycle < 10)) {
+ $initial_memory_usage = $mem->{resident};
+ } else {
+ my $diff = $mem->{resident} - $initial_memory_usage;
+ if ($diff > 5*1024*1024) {
+ syslog ('info', "restarting server after $cycle cycles to " .
+ "reduce memory usage (free $mem->{resident} ($diff) bytes)");
+ $self->restart_daemon();
}
}
- return undef;
- }});
+ my $wcount = 0;
+ while ((time() < $next_update) &&
+ ($wcount < $updatetime) && # protect against time wrap
+ !$restart_request) { $wcount++; sleep (1); };
+
+ $self->restart_daemon() if $restart_request;
+ }
+}
+
+$daemon->register_start_command("Start the Proxmox VE firewall service.");
+$daemon->register_restart_command(1, "Restart the Proxmox VE firewall service.");
+$daemon->register_stop_command("Stop firewall. This removes all Proxmox VE " .
+ "related iptable rules. " .
+ "The host is unprotected afterwards.");
__PACKAGE__->register_method ({
name => 'status',
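Review bot: In the new `shutdown`, a failure of `PVE::Firewall::remove_pvefw_chains()` is reported only through `warn $@ if $@;`, while `run` now installs `local $SIG{'__WARN__'} = 'IGNORE'` for its entire loop rather than per iteration; if PVE::Daemon dispatches the stop signal while `run` is active, a failed rule cleanup on stop leaves no trace in the log, so report it directly with `syslog('err', "clear firewall rules failed: $@") if $@;`. `POSIX::WNOHANG()` in the child-reaping line of `shutdown` now relies on POSIX having been loaded by some other module, because `use POSIX ":sys_wait_h";` was dropped from the preamble; keeping `use POSIX qw(:sys_wait_h);` in this file avoids an undefined-subroutine error at shutdown. `$restart_request` is set in `hup` but never cleared, so if `$self->restart_daemon()` ever returned instead of re-executing, every later cycle would skip the `while ((time() < $next_update) ...` wait loop — presumably it does not return, but this is worth confirming against PVE::Daemon. The explicit `$ENV{'PATH'}` assignment and the `die "please run as root\n"` check removed from the preamble are not re-established in the visible hunks, and `hup` no longer logs the received signal; confirm that `PVE::Daemon->new` provides the first two, and consider restoring `syslog('info', "received signal HUP (restart)");` in `hup`.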
my $code = sub {
- my $pid = int(PVE::Tools::file_read_firstline($pve_firewall_pidfile) || 0);
- my $running = PVE::ProcFSTools::check_process_running($pid);
-
- my $status = $running ? 'running' : 'stopped';
+ my $status = $daemon->running() ? 'running' : 'stopped';
my $res = { status => $status };
my $cmddef = {
start => [ __PACKAGE__, 'start', []],
+ restart => [ __PACKAGE__, 'restart', []],
stop => [ __PACKAGE__, 'stop', []],
compile => [ __PACKAGE__, 'compile', []],
simulate => [ __PACKAGE__, 'simulate', []],