path: root/server
Commit message | Author | Age
* Use a temporary file to write the server PID file (Russ Allbery, 2014-01-22)

Use a temporary file and atomic rename when writing the server PID file to avoid racing with a process monitor that tries to read the PID out of the file before it's written.

Change-Id: I827d02438612af407d1496a1160377c283b4e0a4
Reviewed-on: https://gerrit.stanford.edu/1397
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Clean up assumptions about free(NULL) and NULL pointers (Russ Allbery, 2014-01-22)

Stop checking whether something is non-NULL before freeing it. POSIX guarantees you can just call the function without checking, and several of our supporting data structures provide the same guarantee. Assume that memset/calloc will set all the pointers to NULL and they don't have to be set explicitly.

Change-Id: Iea6529c1603aa7724647387f92fc5d4dc5dc708b
Reviewed-on: https://gerrit.stanford.edu/1395
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Rename struct confline to struct rule (Russ Allbery, 2014-01-22)

Since I'm making major sweeping server source changes anyway, take advantage of the opportunity to fix terminology to something that's less confusing. It's better to think of each configuration rule as a "rule" than a "configuration line."

Change-Id: I6755b7121e46265a6001def6edada299f2b31d69
Reviewed-on: https://gerrit.stanford.edu/1394
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Reorganize the process struct a bit (Russ Allbery, 2014-01-22)

Make this somewhat clearer until I have a chance to do further refactoring.

Change-Id: Ic027672af74ec5eb9c67ff4d2dbb4b468e24bf1f
Reviewed-on: https://gerrit.stanford.edu/1393
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Move more child processing into the event loop (Russ Allbery, 2014-01-22)

The previous implementation of the child process handling raced the child exit with the event loop setup. Solve this problem by setting up the event loop and the SIGCHLD handler first, and then spawn the process via a one-time event inside the event loop. This ensures that libevent is ready to catch the SIGCHLD signal before it could possibly be sent.

Move all of the process handling code into a separate file and use that refactoring to try to simplify the code and make it more straightforward. There's still quite a bit of work to do on this.

Fix an evbuffer leak when processing standard input.

Change-Id: I17c03b9e7ac4fabadd1c8f95d647407a7d0fae18
Reviewed-on: https://gerrit.stanford.edu/1391
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Fix a minor server memory leak on help (Russ Allbery, 2014-01-22)

Fix a minor memory leak in the server when processing help commands. We replaced the subcommand with the help subcommand without freeing the previous one.

Change-Id: I3c1a1b50efcfb6d096bdb6269af6196b892eda47
Reviewed-on: https://gerrit.stanford.edu/1390
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Use an evbuffer to store input data for a process (Russ Allbery, 2014-01-22)

Start isolating the process event loop from the rest of the code by not reusing the struct iovec representation of the input data. Instead, convert it to an evbuffer first. This does make another copy of the data. We will rethink this if it shows up as a performance issue.

Change-Id: Ie37dea0e9b4a58fa4f481ed0a4fd5ba8bb7ebdab
Reviewed-on: https://gerrit.stanford.edu/1389
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Simplify process I/O sockets (Russ Allbery, 2014-01-22)

Since we're now using socketpair, we can use a single socket for both standard input and standard output (and, for protocol version one, standard error as well). Do this along with the resulting code simplification and unification of some callbacks.

Handle ECONNRESET errors alongside EPIPE now that we're doing both input and output on the same socket.

Change-Id: I960f39e71ca8db9405a0b41b01a334b5e82ed8e9
Reviewed-on: https://gerrit.stanford.edu/1388
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Remove unnecessary includes from server/commands.c (Russ Allbery, 2014-01-22)

Change-Id: I408efd26f894ee137250e7dec9743c8fd6205d92
Reviewed-on: https://gerrit.stanford.edu/1387
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Suppress debug messages for each argument (Russ Allbery, 2014-01-22)

We were reporting, at debug level, the length of every argument to the server. This seems unnecessary. It produces a lot of output and I've never used this to diagnose problems. Stop doing this.

Change-Id: I1fefe18893525e71c999b7d0f953c1a1f6c77197
Reviewed-on: https://gerrit.stanford.edu/1386
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Use sysdie on failure before exec when running commands (Russ Allbery, 2014-01-22)

We were avoiding sysdie because we had a particular desired exit status. Use a callback to set the exit status instead and switch to sysdie.

Change-Id: I770fcf75946519b3371274c12fe6a66a4df07340
Reviewed-on: https://gerrit.stanford.edu/1385
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Switch to bufferevents for standard output and error (Russ Allbery, 2014-01-22)

Use bufferevents to manage standard output and standard error from the process as well. Replace all the remaining uses of the buffer object in the server with evbuffers instead.

Change-Id: Ic6d59de1bc35dcae564fb62777863bda2935ddd0
Reviewed-on: https://gerrit.stanford.edu/1383
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Convert stdin handling to use a bufferevent (Russ Allbery, 2014-01-22)

Queue up stdin input to the process using a bufferevent rather than manually handling the writes.

Change-Id: I488b670921aa2953bbb462af43816145d4d57f3b
Reviewed-on: https://gerrit.stanford.edu/1382
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Use socketpair instead of pipe for server child processes (Russ Allbery, 2014-01-22)

libevent's bufferevent mechanism requires sockets instead of pipes. Switch from pipe to socketpair in anticipation of converting some of the data handling to bufferevent.

Change-Id: I278df53d47ca65693982d2ee75c01c1285a25f43
Reviewed-on: https://gerrit.stanford.edu/1380
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Send the maximum permissible amount of MESSAGE_OUTPUT data (Russ Allbery, 2014-01-22)

Rather than capping the data returned by the server in one MESSAGE_OUTPUT token at the rather arbitrary length of 65,000 octets, send up to the maximum amount of data permitted by the protocol. This also slightly increases the maximum length of the output returned under the version one protocol.

Change-Id: Ia3e54957aeb67974ede66fda781aeb4a2c97171a
Reviewed-on: https://gerrit.stanford.edu/1379
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Switch the process event loop to libevent (Russ Allbery, 2014-01-17)

Replace the complex hand-coded client event loop, using select, with a rewritten one using libevent. This fixes race conditions in noticing the client exit properly and removes the need for the five-second polling to see whether the client has exited. It also provides a framework for eventual added complexity in the event loop.

Import the buffer utility functions from rra-c-util and use that to manage the client output buffer for now. This will probably be replaced with evbuffers.

This is the first cut, using basic libevent functionality. The next step will be to use bufferevents in some places and extend the use of libevent to other event loops in the server.

Currently requires libevent 2.x. Portability to libevent 1.4.3 will come in a subsequent commit.

Change-Id: Ia8e4cd0a857c710dbc0c348578648084466e886b
Reviewed-on: https://gerrit.stanford.edu/1378
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Add remctl server implementation details (Russ Allbery, 2014-01-13)

Preliminary documentation of the architecture of the remctl server. Written mostly to put down the details of the event loops, in preparation for rewriting them to use libevent, and to provide a framework for further documentation.

Change-Id: Ib52b3e22aaf8fe60b60365b828987cf348e98dd6
Reviewed-on: https://gerrit.stanford.edu/1377
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Add support for systemd socket activation and notification (Russ Allbery, 2014-01-05)

Add support for systemd. If built on a system with systemd installed, remctl will install (but not enable) systemd units to start remctld via socket activation. remctld will also notify systemd when its initialization is complete if started by systemd with service notification enabled.

Change-Id: I91caa7a3a909c7e85454e43b4cf3b6d7bd4a6067
Reviewed-on: https://gerrit.stanford.edu/1356
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Add support for upstart's expect stop protocol (Russ Allbery, 2014-01-05)

Add support for upstart's expect stop daemon synchronization method. When starting remctld in stand-alone mode with upstart, pass the new -Z option to remctld, and it will raise SIGSTOP when ready to accept connections, signaling to upstart that the daemon has fully started.

Change-Id: Ief816224a80b0d7ff68033b454cf05bfa319cdeb
Reviewed-on: https://gerrit.stanford.edu/1355
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Update to rra-c-util 5.1 and C TAP Harness 2.4 (Russ Allbery, 2014-01-05)

Update to rra-c-util 5.1:

* Suppress a dummy symbol in the client library that could leak.
* Don't attempt to use Kerberos if no Kerberos error APIs were found.
* Improve error handling in xasprintf and xvasprintf.
* Check the return status of snprintf and vsnprintf properly.
* Preserve errno if snprintf fails in vasprintf replacement.
* Improve error handling of network_bind_* functions.
* vector_free and cvector_free now can be passed NULL.
* Abort remctl tests if the PID file already exists.

Update to C TAP Harness 2.4:

* Suppress lazy plans and test summaries if the test failed with bail.

Change-Id: I024db40536ff5e20f53bc8d1b346723be05543bc
Reviewed-on: https://gerrit.stanford.edu/1354
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Change my email address to eagle@eyrie.org (Russ Allbery, 2014-01-05)

Change-Id: Iba0376ea03a749d81abc2eeb49b0b5cf7d3e8847
Reviewed-on: https://gerrit.stanford.edu/1353
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Report better error message on bind failure (Russ Allbery, 2013-12-26)

Include the listening port that we were attempting to bind to when reporting a bind failure.

Change-Id: I96df4eec3eac28b563cb2d3ec9395ca3a90cbab6
Reviewed-on: https://gerrit.stanford.edu/1348
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Add a regression test for truncation of large output (Russ Allbery, 2013-05-30)

Add a new backend program that prints out large amounts of output and add to server/streaming a regression test to ensure that we get the proper amount of output even when the backend exits immediately after sending its last output.

Change-Id: I00262b9b31345b5d0f886d1682c50825958a5a67
Reviewed-on: https://gerrit.stanford.edu/1208
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Fix race condition in remctld with output before process end (Russ Allbery, 2013-05-30)

The backend being run is a shell script that does the following:

    cat /root/tmp/databases/tw.db
    rm -rf /root/tmp/databases
    exit 0

remctld doesn't wait for the backend program to close its standard output and standard error since, in some cases (such as when the backend program spawns a daemon via an init script), standard output and standard error are never closed. Instead, it waits until the child process exits, and then considers the command finished.

The problem is that the operating system buffers pipes. In the above, cat exits as soon as it's successfully written all of the file to its output pipe. However, that success from the operating system just indicates that all of the output has been buffered. With newer versions of Linux, that buffer can be quite large. It then goes on to run rm and exit.

In the remctld process, on each trip through the select loop, it polls to see if the child process has exited. If so, it attempts one more time to read output data from the process with a timeout of 0, and then considers the command complete.

The problem is that the remctld server process reads data in chunks of 64000 bytes. If the file is larger, say 100KB, a modern version of Linux will buffer the entire file contents in the pipe buffer and cat will essentially exit as soon as the file contents have been copied into kernel space (which is extremely fast since it's just a move of pages from the disk cache to the pipe cache). It's then possible, if remctld loses the race, for the rm and exit to finish and for remctld to be signaled before remctld reads any of the data. remctld will then observe the child process has exited, read one more block of 64000 bytes, and then leave the rest of the data unread in the pipe buffer, resulting in truncated output. Usually only a small amount of data in excess of a multiple of 64000 at the end of the file is truncated.

The fix is to reduce the timeout to 0 but continue looping on select with a timeout of 0 (indicating a poll of the file descriptors) until no further output is immediately available for reading, and only then consider the command complete.

Change-Id: I38f77a8a9b9d9938ef0521a3df73ea75399cd0bf
Reviewed-on: https://gerrit.stanford.edu/1207
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Remove dead store in the server code (Russ Allbery, 2013-03-15)

Found by clang --analyze.

Change-Id: I1124369a979105c7a04feccb2160fadc04417e5b
Reviewed-on: https://gerrit.stanford.edu/950
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Don't create server PID file until the network is ready (Russ Allbery, 2012-09-25)

Don't create the remctld PID file until the network socket is bound and listening. This helps init scripts starting the daemon to know when startup is complete and the service is available.

Change-Id: Iba4b1fdea49eb31f49af36aa68bb1f4161fe0e69
* Fix file descriptor leak in checking ACL files (Russ Allbery, 2012-09-24)

Fix a file descriptor leak when checking ACL files. This would cause long-running remctld processes to eventually run out of available file descriptors.

Change-Id: I607320ee67fb80990e8605ca2a7c5524010e4fca
* Close some memory leaks in server configuration parsing (Russ Allbery, 2012-09-24)

Free the configuration properly if configuration parsing fails with an error, and correctly free all of the allocated memory when freeing the configuration data.

Change-Id: I67021ae6211b9dba0f944fa174acbaf1c11f81d8
* Free the allocated request argv after running a summary command (Russ Allbery, 2012-05-10)

Change-Id: I4c4c10eee44fccb9e7147cca5c60be18320b64e0
* Fix a couple of memory allocation bugs with summary support (Russ Allbery, 2012-05-10)

We were checking past the end of the argv array when there was no subcommand, and allocating one too few pointers for the summary argv.

Change-Id: If4cf91fa7db6390857e1db64437f7da16204bd0b
* Be more aggressive about closing the client connection on error (Russ Allbery, 2012-05-10)

remctld now always closes the client connection after low-level errors reading or sending tokens. Previously, it would attempt to continue after some socket or GSS-API errors, which may have caused hanging remctld processes in some circumstances.

Change-Id: I6887bc608f1cc846456e668f84b38897ee1f67ea
* Some coding style and ordering cleanup of help/summary support (Russ Allbery, 2012-05-08)

Fix a few comments and use a simpler call and return convention in a few places. Move the test for help after the test for unknown commands so that help on an unknown command returns an unknown command error rather than an error about missing help.

Change-Id: Ie837abd619e9ce8f919ae964e28d22cc52c02c8f
* Add help interface to remctl commands (Jon Robertson, 2012-05-08)

Added a 'summary=<arg>' option in the remctl config files. A user who runs a simple 'help' command against the server will have returned the results of running each command he has access to with whatever argument has been specified as the summary command. This both lets him get an idea of all commands he has access to, and provides basic help for those commands.

Added a 'help=<arg>' option in the remctl config files. A user who runs 'help <command>' will have the command program run with whatever argument is specified in that option. This creates a standard way to get further help for any commands the user can run on the server. Further, running 'help <command> <subcommand>' will pass along the subcommand requested, so that the program can give more specific help if it's so written.

Change-Id: I5202e4973bfb62f6374135e0010798e9372737dc
Reviewed-on: https://gerrit.stanford.edu/267
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
* Fix comment typo in server/remctld.c (Russ Allbery, 2012-03-20)

Change-Id: I580dfdea672c497aedd2e34eabb24d572d197d4b
Reviewed-on: https://gerrit.stanford.edu/271
Tested-by: Russ Allbery <rra@stanford.edu>
Reviewed-by: Russ Allbery <rra@stanford.edu>
* Additional cleanup of the remctld user configuration support (Russ Allbery, 2012-02-22)

Factor out common code to convert a string to a number to a utility function and modify the other configuration option parsing functions to call it.

Change-Id: I6159b200f7acc426b07042ba9cf2807529975958
* Add server configuration option to run as a different user (Andrew Mortensen, 2012-02-22)

Add a new server configuration option for remctl commands, user, which sets the user as which to run the command. If this option is set, remctld changes to the given user and that user's groups before running the command. The groups are set via initgroups and the primary group is looked up via getpwuid. The user may be either a UID or a username.
* Map timeout errors to a token error code (Russ Allbery, 2012-02-19)

Set up a general framework for mapping certain errno values to token error codes, also used for EOF, and map the timeout error to the corresponding token error code so that special action can be taken where appropriate. Update the logging functions for client and server to recognize the new token error code.

Change-Id: Ibc2a38574657273ec92c9af5806177ac8f11556a
* Only impose a network timeout on the server, not a session limit (Russ Allbery, 2012-02-18)

The remctld server now imposes a one-hour timeout between messages from the client rather than a one-hour timeout for the entire session, allowing clients to continue to send commands for as long as they stay connected and not idle.

Change-Id: I8c332e34a9561dace06a2b23274ebdafc2ab8bcd
* Use timeout support for all network operations (Russ Allbery, 2012-02-18)

Add timeout support to the token functions. Adjust all callers accordingly. Use a one hour timeout for all server network calls. Add the data and hook for setting a client timeout, although currently there's no way to set it.

Change-Id: Ife4c6cd1b4fbc94623b82bd85e17a0d9a3919fb4
* Compile cleanly with -D_FORTIFY_SOURCE=2 and -Wcast-align (Russ Allbery, 2012-02-09)

Change-Id: If80079f0d0ded800c3f30ca293cd6f0838c7a13c
* Assume keepalive for all commands except MESSAGE_COMMAND (Russ Allbery, 2011-10-05)

Before, we were closing the connection after everything except a MESSAGE_COMMAND with keepalive set. There wasn't very much else available, so this isn't a huge issue, but it's cleaner when handling version replies to keep the session alive. If this change had been in previous versions, higher-version packets could have been used as a no-op command.
* Refactor server token handling (Russ Allbery, 2011-10-05)

Refactor how server token handling is done to be a bit clearer and not treat everything else as weird exception cases for command handling. Introduces a new error code (protocol spec changes coming separately) for receiving unexpected tokens in the middle of a continuation command, and hammers out the continuation handling so that it's a bit more robust. (This still needs tests.)
* Rename handle_commands to handle_messages (Russ Allbery, 2011-10-05)

I'm about to introduce a handle_command function, and it would otherwise be confusing. handle_messages is more general anyway.
* Introduce protocol version 3 and the NOOP command (Russ Allbery, 2011-09-26)

New protocol version 3, which introduces a new NOOP message. When the client sends this message, the server replies with a NOOP message. This can be used to keep a persistent remctl connection alive despite network session timeouts.
* Fix uninitialized variable in remctld standalone server code (Russ Allbery, 2011-05-31)

Fix uninitialized variable in the remctld standalone server code that could cause all remote connections to fail and add a more complete test suite for remote address handling.
* Change the Stanford copyright statement to use the official form (Russ Allbery, 2011-05-31)
* Add support for a -b server flag to set the bind address (Russ Allbery, 2011-05-31)

The remctld server now supports a -b command-line option specifying which local addresses to bind to. This option may be given multiple times to bind to multiple local addresses.
* Move accepting connections to a utility function (Russ Allbery, 2011-05-25)

Accepting connections from an array of file descriptors is a bit fiddly. Move all that code out to a utility function that we can reuse and simplify the server code.
* Bind to both IPv4 and IPv6 addresses when run as a standalone server (Russ Allbery, 2011-05-14)

When run as a standalone daemon, remctld now binds to both IPv4 and IPv6 addresses rather than only IPv4. Add binding to specified addresses to TODO.
* Update warning flags for GCC 4.6.1 (Russ Allbery, 2011-05-14)

Fix a few minor issues that turned up with the new, stricter warnings.