diff --git a/agents/virt/include/static_map.h b/agents/virt/include/static_map.h index 36600186..736e823f 100644 --- a/agents/virt/include/static_map.h +++ b/agents/virt/include/static_map.h @@ -1,32 +1,34 @@ #ifndef _STATIC_MAP_H #define _STATIC_MAP_H typedef int (*map_load_t)(void *config, void **perm_info); -typedef int (*map_check_t)(void *info, const char *src, const char *tgt); +typedef int (*map_check_t)(void *info, const char *src, const char *tgt_uuid, const char *tgt_name); typedef void (*map_cleanup_t)(void **info); typedef struct { map_load_t load; map_check_t check; map_cleanup_t cleanup; void *info; } map_object_t; /* * These macros may be called from within a loadable module */ #define map_load(obj, config) \ obj->load(config, &obj->info) -#define map_check(obj, src, tgt) \ - obj->check(obj->info, src, tgt) +#define map_check(obj, src, tgt_uuid) \ + obj->check(obj->info, src, tgt_uuid, NULL) +#define map_check2(obj, src, tgt_uuid, tgt_name) \ + obj->check(obj->info, src, tgt_uuid, tgt_name) #define map_free(obj) \ obj->cleanup(obj->info) /* Returns a copy of our simple config object */ void *map_init(void); /* Frees a previously-allocated copy of our simple config object */ void map_release(void *c); #endif diff --git a/agents/virt/server/mcast.c b/agents/virt/server/mcast.c index a76888f9..a95ab37d 100644 --- a/agents/virt/server/mcast.c +++ b/agents/virt/server/mcast.c @@ -1,622 +1,622 @@ /* Copyright Red Hat, Inc. 2006 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; see the file COPYING. If not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ /* * Author: Lon Hohberger */ #include "config.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* Local includes */ #include "xvm.h" #include "simple_auth.h" #include "options.h" #include "mcast.h" #include "tcp.h" #include "debug.h" #include "fdops.h" #include "list.h" #include "simpleconfig.h" #include "static_map.h" #include "server_plugin.h" #include "history.h" #define NAME "multicast" -#define MCAST_VERSION "1.2" +#define MCAST_VERSION "1.3" #define MCAST_MAGIC 0xabb911a3 #define VALIDATE(info) \ do {\ if (!info || info->magic != MCAST_MAGIC)\ return -EINVAL;\ } while(0) typedef struct _mcast_options { char *addr; char *key_file; int ifindex; int family; unsigned int port; unsigned int hash; unsigned int auth; unsigned int flags; } mcast_options; typedef struct _mcast_info { uint64_t magic; void *priv; map_object_t *map; history_info_t *history; char key[MAX_KEY_LEN]; mcast_options args; const fence_callbacks_t *cb; ssize_t key_len; int mc_sock; int need_kill; } mcast_info; struct mcast_hostlist_arg { map_object_t *map; const char *src; int fd; }; /* * See if we fenced this node recently (successfully) * If so, ignore the request for a few seconds. * * We purge our history when the entries time out. */ static int check_history(void *a, void *b) { fence_req_t *old = a, *current = b; if (old->request == current->request && old->seqno == current->seqno && !strcasecmp((const char *)old->domain, (const char *)current->domain)) { return 1; } return 0; } static int connect_tcp(fence_req_t *req, fence_auth_type_t auth, void *key, size_t key_len) { int fd = -1; struct sockaddr_in sin; struct sockaddr_in6 sin6; char buf[128]; switch(req->family) { case PF_INET: memset(&sin, 0, sizeof(sin)); memcpy(&sin.sin_addr, req->address, sizeof(sin.sin_addr)); sin.sin_family = PF_INET; fd = ipv4_connect(&sin.sin_addr, req->port, 5); if (fd < 0) { printf("Failed to call back\n"); return -1; } break; case PF_INET6: memset(&sin6, 0, sizeof(sin6)); memcpy(&sin6.sin6_addr, req->address, sizeof(sin6.sin6_addr)); sin.sin_family = PF_INET6; fd = ipv6_connect(&sin6.sin6_addr, req->port, 5); memset(buf,0,sizeof(buf)); inet_ntop(PF_INET6, &sin6.sin6_addr, buf, sizeof(buf)); if (fd < 0) { printf("Failed to call back %s\n", buf); return -1; } break; default: printf("Family = %d\n", req->family); return -1; } /* Noops if auth == AUTH_NONE */ if (sock_response(fd, auth, key, key_len, 10) <= 0) { printf("Failed to respond to challenge\n"); close(fd); return -1; } if (sock_challenge(fd, auth, key, key_len, 10) <= 0) { printf("Remote failed challenge\n"); close(fd); return -1; } return fd; } static int mcast_hostlist(const char *vm_name, const char *vm_uuid, int state, void *priv) { struct mcast_hostlist_arg *arg = (struct mcast_hostlist_arg *)priv; host_state_t hinfo; struct timeval tv; int ret; - if (map_check(arg->map, arg->src, vm_uuid) == 0) { + if (map_check2(arg->map, arg->src, vm_uuid, vm_name) == 0) { /* if we don't have access to fence this VM, * we should not see it in a hostlist either */ return 0; } strncpy((char *)hinfo.domain, vm_name, sizeof(hinfo.domain) - 1); strncpy((char *)hinfo.uuid, vm_uuid, sizeof(hinfo.uuid) - 1); hinfo.state = state; tv.tv_sec = 1; tv.tv_usec = 0; ret = _write_retry(arg->fd, &hinfo, sizeof(hinfo), &tv); if (ret == sizeof(hinfo)) return 0; return 1; } static int mcast_hostlist_begin(int fd) { struct timeval tv; char val = (char)RESP_HOSTLIST; tv.tv_sec = 1; tv.tv_usec = 0; return _write_retry(fd, &val, 1, &tv); } static int mcast_hostlist_end(int fd) { host_state_t hinfo; struct timeval tv; int ret; printf("Sending terminator packet\n"); memset(&hinfo, 0, sizeof(hinfo)); tv.tv_sec = 1; tv.tv_usec = 0; ret = _write_retry(fd, &hinfo, sizeof(hinfo), &tv); if (ret == sizeof(hinfo)) return 0; return 1; } static int do_fence_request_tcp(fence_req_t *req, mcast_info *info) { char ip_addr_src[1024]; int fd = -1; char response = 1; struct mcast_hostlist_arg arg; fd = connect_tcp(req, info->args.auth, info->key, info->key_len); if (fd < 0) { dbg_printf(2, "Could not send reply to fence request: %s\n", strerror(errno)); goto out; } inet_ntop(req->family, req->address, ip_addr_src, sizeof(ip_addr_src)); dbg_printf(2, "Request %d seqno %d src %s target %s\n", req->request, req->seqno, ip_addr_src, req->domain); switch(req->request) { case FENCE_NULL: response = info->cb->null((char *)req->domain, info->priv); break; case FENCE_ON: if (map_check(info->map, ip_addr_src, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->on((char *)req->domain, ip_addr_src, req->seqno, info->priv); break; case FENCE_OFF: if (map_check(info->map, ip_addr_src, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->off((char *)req->domain, ip_addr_src, req->seqno, info->priv); break; case FENCE_REBOOT: if (map_check(info->map, ip_addr_src, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->reboot((char *)req->domain, ip_addr_src, req->seqno, info->priv); break; case FENCE_STATUS: if (map_check(info->map, ip_addr_src, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->status((char *)req->domain, info->priv); break; case FENCE_DEVSTATUS: response = info->cb->devstatus(info->priv); break; case FENCE_HOSTLIST: arg.map = info->map; arg.src = ip_addr_src; arg.fd = fd; mcast_hostlist_begin(arg.fd); response = info->cb->hostlist(mcast_hostlist, &arg, info->priv); mcast_hostlist_end(arg.fd); break; } dbg_printf(3, "Sending response to caller...\n"); if (_write_retry(fd, &response, 1, NULL) < 0) { perror("write"); } /* XVM shotguns multicast packets, so we want to avoid * acting on the same request multiple times if the first * attempt was successful. */ history_record(info->history, req); out: if (fd != -1) close(fd); return 1; } static int mcast_dispatch(listener_context_t c, struct timeval *timeout) { mcast_info *info; fence_req_t data; fd_set rfds; struct sockaddr_in sin; int len; int n; socklen_t slen; info = (mcast_info *)c; VALIDATE(info); FD_ZERO(&rfds); FD_SET(info->mc_sock, &rfds); n = select((info->mc_sock)+1, &rfds, NULL, NULL, timeout); if (n <= 0) { if (errno == EINTR || errno == EAGAIN) n = 0; else dbg_printf(2, "select: %s\n", strerror(errno)); return n; } slen = sizeof(sin); len = recvfrom(info->mc_sock, &data, sizeof(data), 0, (struct sockaddr *)&sin, &slen); if (len <= 0) { perror("recvfrom"); return len; } swab_fence_req_t(&data); if (!verify_request(&data, info->args.hash, info->key, info->key_len)) { printf("Key mismatch; dropping packet\n"); return 0; } printf("Request %d seqno %d domain %s\n", data.request, data.seqno, data.domain); if (history_check(info->history, &data) == 1) { printf("We just did this request; dropping packet\n"); return 0; } switch(info->args.auth) { case AUTH_NONE: case AUTH_SHA1: case AUTH_SHA256: case AUTH_SHA512: printf("Plain TCP request\n"); do_fence_request_tcp(&data, info); break; default: printf("XXX Unhandled authentication\n"); } return 0; } static int mcast_config(config_object_t *config, mcast_options *args) { char value[1024]; int errors = 0; if (sc_get(config, "fence_virtd/@debug", value, sizeof(value))==0) dset(atoi(value)); if (sc_get(config, "listeners/multicast/@key_file", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for key_file\n", value); args->key_file = strdup(value); } else { args->key_file = strdup(DEFAULT_KEY_FILE); if (!args->key_file) { dbg_printf(1, "Failed to allocate memory\n"); return -1; } } args->hash = DEFAULT_HASH; if (sc_get(config, "listeners/multicast/@hash", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for hash\n", value); if (!strcasecmp(value, "none")) { args->hash = HASH_NONE; } else if (!strcasecmp(value, "sha1")) { args->hash = HASH_SHA1; } else if (!strcasecmp(value, "sha256")) { args->hash = HASH_SHA256; } else if (!strcasecmp(value, "sha512")) { args->hash = HASH_SHA512; } else { dbg_printf(1, "Unsupported hash: %s\n", value); ++errors; } } args->auth = DEFAULT_AUTH; if (sc_get(config, "listeners/multicast/@auth", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for auth\n", value); if (!strcasecmp(value, "none")) { args->auth = AUTH_NONE; } else if (!strcasecmp(value, "sha1")) { args->auth = AUTH_SHA1; } else if (!strcasecmp(value, "sha256")) { args->auth = AUTH_SHA256; } else if (!strcasecmp(value, "sha512")) { args->auth = AUTH_SHA512; } else { dbg_printf(1, "Unsupported auth: %s\n", value); ++errors; } } args->family = PF_INET; if (sc_get(config, "listeners/multicast/@family", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for family\n", value); if (!strcasecmp(value, "ipv4")) { args->family = PF_INET; } else if (!strcasecmp(value, "ipv6")) { args->family = PF_INET6; } else { dbg_printf(1, "Unsupported family: %s\n", value); ++errors; } } if (sc_get(config, "listeners/multicast/@address", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for address\n", value); args->addr = strdup(value); } else { if (args->family == PF_INET) { args->addr = strdup(IPV4_MCAST_DEFAULT); } else { args->addr = strdup(IPV6_MCAST_DEFAULT); } } if (!args->addr) { return -1; } args->port = DEFAULT_MCAST_PORT; if (sc_get(config, "listeners/multicast/@port", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for port\n", value); args->port = atoi(value); if (args->port <= 0) { dbg_printf(1, "Invalid port: %s\n", value); ++errors; } } args->ifindex = 0; if (sc_get(config, "listeners/multicast/@interface", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for interface\n", value); args->ifindex = if_nametoindex(value); if (args->ifindex < 0) { dbg_printf(1, "Invalid interface: %s\n", value); ++errors; } } return errors; } static int mcast_init(listener_context_t *c, const fence_callbacks_t *cb, config_object_t *config, map_object_t *map, void *priv) { mcast_info *info; int mc_sock, ret; /* Initialize NSS; required to do hashing, as silly as that sounds... */ if (NSS_NoDB_Init(NULL) != SECSuccess) { printf("Could not initialize NSS\n"); return 1; } info = malloc(sizeof(*info)); if (!info) return -1; memset(info, 0, sizeof(*info)); info->priv = priv; info->cb = cb; info->map = map; ret = mcast_config(config, &info->args); if (ret < 0) { perror("mcast_config"); free(info); return -1; } else if (ret > 0) { printf("%d errors found during configuration\n",ret); free(info); return -1; } if (info->args.auth != AUTH_NONE || info->args.hash != HASH_NONE) { info->key_len = read_key_file(info->args.key_file, info->key, sizeof(info->key)); if (info->key_len < 0) { printf("Could not read %s; operating without " "authentication\n", info->args.key_file); info->args.auth = AUTH_NONE; info->args.hash = HASH_NONE; info->key_len = 0; } } if (info->args.family == PF_INET) mc_sock = ipv4_recv_sk(info->args.addr, info->args.port, info->args.ifindex); else mc_sock = ipv6_recv_sk(info->args.addr, info->args.port, info->args.ifindex); if (mc_sock < 0) { printf("Could not set up multicast listen socket\n"); free(info); return -1; } info->magic = MCAST_MAGIC; info->mc_sock = mc_sock; info->history = history_init(check_history, 10, sizeof(fence_req_t)); *c = (listener_context_t)info; return 0; } static int mcast_shutdown(listener_context_t c) { mcast_info *info = (mcast_info *)c; VALIDATE(info); info->magic = 0; history_wipe(info->history); free(info->history); free(info->args.key_file); free(info->args.addr); close(info->mc_sock); free(info); return 0; } static listener_plugin_t mcast_plugin = { .name = NAME, .version = MCAST_VERSION, .init = mcast_init, .dispatch = mcast_dispatch, .cleanup = mcast_shutdown, }; double LISTENER_VER_SYM(void) { return PLUGIN_VERSION_LISTENER; } const listener_plugin_t * LISTENER_INFO_SYM(void) { return &mcast_plugin; } diff --git a/agents/virt/server/serial.c b/agents/virt/server/serial.c index c49fa25e..b5cbf5a4 100644 --- a/agents/virt/server/serial.c +++ b/agents/virt/server/serial.c @@ -1,459 +1,459 @@ /* Copyright Red Hat, Inc. 2010 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; see the file COPYING. If not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ /* * Author: Lon Hohberger */ #include "config.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* Local includes */ #include "debug.h" #include "fdops.h" #include "serial.h" #include "list.h" #include "simpleconfig.h" #include "static_map.h" #include "server_plugin.h" #include "history.h" #include "xvm.h" #define NAME "serial" -#define SERIAL_VERSION "0.4" +#define SERIAL_VERSION "0.5" #define SERIAL_PLUG_MAGIC 0x1227a000 #define VALIDATE(info) \ do {\ if (!info || info->magic != SERIAL_PLUG_MAGIC)\ return -EINVAL;\ } while(0) typedef struct _serial_info { uint64_t magic; const fence_callbacks_t *cb; void *priv; char *uri; char *path; history_info_t *history; map_object_t *maps; int mode; int wake_fd; } serial_info; struct serial_hostlist_arg { map_object_t *map; const char *src; int fd; }; /* * See if we fenced this node recently (successfully) * If so, ignore the request for a few seconds. * * We purge our history when the entries time out. */ static int check_history(void *a, void *b) { serial_req_t *old = a, *current = b; if (old->request == current->request && old->seqno == current->seqno && !strcasecmp((const char *)old->domain, (const char *)current->domain)) { return 1; } return 0; } static int serial_hostlist(const char *vm_name, const char *vm_uuid, int state, void *priv) { struct serial_hostlist_arg *arg = (struct serial_hostlist_arg *)priv; host_state_t hinfo; struct timeval tv; int ret; - if (map_check(arg->map, arg->src, vm_uuid) == 0) { + if (map_check2(arg->map, arg->src, vm_uuid, vm_name) == 0) { /* if we don't have access to fence this VM, * we should not see it in a hostlist either */ return 0; } strncpy((char *)hinfo.domain, vm_name, sizeof(hinfo.domain) - 1); strncpy((char *)hinfo.uuid, vm_uuid, sizeof(hinfo.uuid) - 1); hinfo.state = state; tv.tv_sec = 1; tv.tv_usec = 0; ret = _write_retry(arg->fd, &hinfo, sizeof(hinfo), &tv); if (ret == sizeof(hinfo)) return 0; return 1; } static int serial_hostlist_begin(int fd) { struct timeval tv; serial_resp_t resp; resp.magic = SERIAL_MAGIC; resp.response = RESP_HOSTLIST; tv.tv_sec = 1; tv.tv_usec = 0; return _write_retry(fd, &resp, sizeof(resp), &tv); } static int serial_hostlist_end(int fd) { host_state_t hinfo; struct timeval tv; int ret; //printf("Sending terminator packet\n"); memset(&hinfo, 0, sizeof(hinfo)); tv.tv_sec = 1; tv.tv_usec = 0; ret = _write_retry(fd, &hinfo, sizeof(hinfo), &tv); if (ret == sizeof(hinfo)) return 0; return 1; } static int do_fence_request(int fd, const char *src, serial_req_t *req, serial_info *info) { char response = RESP_FAIL; struct serial_hostlist_arg arg; serial_resp_t resp; arg.fd = fd; switch(req->request) { case FENCE_NULL: response = info->cb->null((char *)req->domain, info->priv); break; case FENCE_ON: if (map_check(info->maps, src, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->on((char *)req->domain, src, req->seqno, info->priv); break; case FENCE_OFF: if (map_check(info->maps, src, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->off((char *)req->domain, src, req->seqno, info->priv); break; case FENCE_REBOOT: if (map_check(info->maps, src, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->reboot((char *)req->domain, src, req->seqno, info->priv); break; case FENCE_STATUS: if (map_check(info->maps, src, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->status((char *)req->domain, info->priv); break; case FENCE_DEVSTATUS: response = info->cb->devstatus(info->priv); break; case FENCE_HOSTLIST: arg.map = info->maps; arg.src = src; arg.fd = fd; serial_hostlist_begin(arg.fd); response = info->cb->hostlist(serial_hostlist, &arg, info->priv); serial_hostlist_end(arg.fd); break; } resp.magic = SERIAL_MAGIC; resp.response = response; swab_serial_resp_t(&resp); dbg_printf(3, "Sending response to caller...\n"); if (_write_retry(fd, &resp, sizeof(resp), NULL) < 0) perror("write"); /* XVM shotguns multicast packets, so we want to avoid * acting on the same request multiple times if the first * attempt was successful. */ history_record(info->history, req); return 1; } static int serial_dispatch(listener_context_t c, struct timeval *timeout) { char src_domain[MAX_DOMAINNAME_LENGTH]; serial_info *info; serial_req_t data; fd_set rfds; struct timeval tv; int max; int n, x, ret; info = (serial_info *)c; VALIDATE(info); FD_ZERO(&rfds); domain_sock_fdset(&rfds, &max); FD_SET(info->wake_fd, &rfds); if (info->wake_fd > max) max = info->wake_fd; n = select(max+1, &rfds, NULL, NULL, timeout); if (n < 0) { if (errno == EINTR || errno == EAGAIN) n = 0; else dbg_printf(2, "select: %s\n", strerror(errno)); return n; } /* * See if the goal was just to be woken up in order to refill our * file descriptor set. For example, if multiple domains were * created simultaneously, we would have to refill our fd_set */ if (FD_ISSET(info->wake_fd, &rfds)) { tv.tv_sec = 0; tv.tv_usec = 10000; _read_retry(info->wake_fd, &c, 1, &tv); return 0; } /* * If no requests, we're done */ if (n == 0) return 0; /* find & read request */ for (x = 0; x <= max; x++) { if (FD_ISSET(x, &rfds)) { tv.tv_sec = 1; tv.tv_usec = 0; ret = _read_retry(x, &data, sizeof(data), &tv); if (ret != sizeof(data)) { if (--n > 0) continue; else return 0; } else { swab_serial_req_t(&data); break; } } } src_domain[0] = 0; domain_sock_name(x, src_domain, sizeof(src_domain)); dbg_printf(2, "Sock %d Request %d seqno %d src %s target %s\n", x, data.request, data.seqno, src_domain, data.domain); if (history_check(info->history, &data) == 1) { dbg_printf(3, "We just did this request; dropping packet\n"); return 0; } do_fence_request(x, src_domain[0] == 0 ? NULL : src_domain, &data, info); return 0; } static int serial_config(config_object_t *config, serial_info *args) { char value[1024]; int errors = 0; if (sc_get(config, "fence_virtd/@debug", value, sizeof(value))==0) dset(atoi(value)); if (sc_get(config, "listeners/serial/@uri", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for uri\n", value); args->uri = strdup(value); } if (sc_get(config, "listeners/serial/@path", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for uri\n", value); args->path = strdup(value); } if (sc_get(config, "listeners/serial/@mode", value, sizeof(value)-1) == 0) { if (!strcasecmp(value, "vmchannel")) { args->mode = 1; } else if (!strcasecmp(value, "serial")) { args->mode = 0; } else { args->mode = atoi(value); if (args->mode < 0) args->mode = 0; } dbg_printf(1, "Got %s for mode\n", args->mode?"VMChannel":"serial"); } return errors; } static int serial_init(listener_context_t *c, const fence_callbacks_t *cb, config_object_t *config, map_object_t *map, void *priv) { serial_info *info; int ret; info = malloc(sizeof(*info)); if (!info) return -1; memset(info, 0, sizeof(*info)); info->priv = priv; info->cb = cb; ret = serial_config(config, info); if (ret < 0) { perror("serial_config"); return -1; } else if (ret > 0) { printf("%d errors found during configuration\n",ret); return -1; } info->maps = map; info->magic = SERIAL_PLUG_MAGIC; info->history = history_init(check_history, 10, sizeof(fence_req_t)); *c = (listener_context_t)info; start_event_listener(info->uri, info->path, info->mode, &info->wake_fd); sleep(1); return 0; } static int serial_shutdown(listener_context_t c) { serial_info *info = (serial_info *)c; dbg_printf(3, "Shutting down serial\n"); VALIDATE(info); info->magic = 0; stop_event_listener(); domain_sock_cleanup(); history_wipe(info->history); free(info->history); free(info->uri); free(info->path); free(info); return 0; } static listener_plugin_t serial_plugin = { .name = NAME, .version = SERIAL_VERSION, .init = serial_init, .dispatch = serial_dispatch, .cleanup = serial_shutdown, }; double LISTENER_VER_SYM(void) { return PLUGIN_VERSION_LISTENER; } const listener_plugin_t * LISTENER_INFO_SYM(void) { return &serial_plugin; } diff --git a/agents/virt/server/static_map.c b/agents/virt/server/static_map.c index 4a5b84c0..a5271889 100644 --- a/agents/virt/server/static_map.c +++ b/agents/virt/server/static_map.c @@ -1,229 +1,235 @@ #include "config.h" #include #include #include #include #include #include #include "simpleconfig.h" #include "static_map.h" #include "list.h" #include "debug.h" #include "serial.h" #include "uuid-test.h" struct perm_entry { list_head(); char name[129]; }; struct perm_group { list_head(); struct perm_entry *uuids; struct perm_entry *ips; char name[129]; }; static void static_map_cleanup(void **info) { struct perm_group *groups = (struct perm_group *)(*info); struct perm_group *group; struct perm_entry *entry; while (groups) { group = groups; list_remove(&groups, group); while (group->uuids) { entry = group->uuids; list_remove(&group->uuids, entry); free(entry); } while (group->ips) { entry = group->ips; list_remove(&group->ips, entry); free(entry); } free(group); } *info = NULL; } static int -static_map_check(void *info, const char *value1, const char *value2) +static_map_check(void *info, const char *src, const char *tgt_uuid, const char *tgt_name) { struct perm_group *groups = (struct perm_group *)info; struct perm_group *group; struct perm_entry *left, *tmp; int x, y, uuid = 0; if (!info) return 1; /* no maps == wide open */ - uuid = is_uuid(value1); + uuid = is_uuid(src); list_for(&groups, group, x) { left = NULL; if (uuid) { list_for(&group->uuids, tmp, y) { - if (!strcasecmp(tmp->name, value1)) { + if (!strcasecmp(tmp->name, src)) { left = tmp; break; } } } else { list_for(&group->ips, tmp, y) { - if (!strcasecmp(tmp->name, value1)) { + if (!strcasecmp(tmp->name, src)) { left = tmp; break; } } } if (!left) continue; list_for(&group->uuids, tmp, y) { - if (!strcasecmp(tmp->name, value2)) { + if (!strcasecmp(tmp->name, tgt_uuid)) { return 1; } + /* useful only for list */ + if (tgt_name) { + if (!strcasecmp(tmp->name, tgt_name)) { + return 1; + } + } } } return 0; } static int static_map_load(void *config_ptr, void **perm_info) { config_object_t *config = config_ptr; int group_idx = 0; int entry_idx = 0; int found; char value[128]; char buf[256]; char buf2[512]; struct perm_group *group = NULL, *groups = NULL; struct perm_entry *entry = NULL; if (!perm_info) return -1; do { snprintf(buf, sizeof(buf)-1, "groups/group[%d]", ++group_idx); if (sc_get(config, buf, value, sizeof(value)) != 0) { snprintf(buf2, sizeof(buf2)-1, "%s/@uuid", buf); if (sc_get(config, buf2, value, sizeof(value)) != 0) { snprintf(buf2, sizeof(buf2)-1, "%s/@ip", buf); if (sc_get(config, buf2, value, sizeof(value)) != 0) { break; } } snprintf(buf2, sizeof(buf2)-1, "%s/@name", buf); if (sc_get(config, buf2, value, sizeof(value)) != 0) { snprintf(value, sizeof(value), "unnamed-%d", group_idx); } } group = malloc(sizeof(*group)); assert(group); memset(group, 0, sizeof(*group)); strncpy(group->name, value, sizeof(group->name)); dbg_printf(3, "Group: %s\n", value); found = 0; entry_idx = 0; do { snprintf(buf2, sizeof(buf2)-1, "%s/@uuid[%d]", buf, ++entry_idx); if (sc_get(config, buf2, value, sizeof(value)) != 0) { break; } ++found; entry = malloc(sizeof(*entry)); assert(entry); memset(entry, 0, sizeof(*entry)); strncpy(entry->name, value, sizeof(entry->name)); dbg_printf(3, " - UUID Entry: %s\n", value); list_insert(&group->uuids, entry); } while (1); entry_idx = 0; do { snprintf(buf2, sizeof(buf2)-1, "%s/@ip[%d]", buf, ++entry_idx); if (sc_get(config, buf2, value, sizeof(value)) != 0) { break; } ++found; entry = malloc(sizeof(*entry)); assert(entry); memset(entry, 0, sizeof(*entry)); strncpy(entry->name, value, sizeof(entry->name)); dbg_printf(3, " - IP Entry: %s\n", value); list_insert(&group->ips, entry); } while (1); if (!found) free(group); else list_insert(&groups, group); } while (1); *perm_info = groups; return 0; } static const map_object_t static_map_obj = { .load = static_map_load, .check = static_map_check, .cleanup = static_map_cleanup, .info = NULL }; void * map_init(void) { map_object_t *o; o = malloc(sizeof(*o)); if (!o) return NULL; memset(o, 0, sizeof(*o)); memcpy(o, &static_map_obj, sizeof(*o)); return (void *)o; } void map_release(void *c) { map_object_t *o = (map_object_t *)c; static_map_cleanup(&o->info); free(c); } diff --git a/agents/virt/server/tcp.c b/agents/virt/server/tcp.c index d39f3579..3f8f0d7e 100644 --- a/agents/virt/server/tcp.c +++ b/agents/virt/server/tcp.c @@ -1,552 +1,552 @@ /* Copyright Red Hat, Inc. 2006-2012 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; see the file COPYING. If not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ #include "config.h" #include #include #include #include #include #include #include #include /* Local includes */ #include "xvm.h" #include "simple_auth.h" #include "options.h" #include "mcast.h" #include "tcp.h" #include "tcp_listener.h" #include "debug.h" #include "fdops.h" #include "list.h" #include "simpleconfig.h" #include "static_map.h" #include "server_plugin.h" #include "history.h" #define NAME "tcp" -#define TCP_VERSION "0.1" +#define TCP_VERSION "0.2" #define TCP_MAGIC 0xc3dff7a9 #define VALIDATE(info) \ do {\ if (!info || info->magic != TCP_MAGIC)\ return -EINVAL;\ } while(0) typedef struct _tcp_options { char *key_file; char *addr; int family; unsigned int port; unsigned int hash; unsigned int auth; unsigned int flags; } tcp_options; typedef struct _tcp_info { uint64_t magic; void *priv; map_object_t *map; history_info_t *history; char key[MAX_KEY_LEN]; tcp_options args; const fence_callbacks_t *cb; ssize_t key_len; int listen_sock; } tcp_info; struct tcp_hostlist_arg { map_object_t *map; const char *src; int fd; }; /* * See if we fenced this node recently (successfully) * If so, ignore the request for a few seconds. * * We purge our history when the entries time out. */ static int check_history(void *a, void *b) { fence_req_t *old = a, *current = b; if (old->request == current->request && old->seqno == current->seqno && !strcasecmp((const char *)old->domain, (const char *)current->domain)) { return 1; } return 0; } static int tcp_hostlist(const char *vm_name, const char *vm_uuid, int state, void *priv) { struct tcp_hostlist_arg *arg = (struct tcp_hostlist_arg *)priv; host_state_t hinfo; struct timeval tv; int ret; - if (map_check(arg->map, arg->src, vm_uuid) == 0) { + if (map_check2(arg->map, arg->src, vm_uuid, vm_name) == 0) { /* if we don't have access to fence this VM, * we should not see it in a hostlist either */ return 0; } strncpy((char *)hinfo.domain, vm_name, sizeof(hinfo.domain) - 1); strncpy((char *)hinfo.uuid, vm_uuid, sizeof(hinfo.uuid) - 1); hinfo.state = state; tv.tv_sec = 1; tv.tv_usec = 0; ret = _write_retry(arg->fd, &hinfo, sizeof(hinfo), &tv); if (ret == sizeof(hinfo)) return 0; return 1; } static int tcp_hostlist_begin(int fd) { struct timeval tv; char val = (char)RESP_HOSTLIST; tv.tv_sec = 1; tv.tv_usec = 0; return _write_retry(fd, &val, 1, &tv); } static int tcp_hostlist_end(int fd) { host_state_t hinfo; struct timeval tv; int ret; printf("Sending terminator packet\n"); memset(&hinfo, 0, sizeof(hinfo)); tv.tv_sec = 1; tv.tv_usec = 0; ret = _write_retry(fd, &hinfo, sizeof(hinfo), &tv); if (ret == sizeof(hinfo)) return 0; return 1; } static int do_fence_request_tcp(int fd, fence_req_t *req, tcp_info *info) { char ip_addr_src[1024]; char response = 1; struct tcp_hostlist_arg arg; int ret; /* Noops if auth == AUTH_NONE */ if (sock_response(fd, info->args.auth, info->key, info->key_len, 10) <= 0) { printf("Failed to respond to challenge\n"); close(fd); return -1; } ret = sock_challenge(fd, info->args.auth, info->key, info->key_len, 10); if (ret <= 0) { printf("Remote failed challenge\n"); close(fd); return -1; } dbg_printf(2, "Request %d seqno %d target %s\n", req->request, req->seqno, req->domain); switch(req->request) { case FENCE_NULL: response = info->cb->null((char *)req->domain, info->priv); break; case FENCE_ON: if (map_check(info->map, ip_addr_src, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->on((char *)req->domain, ip_addr_src, req->seqno, info->priv); break; case FENCE_OFF: if (map_check(info->map, ip_addr_src, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->off((char *)req->domain, ip_addr_src, req->seqno, info->priv); break; case FENCE_REBOOT: if (map_check(info->map, ip_addr_src, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->reboot((char *)req->domain, ip_addr_src, req->seqno, info->priv); break; case FENCE_STATUS: if (map_check(info->map, ip_addr_src, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->status((char *)req->domain, info->priv); break; case FENCE_DEVSTATUS: response = info->cb->devstatus(info->priv); break; case FENCE_HOSTLIST: arg.map = info->map; arg.src = ip_addr_src; arg.fd = fd; tcp_hostlist_begin(arg.fd); response = info->cb->hostlist(tcp_hostlist, &arg, info->priv); tcp_hostlist_end(arg.fd); break; } dbg_printf(3, "Sending response to caller...\n"); if (_write_retry(fd, &response, 1, NULL) < 0) { perror("write"); } history_record(info->history, req); if (fd != -1) close(fd); return 1; } static int tcp_dispatch(listener_context_t c, struct timeval *timeout) { tcp_info *info; fence_req_t data; fd_set rfds; int n; int client_fd; int ret; struct timeval tv; if (timeout != NULL) memcpy(&tv, timeout, sizeof(tv)); else { tv.tv_sec = 1; tv.tv_usec = 0; } info = (tcp_info *)c; VALIDATE(info); FD_ZERO(&rfds); FD_SET(info->listen_sock, &rfds); n = select(info->listen_sock + 1, &rfds, NULL, NULL, timeout); if (n <= 0) { if (errno == EINTR || errno == EAGAIN) n = 0; else dbg_printf(2, "select: %s\n", strerror(errno)); return n; } client_fd = accept(info->listen_sock, NULL, NULL); if (client_fd < 0) { perror("accept"); return -1; } dbg_printf(3, "Accepted client...\n"); ret = _read_retry(client_fd, &data, sizeof(data), &tv); if (ret != sizeof(data)) { dbg_printf(3, "Invalid request (read %d bytes)\n", ret); close(client_fd); return 0; } swab_fence_req_t(&data); if (!verify_request(&data, info->args.hash, info->key, info->key_len)) { printf("Key mismatch; dropping client\n"); close(client_fd); return 0; } dbg_printf(3, "Request %d seqno %d domain %s\n", data.request, data.seqno, data.domain); if (history_check(info->history, &data) == 1) { printf("We just did this request; dropping client\n"); close(client_fd); return 0; } switch(info->args.auth) { case AUTH_NONE: case AUTH_SHA1: case AUTH_SHA256: case AUTH_SHA512: printf("Plain TCP request\n"); do_fence_request_tcp(client_fd, &data, info); break; default: printf("XXX Unhandled authentication\n"); } return 0; } static int tcp_config(config_object_t *config, tcp_options *args) { char value[1024]; int errors = 0; if (sc_get(config, "fence_virtd/@debug", value, sizeof(value))==0) dset(atoi(value)); if (sc_get(config, "listeners/tcp/@key_file", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for key_file\n", value); args->key_file = strdup(value); } else { args->key_file = strdup(DEFAULT_KEY_FILE); if (!args->key_file) { dbg_printf(1, "Failed to allocate memory\n"); return -1; } } args->hash = DEFAULT_HASH; if (sc_get(config, "listeners/tcp/@hash", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for hash\n", value); if (!strcasecmp(value, "none")) { args->hash = HASH_NONE; } else if (!strcasecmp(value, "sha1")) { args->hash = HASH_SHA1; } else if (!strcasecmp(value, "sha256")) { args->hash = HASH_SHA256; } else if (!strcasecmp(value, "sha512")) { args->hash = HASH_SHA512; } else { dbg_printf(1, "Unsupported hash: %s\n", value); ++errors; } } args->auth = DEFAULT_AUTH; if (sc_get(config, "listeners/tcp/@auth", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for auth\n", value); if (!strcasecmp(value, "none")) { args->hash = AUTH_NONE; } else if (!strcasecmp(value, "sha1")) { args->hash = AUTH_SHA1; } else if (!strcasecmp(value, "sha256")) { args->hash = AUTH_SHA256; } else if (!strcasecmp(value, "sha512")) { args->hash = AUTH_SHA512; } else { dbg_printf(1, "Unsupported auth: %s\n", value); ++errors; } } args->family = PF_INET; if (sc_get(config, "listeners/tcp/@family", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for family\n", value); if (!strcasecmp(value, "ipv4")) { args->family = PF_INET; } else if (!strcasecmp(value, "ipv6")) { args->family = PF_INET6; } else { dbg_printf(1, "Unsupported family: %s\n", value); ++errors; } } if (sc_get(config, "listeners/tcp/@address", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for address\n", value); args->addr = strdup(value); } else { if (args->family == PF_INET) { args->addr = strdup(IPV4_TCP_ADDR_DEFAULT); } else { args->addr = strdup(IPV6_TCP_ADDR_DEFAULT); } } if (!args->addr) { return -1; } args->port = DEFAULT_MCAST_PORT; if (sc_get(config, "listeners/tcp/@port", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for port\n", value); args->port = atoi(value); if (args->port <= 0) { dbg_printf(1, "Invalid port: %s\n", value); ++errors; } } return errors; } static int tcp_init(listener_context_t *c, const fence_callbacks_t *cb, config_object_t *config, map_object_t *map, void *priv) { tcp_info *info; int listen_sock, ret; /* Initialize NSS; required to do hashing, as silly as that sounds... */ if (NSS_NoDB_Init(NULL) != SECSuccess) { printf("Could not initialize NSS\n"); return 1; } info = calloc(1, sizeof(*info)); if (!info) return -1; info->priv = priv; info->cb = cb; info->map = map; ret = tcp_config(config, &info->args); if (ret < 0) perror("tcp_config"); else if (ret > 0) printf("%d errors found during configuration\n",ret); if (ret != 0) { if (info->args.key_file) free(info->args.key_file); if (info->args.addr) free(info->args.addr); free(info); return -1; } if (info->args.auth != AUTH_NONE || info->args.hash != HASH_NONE) { info->key_len = read_key_file(info->args.key_file, info->key, sizeof(info->key)); if (info->key_len < 0) { printf("Could not read %s; operating without " "authentication\n", info->args.key_file); info->args.auth = AUTH_NONE; info->args.hash = HASH_NONE; info->key_len = 0; } } if (info->args.family == PF_INET) { listen_sock = ipv4_listen(info->args.addr, info->args.port, 10); } else { listen_sock = ipv6_listen(info->args.addr, info->args.port, 10); } if (listen_sock < 0) { printf("Could not set up listen socket\n"); if (info->args.key_file) free(info->args.key_file); if (info->args.addr) free(info->args.addr); free(info); return -1; } info->magic = TCP_MAGIC; info->listen_sock = listen_sock; info->history = history_init(check_history, 10, sizeof(fence_req_t)); *c = (listener_context_t)info; return 0; } static int tcp_shutdown(listener_context_t c) { tcp_info *info = (tcp_info *)c; VALIDATE(info); info->magic = 0; history_wipe(info->history); free(info->history); free(info->args.key_file); free(info->args.addr); close(info->listen_sock); free(info); return 0; } static listener_plugin_t tcp_plugin = { .name = NAME, .version = TCP_VERSION, .init = tcp_init, .dispatch = tcp_dispatch, .cleanup = tcp_shutdown, }; double LISTENER_VER_SYM(void) { return PLUGIN_VERSION_LISTENER; } const listener_plugin_t * LISTENER_INFO_SYM(void) { return &tcp_plugin; } diff --git a/agents/virt/server/vsock.c b/agents/virt/server/vsock.c index 3ea26fb9..1b88fa51 100644 --- a/agents/virt/server/vsock.c +++ b/agents/virt/server/vsock.c @@ -1,565 +1,565 @@ /* Copyright Red Hat, Inc. 2017 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; see the file COPYING. If not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ #include "config.h" #include #include #include #include #include #include #include #include #include #include /* Local includes */ #include "list.h" #include "simpleconfig.h" #include "static_map.h" #include "server_plugin.h" #include "history.h" #include "xvm.h" #include "simple_auth.h" #include "options.h" #include "mcast.h" #include "tcp.h" #include "tcp_listener.h" #include "debug.h" #include "fdops.h" #define NAME "vsock" -#define VSOCK_VERSION "0.1" +#define VSOCK_VERSION "0.2" #define VSOCK_MAGIC 0xa32d27c1e #define VALIDATE(info) \ do {\ if (!info || info->magic != VSOCK_MAGIC)\ return -EINVAL;\ } while(0) typedef struct _vsock_options { char *key_file; int cid; unsigned int port; unsigned int hash; unsigned int auth; unsigned int flags; } vsock_options; typedef struct _vsock_info { uint64_t magic; void *priv; map_object_t *map; history_info_t *history; char key[MAX_KEY_LEN]; vsock_options args; const fence_callbacks_t *cb; ssize_t key_len; int listen_sock; } vsock_info; struct vsock_hostlist_arg { map_object_t *map; int cid; int fd; }; static int get_peer_cid(int fd, uint32_t *peer_cid) { struct sockaddr_vm svm; socklen_t len; int ret; if (!peer_cid) return -1; len = sizeof(svm); ret = getpeername(fd, (struct sockaddr *) &svm, &len); if (ret < 0) { printf("Error getting peer CID: %s\n", strerror(errno)); return -1; } *peer_cid = svm.svm_cid; return 0; } /* * See if we fenced this node recently (successfully) * If so, ignore the request for a few seconds. * * We purge our history when the entries time out. */ static int check_history(void *a, void *b) { fence_req_t *old = a, *current = b; if (old->request == current->request && old->seqno == current->seqno && !strcasecmp((const char *)old->domain, (const char *)current->domain)) { return 1; } return 0; } static int vsock_hostlist(const char *vm_name, const char *vm_uuid, int state, void *priv) { struct vsock_hostlist_arg *arg = (struct vsock_hostlist_arg *) priv; host_state_t hinfo; struct timeval tv; int ret; uint32_t peer_cid = 0; char peer_cid_str[24]; ret = get_peer_cid(arg->fd, &peer_cid); if (ret < 0) { printf("Unable to get peer CID: %s\n", strerror(errno)); peer_cid_str[0] = '\0'; } else snprintf(peer_cid_str, sizeof(peer_cid_str), "%u", peer_cid); /* Noops if auth == AUTH_NONE */ - if (map_check(arg->map, peer_cid_str, vm_uuid) == 0) { + if (map_check2(arg->map, peer_cid_str, vm_uuid, vm_name) == 0) { /* if we don't have access to fence this VM, * we should not see it in a hostlist either */ return 0; } strncpy((char *)hinfo.domain, vm_name, sizeof(hinfo.domain) - 1); strncpy((char *)hinfo.uuid, vm_uuid, sizeof(hinfo.uuid) - 1); hinfo.state = state; tv.tv_sec = 1; tv.tv_usec = 0; ret = _write_retry(arg->fd, &hinfo, sizeof(hinfo), &tv); if (ret == sizeof(hinfo)) return 0; return 1; } static int vsock_hostlist_begin(int fd) { struct timeval tv; char val = (char) RESP_HOSTLIST; tv.tv_sec = 1; tv.tv_usec = 0; return _write_retry(fd, &val, 1, &tv); } static int vsock_hostlist_end(int fd) { host_state_t hinfo; struct timeval tv; int ret; printf("Sending terminator packet\n"); memset(&hinfo, 0, sizeof(hinfo)); tv.tv_sec = 1; tv.tv_usec = 0; ret = _write_retry(fd, &hinfo, sizeof(hinfo), &tv); if (ret == sizeof(hinfo)) return 0; return 1; } static int do_fence_request_vsock(int fd, fence_req_t *req, vsock_info *info) { char response = 1; struct vsock_hostlist_arg arg; uint32_t peer_cid = 0; char peer_cid_str[24]; int ret; ret = get_peer_cid(fd, &peer_cid); if (ret < 0) { printf("Unable to get peer CID: %s\n", strerror(errno)); return -1; } snprintf(peer_cid_str, sizeof(peer_cid_str), "%u", peer_cid); /* Noops if auth == AUTH_NONE */ if (sock_response(fd, info->args.auth, info->key, info->key_len, 10) <= 0) { printf("CID %u Failed to respond to challenge\n", peer_cid); close(fd); return -1; } ret = sock_challenge(fd, info->args.auth, info->key, info->key_len, 10); if (ret <= 0) { printf("Remote CID %u failed challenge\n", peer_cid); close(fd); return -1; } dbg_printf(2, "Request %d seqno %d target %s from CID %u\n", req->request, req->seqno, req->domain, peer_cid); switch(req->request) { case FENCE_NULL: response = info->cb->null((char *)req->domain, info->priv); break; case FENCE_ON: if (map_check(info->map, peer_cid_str, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->on((char *)req->domain, peer_cid_str, req->seqno, info->priv); break; case FENCE_OFF: if (map_check(info->map, peer_cid_str, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->off((char *)req->domain, peer_cid_str, req->seqno, info->priv); break; case FENCE_REBOOT: if (map_check(info->map, peer_cid_str, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->reboot((char *)req->domain, peer_cid_str, req->seqno, info->priv); break; case FENCE_STATUS: if (map_check(info->map, peer_cid_str, (const char *)req->domain) == 0) { response = RESP_PERM; break; } response = info->cb->status((char *)req->domain, info->priv); break; case FENCE_DEVSTATUS: response = info->cb->devstatus(info->priv); break; case FENCE_HOSTLIST: arg.map = info->map; arg.fd = fd; vsock_hostlist_begin(arg.fd); response = info->cb->hostlist(vsock_hostlist, &arg, info->priv); vsock_hostlist_end(arg.fd); break; } dbg_printf(3, "Sending response to caller CID %u...\n", peer_cid); if (_write_retry(fd, &response, 1, NULL) < 0) perror("write"); history_record(info->history, req); if (fd != -1) close(fd); return 1; } static int vsock_dispatch(listener_context_t c, struct timeval *timeout) { vsock_info *info; fence_req_t data; fd_set rfds; int n; int client_fd; int ret; struct timeval tv; if (timeout != NULL) memcpy(&tv, timeout, sizeof(tv)); else { tv.tv_sec = 1; tv.tv_usec = 0; } info = (vsock_info *) c; VALIDATE(info); FD_ZERO(&rfds); FD_SET(info->listen_sock, &rfds); n = select(info->listen_sock + 1, &rfds, NULL, NULL, timeout); if (n <= 0) { if (errno == EINTR || errno == EAGAIN) n = 0; else dbg_printf(2, "select: %s\n", strerror(errno)); return n; } client_fd = accept(info->listen_sock, NULL, NULL); if (client_fd < 0) { perror("accept"); return -1; } dbg_printf(3, "Accepted vsock client...\n"); ret = _read_retry(client_fd, &data, sizeof(data), &tv); if (ret != sizeof(data)) { dbg_printf(3, "Invalid request (read %d bytes)\n", ret); close(client_fd); return 0; } swab_fence_req_t(&data); if (!verify_request(&data, info->args.hash, info->key, info->key_len)) { printf("Key mismatch; dropping client\n"); close(client_fd); return 0; } dbg_printf(3, "Request %d seqno %d domain %s\n", data.request, data.seqno, data.domain); if (history_check(info->history, &data) == 1) { printf("We just did this request; dropping client\n"); close(client_fd); return 0; } switch(info->args.auth) { case AUTH_NONE: case AUTH_SHA1: case AUTH_SHA256: case AUTH_SHA512: printf("VSOCK request\n"); do_fence_request_vsock(client_fd, &data, info); break; default: printf("XXX Unhandled authentication\n"); } return 0; } static int vsock_config(config_object_t *config, vsock_options *args) { char value[1024]; int errors = 0; if (sc_get(config, "fence_virtd/@debug", value, sizeof(value))==0) dset(atoi(value)); if (sc_get(config, "listeners/vsock/@key_file", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for key_file\n", value); args->key_file = strdup(value); } else { args->key_file = strdup(DEFAULT_KEY_FILE); if (!args->key_file) { dbg_printf(1, "Failed to allocate memory\n"); return -1; } } args->hash = DEFAULT_HASH; if (sc_get(config, "listeners/vsock/@hash", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for hash\n", value); if (!strcasecmp(value, "none")) { args->hash = HASH_NONE; } else if (!strcasecmp(value, "sha1")) { args->hash = HASH_SHA1; } else if (!strcasecmp(value, "sha256")) { args->hash = HASH_SHA256; } else if (!strcasecmp(value, "sha512")) { args->hash = HASH_SHA512; } else { dbg_printf(1, "Unsupported hash: %s\n", value); ++errors; } } args->auth = DEFAULT_AUTH; if (sc_get(config, "listeners/vsock/@auth", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for auth\n", value); if (!strcasecmp(value, "none")) { args->hash = AUTH_NONE; } else if (!strcasecmp(value, "sha1")) { args->hash = AUTH_SHA1; } else if (!strcasecmp(value, "sha256")) { args->hash = AUTH_SHA256; } else if (!strcasecmp(value, "sha512")) { args->hash = AUTH_SHA512; } else { dbg_printf(1, "Unsupported auth: %s\n", value); ++errors; } } args->port = DEFAULT_MCAST_PORT; if (sc_get(config, "listeners/vsock/@port", value, sizeof(value)-1) == 0) { dbg_printf(1, "Got %s for port\n", value); args->port = atoi(value); if (args->port <= 0) { dbg_printf(1, "Invalid port: %s\n", value); ++errors; } } return errors; } static int vsock_init(listener_context_t *c, const fence_callbacks_t *cb, config_object_t *config, map_object_t *map, void *priv) { vsock_info *info; int listen_sock, ret; struct sockaddr_vm svm; if (NSS_NoDB_Init(NULL) != SECSuccess) { printf("Could not initialize NSS\n"); return 1; } info = calloc(1, sizeof(*info)); if (!info) return -1; info->priv = priv; info->cb = cb; info->map = map; ret = vsock_config(config, &info->args); if (ret < 0) perror("vsock_config"); else if (ret > 0) printf("%d errors found during vsock listener configuration\n", ret); if (ret != 0) { if (info->args.key_file) free(info->args.key_file); free(info); return -1; } if (info->args.auth != AUTH_NONE || info->args.hash != HASH_NONE) { info->key_len = read_key_file(info->args.key_file, info->key, sizeof(info->key)); if (info->key_len < 0) { printf("Could not read %s; operating without " "authentication\n", info->args.key_file); info->args.auth = AUTH_NONE; info->args.hash = HASH_NONE; info->key_len = 0; } } listen_sock = socket(PF_VSOCK, SOCK_STREAM, 0); if (listen_sock < 0) goto out_fail; memset(&svm, 0, sizeof(svm)); svm.svm_family = AF_VSOCK; svm.svm_cid = VMADDR_CID_ANY; svm.svm_port = info->args.port; if (bind(listen_sock, (struct sockaddr *) &svm, sizeof(svm)) < 0) goto out_fail; if (listen(listen_sock, 1) < 0) goto out_fail; info->magic = VSOCK_MAGIC; info->listen_sock = listen_sock; info->history = history_init(check_history, 10, sizeof(fence_req_t)); *c = (listener_context_t)info; return 0; out_fail: printf("Could not set up listen socket: %s\n", strerror(errno)); if (listen_sock >= 0) close(listen_sock); if (info->args.key_file) free(info->args.key_file); free(info); return -1; } static int vsock_shutdown(listener_context_t c) { vsock_info *info = (vsock_info *)c; VALIDATE(info); info->magic = 0; history_wipe(info->history); free(info->history); free(info->args.key_file); close(info->listen_sock); free(info); return 0; } static listener_plugin_t vsock_plugin = { .name = NAME, .version = VSOCK_VERSION, .init = vsock_init, .dispatch = vsock_dispatch, .cleanup = vsock_shutdown, }; double LISTENER_VER_SYM(void) { return PLUGIN_VERSION_LISTENER; } const listener_plugin_t * LISTENER_INFO_SYM(void) { return &vsock_plugin; }