#!/bin/bash -X # From "http://fedoraproject.org/wiki/FCNewInit/Initscripts": # # Status Exit Codes # # 0 program is running or service is OK # 1 program is dead and /var/run pid file exists # 2 program is dead and /var/lock lock file exists # 3 program is not running # 4 program or service status is unknown # 5-99 reserved for future LSB use # 100-149 reserved for distribution use # 150-199 reserved for application use # 200-254 reserved # # Non-Status Exit Codes # # 0 action was successful # 1 generic or unspecified error (current practice) # 2 invalid or excess argument(s) # 3 unimplemented feature (for example, "reload") # 4 user had insufficient privilege # 5 program is not installed # 6 program is not configured # 7 program is not running # 8-99 reserved for future LSB use # 100-149 reserved for distribution use # 150-199 reserved for application use # 200-254 reserved # if [ -f /etc/pki/pki.conf ] ; then . /etc/pki/pki.conf fi # PKI subsystem-level directory and file values for locks lockfile="/var/lock/subsys/${SERVICE_NAME}" default_error=0 case $command in start|stop|restart|condrestart|force-restart|try-restart) # 1 generic or unspecified error (current practice) default_error=1 ;; reload) default_error=3 ;; status) # 4 program or service status is unknown default_error=4 ;; *) # 2 invalid argument(s) default_error=2 ;; esac # Enable nullglob, if set then shell pattern globs which do not match any # file returns the empty string rather than the unmodified glob pattern. shopt -s nullglob OS=`uname -s` ARCHITECTURE=`uname -i` # Check to insure that this script's original invocation directory # has not been deleted! CWD=`/bin/pwd > /dev/null 2>&1` if [ $? -ne 0 ] ; then echo "Cannot invoke '$PROG_NAME' from non-existent directory!" exit ${default_error} fi # Check to insure that this script's associated PKI # subsystem currently resides on this system. PKI_CA_PATH="/usr/share/pki/ca" PKI_KRA_PATH="/usr/share/pki/kra" PKI_OCSP_PATH="/usr/share/pki/ocsp" PKI_RA_PATH="/usr/share/pki/ra" PKI_TKS_PATH="/usr/share/pki/tks" PKI_TPS_PATH="/usr/share/pki/tps" if [ '${PKI_TYPE}' == "apache" ] ; then if [ ! -d ${PKI_RA_PATH} ] && [ ! -d ${PKI_TPS_PATH} ] ; then echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!" if [ "${command}" != "status" ]; then # 5 program is not installed exit 5 else exit ${default_error} fi fi elif [ '${PKI_TYPE}' == "tomcat" ] ; then if [ ! -d ${PKI_CA_PATH} ] && [ ! -d ${PKI_KRA_PATH} ] && [ ! -d ${PKI_OCSP_PATH} ] && [ ! -d ${PKI_TKS_PATH} ] ; then echo "This machine is missing all PKI '${PKI_TYPE}' subsystems!" if [ "${command}" != "status" ]; then # 5 program is not installed exit 5 else exit ${default_error} fi fi fi # This script must be run as root! RV=0 if [ `id -u` -ne 0 ] ; then echo "Must be 'root' to execute '$PROG_NAME'!" if [ "${command}" != "status" ]; then # 4 user had insufficient privilege exit 4 else # 4 program or service status is unknown exit 4 fi fi PKI_INSTANCE_TYPES="apache tomcat" PKI_REGISTRY_ENTRIES="" PKI_SUBSYSTEMS="" TOTAL_PKI_REGISTRY_ENTRIES=0 TOTAL_UNCONFIGURED_PKI_ENTRIES=0 # Gather ALL registered instances of this PKI web server type for INSTANCE in ${PKI_REGISTRY}/*; do if [ -d "$INSTANCE" ] ; then for REGISTRY in ${INSTANCE}/*; do if [ -f "$REGISTRY" ] ; then PKI_REGISTRY_ENTRIES="${PKI_REGISTRY_ENTRIES} $REGISTRY" TOTAL_PKI_REGISTRY_ENTRIES=`expr ${TOTAL_PKI_REGISTRY_ENTRIES} + 1` fi done fi done # Execute the specified registered instance of this PKI web server type if [ -n "${pki_instance_id}" ]; then for INSTANCE in ${PKI_REGISTRY_ENTRIES}; do if [ "`basename ${INSTANCE}`" == "${pki_instance_id}" ]; then PKI_REGISTRY_ENTRIES="${INSTANCE}" TOTAL_PKI_REGISTRY_ENTRIES=1 break fi done fi usage() { echo -n "Usage: ${SERVICE_PROG} ${SERVICE_NAME}" echo -n "{start" echo -n "|stop" echo -n "|restart" echo -n "|condrestart" echo -n "|force-restart" echo -n "|try-restart" echo -n "|reload" echo -n "|status} " echo -n "[instance-name]" echo echo } usage_systemd() { echo -n "Usage: /usr/bin/pkidaemon " echo -n "{start" echo -n "|stop" echo -n "|restart" echo -n "|condrestart" echo -n "|force-restart" echo -n "|try-restart" echo -n "|reload" echo -n "|status} " echo -n "instance-type " echo -n "[instance-name]" echo echo } list_systemd_instance_types() { echo for PKI_INSTANCE_TYPE in $PKI_INSTANCE_TYPES; do echo " $PKI_INSTANCE_TYPE" done echo } list_instances() { echo for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do instance_name=`basename $PKI_REGISTRY_ENTRY` echo " $instance_name" done echo } list_systemd_instances() { echo for INSTANCE in /etc/sysconfig/pki/apache/*; do if [ -d "${INSTANCE}" ] ; then instance_name=`basename ${INSTANCE}` echo " $instance_name" fi done for INSTANCE in /etc/sysconfig/pki/tomcat/*; do if [ -d "${INSTANCE}" ] ; then instance_name=`basename ${INSTANCE}` echo " $instance_name" fi done echo } get_subsystems() { # Re-initialize PKI_SUBSYSTEMS for each instance PKI_SUBSYSTEMS="" case ${PKI_WEB_SERVER_TYPE} in tomcat) for SUBSYSTEM in ca kra ocsp tks; do if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then if [ '${PKI_SUBSYSTEMS}' == "" ] ; then PKI_SUBSYSTEMS="${SUBSYSTEM}" else PKI_SUBSYSTEMS="${PKI_SUBSYSTEMS} ${SUBSYSTEM}" fi fi done ;; apache) for SUBSYSTEM in ra tps; do if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then if [ '${PKI_SUBSYSTEMS}' == "" ] ; then PKI_SUBSYSTEMS="${SUBSYSTEM}" else PKI_SUBSYSTEMS="${PKI_SUBSYSTEMS} ${SUBSYSTEM}" fi fi done ;; *) echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" exit ${default_error} ;; esac } # Check arguments if [ $SYSTEMD ]; then if [ $# -lt 2 ] ; then # [insufficient arguments] echo "$PROG_NAME: Insufficient arguments!" echo usage_systemd echo "where valid instance types include:" list_systemd_instance_types echo "and where valid instance names include:" list_systemd_instances exit 3 elif [ ${default_error} -eq 2 ] ; then # 2 invalid argument echo "$PROG_NAME: Invalid arguments!" echo usage_systemd echo "where valid instance types include:" list_systemd_instance_types echo "and where valid instance names include:" list_systemd_instances exit 2 elif [ $# -gt 3 ] ; then echo "$PROG_NAME: Excess arguments!" echo usage_systemd echo "where valid instance types include:" list_systemd_instance_types echo "and where valid instance names include:" list_systemd_instances if [ "${command}" != "status" ]; then # 2 excess arguments exit 2 else # 4 program or service status is unknown exit 4 fi fi else if [ $# -lt 1 ] ; then # 3 unimplemented feature (for example, "reload") # [insufficient arguments] echo "$PROG_NAME: Insufficient arguments!" echo usage echo "where valid instance names include:" list_instances exit 3 elif [ ${default_error} -eq 2 ] ; then # 2 invalid argument echo "$PROG_NAME: Invalid arguments!" echo usage echo "where valid instance names include:" list_instances exit 2 elif [ $# -gt 2 ] ; then echo "$PROG_NAME: Excess arguments!" echo usage echo "where valid instance names include:" list_instances if [ "${command}" != "status" ]; then # 2 excess arguments exit 2 else # 4 program or service status is unknown exit 4 fi fi fi # If an "instance" was supplied, check that it is a "valid" instance if [ -n "${pki_instance_id}" ]; then valid=0 for PKI_REGISTRY_ENTRY in $PKI_REGISTRY_ENTRIES; do instance_name=`basename $PKI_REGISTRY_ENTRY` if [ "${pki_instance_id}" == "${instance_name}" ]; then valid=1 break fi done if [ $valid -eq 0 ]; then if [ "${pki_instance_type}" != "apache" ] && [ "${pki_instance_type}" != "tomcat" ]; then echo -n "unknown instance type (${pki_instance_type})" else echo -n "${pki_instance_id} is an invalid '${PKI_TYPE}' instance" fi if [ ! $SYSTEMD ]; then echo_failure fi echo if [ "${command}" != "status" ]; then # 5 program is not installed exit 5 else # 4 program or service status is unknown exit 4 fi fi fi check_pki_configuration_status() { rv=0 case ${PKI_WEB_SERVER_TYPE} in tomcat) for SUBSYSTEM in ca kra ocsp tks; do if [ -d ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM} ]; then rv=`grep -c ^preop ${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg` rv=`expr ${rv} + 0` fi done ;; apache) # TBD ;; *) echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" exit ${default_error} ;; esac if [ $rv -ne 0 ] ; then echo " '${PKI_INSTANCE_ID}' must still be CONFIGURED!" echo " (see /var/log/${PKI_INSTANCE_ID}-install.log)" if [ "${command}" != "status" ]; then # 6 program is not configured rv=6 else # 4 program or service status is unknown rv=4 fi TOTAL_UNCONFIGURED_PKI_ENTRIES=`expr ${TOTAL_UNCONFIGURED_PKI_ENTRIES} + 1` elif [ -f ${RESTART_SERVER} ] ; then echo -n " Although '${PKI_INSTANCE_ID}' has been CONFIGURED, " echo -n "it must still be RESTARTED!" echo if [ "${command}" != "status" ]; then # 1 generic or unspecified error (current practice) rv=1 else # 4 program or service status is unknown rv=4 fi fi return $rv } get_pki_status_definitions() { case $PKI_WEB_SERVER_TYPE in tomcat) PKI_SERVER_XML_CONF=${PKI_INSTANCE_PATH}/conf/server.xml get_pki_status_definitions_tomcat return $? ;; ra) get_pki_status_definitions_ra return $? ;; tps) get_pki_status_definitions_tps return $? ;; *) echo "Unknown web server type ($PKI_WEB_SERVER_TYPE)" exit ${default_error} ;; esac } get_pki_status_definitions_ra() { # establish well-known strings total_ports=0 UNSECURE_PORT="" CLIENTAUTH_PORT="" NON_CLIENTAUTH_PORT="" # check to see that an instance-specific "httpd.conf" file exists if [ ! -f ${PKI_HTTPD_CONF} ] ; then echo "File '${PKI_HTTPD_CONF}' does not exist!" exit ${default_error} fi # check to see that an instance-specific "nss.conf" file exists if [ ! -f ${PKI_NSS_CONF} ] ; then echo "File '${PKI_NSS_CONF}' does not exist!" exit ${default_error} fi # Iterate over Listen statements for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do UNSECURE_PORT=$port if [ $total_ports -eq 0 ]; then echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" else echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" fi total_ports=`expr ${total_ports} + 1` done # Iterate over Listen statements for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do UNSECURE_PORT=$port if [ $total_ports -eq 1 ]; then CLIENTAUTH_PORT=$port echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}" fi if [ $total_ports -eq 2 ]; then NON_CLIENTAUTH_PORT=$port echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}" fi total_ports=`expr ${total_ports} + 1` done return 0; } get_pki_status_definitions_tps() { # establish well-known strings total_ports=0 UNSECURE_PORT="" CLIENTAUTH_PORT="" NON_CLIENTAUTH_PORT="" # check to see that an instance-specific "httpd.conf" file exists if [ ! -f ${PKI_HTTPD_CONF} ] ; then echo "File '${PKI_HTTPD_CONF}' does not exist!" exit ${default_error} fi # check to see that an instance-specific "nss.conf" file exists if [ ! -f ${PKI_NSS_CONF} ] ; then echo "File '${PKI_NSS_CONF}' does not exist!" exit ${default_error} fi # Iterate over Listen statements for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_HTTPD_CONF}`; do UNSECURE_PORT=$port if [ $total_ports -eq 0 ]; then echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi" echo " (ESC Security Officer Enrollment)" echo " Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}/cgi-bin/home/index.cgi" echo " (ESC Phone Home)" else echo "ERROR: extra Unsecure Port = http://${PKI_SERVER_NAME}:${UNSECURE_PORT}" fi total_ports=`expr ${total_ports} + 1` done # Iterate over Listen statements for port in `sed -n 's/^[ \t]*Listen[ \t][ \t]*\([^ \t][^ \t]*\)/\1/p' ${PKI_NSS_CONF}`; do UNSECURE_PORT=$port if [ $total_ports -eq 1 ]; then CLIENTAUTH_PORT=$port echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi" echo " (ESC Security Officer Workstation)" echo " Secure Clientauth Port = https://${PKI_SERVER_NAME}:${CLIENTAUTH_PORT}/tus" echo " (TPS Roles - Operator/Administrator/Agent)" fi if [ $total_ports -eq 2 ]; then NON_CLIENTAUTH_PORT=$port echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi" echo " (ESC Security Officer Enrollment)" echo " Secure Non-Clientauth Port = https://${PKI_SERVER_NAME}:${NON_CLIENTAUTH_PORT}/cgi-bin/home/index.cgi" echo " (ESC Phone Home)" fi total_ports=`expr ${total_ports} + 1` done return 0; } get_pki_status_definitions_tomcat() { # establish well-known strings begin_pki_status_comment="" begin_ca_status_comment="" begin_kra_status_comment="" begin_ocsp_status_comment="" begin_tks_status_comment="" end_pki_status_comment="" total_ports=0 unsecure_port_statement="Unsecure Port" secure_agent_port_statement="Secure Agent Port" secure_ee_port_statement="Secure EE Port" secure_ee_client_auth_port_statement="EE Client Auth Port" secure_admin_port_statement="Secure Admin Port" pki_console_port_statement="PKI Console Port" tomcat_port_statement="Tomcat Port" # initialize looping variables pki_status_comment_found=0 display_pki_ca_status_banner=0 display_pki_kra_status_banner=0 display_pki_ocsp_status_banner=0 display_pki_tks_status_banner=0 process_pki_ca_status=0 process_pki_kra_status=0 process_pki_ocsp_status=0 process_pki_tks_status=0 # first check to see that an instance-specific "server.xml" file exists if [ ! -f ${PKI_SERVER_XML_CONF} ] ; then echo "File '${PKI_SERVER_XML_CONF}' does not exist!" exit ${default_error} fi # identify all PKI subsystems present within this PKI instance if [ -e ${PKI_INSTANCE_PATH}/ca ]; then display_pki_ca_status_banner=1 fi if [ -e ${PKI_INSTANCE_PATH}/kra ]; then display_pki_kra_status_banner=1 fi if [ -e ${PKI_INSTANCE_PATH}/ocsp ]; then display_pki_ocsp_status_banner=1 fi if [ -e ${PKI_INSTANCE_PATH}/tks ]; then display_pki_tks_status_banner=1 fi # read this instance-specific "server.xml" file line-by-line # to obtain the current PKI Status Definitions exec < ${PKI_SERVER_XML_CONF} while read line; do # first look for the well-known end PKI Status comment # (to turn off processing) if [ "$line" == "$end_pki_status_comment" ] ; then # always turn off processing TKS status at this point process_pki_tks_status=0 pki_status_comment_found=0 break; fi # then look for the well-known begin PKI Status comment # (to turn on processing) if [ "$line" == "$begin_pki_status_comment" ] ; then pki_status_comment_found=1 fi # once the well-known begin PKI Status comment has been found, # begin processing to obtain all of the PKI Status Definitions if [ $pki_status_comment_found -eq 1 ] ; then head=`echo "$line" | sed -e 's/^\([^=]*\)[ \t]*= .*$/\1/' -e 's/[ \t]*$//'` if [ "$line" == "$begin_ca_status_comment" ] ; then if [ $display_pki_ca_status_banner -eq 1 ] ; then # print CA Status Definition banner echo echo " [CA Status Definitions]" # turn on processing CA status at this point process_pki_ca_status=1 fi elif [ "$line" == "$begin_kra_status_comment" ] ; then # always turn off processing CA status at this point process_pki_ca_status=0 if [ $display_pki_kra_status_banner -eq 1 ] ; then # print DRM Status Definition banner echo echo " [DRM Status Definitions]" # turn on processing DRM status at this point process_pki_kra_status=1 fi elif [ "$line" == "$begin_ocsp_status_comment" ] ; then # always turn off processing DRM status at this point process_pki_kra_status=0 if [ $display_pki_ocsp_status_banner -eq 1 ] ; then # print OCSP Status Definition banner echo echo " [OCSP Status Definitions]" # turn on processing OCSP status at this point process_pki_ocsp_status=1 fi elif [ "$line" == "$begin_tks_status_comment" ] ; then # always turn off processing OCSP status at this point process_pki_ocsp_status=0 if [ $display_pki_tks_status_banner -eq 1 ] ; then # print TKS Status Definition banner echo echo " [TKS Status Definitions]" # turn on processing TKS status at this point process_pki_tks_status=1 fi elif [ $process_pki_ca_status -eq 1 ] || [ $process_pki_kra_status -eq 1 ] || [ $process_pki_ocsp_status -eq 1 ] || [ $process_pki_tks_status -eq 1 ] ; then # look for a PKI Status Definition and print it if [ "$head" == "$unsecure_port_statement" ] || [ "$head" == "$secure_agent_port_statement" ] || [ "$head" == "$secure_ee_port_statement" ] || [ "$head" == "$secure_admin_port_statement" ] || [ "$head" == "$secure_ee_client_auth_port_statement" ] || [ "$head" == "$pki_console_port_statement" ] || [ "$head" == "$tomcat_port_statement" ] ; then echo " $line" total_ports=`expr ${total_ports} + 1` fi fi fi done return 0; } get_pki_configuration_definitions() { # Obtain the PKI Subsystem Type line=`grep -e '^[ \t]*cs.type[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` pki_subsystem=`echo "${line}" | sed -e 's/^[^=]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` if [ "${line}" != "" ] ; then if [ "${pki_subsystem}" != "CA" ] && [ "${pki_subsystem}" != "KRA" ] && [ "${pki_subsystem}" != "OCSP" ] && [ "${pki_subsystem}" != "TKS" ] && [ "${pki_subsystem}" != "RA" ] && [ "${pki_subsystem}" != "TPS" ] then return ${default_error} fi if [ "${pki_subsystem}" == "KRA" ] ; then # Rename "KRA" to "DRM" pki_subsystem="DRM" fi else return ${default_error} fi # If "${pki_subsystem}" is a CA, DRM, OCSP, or TKS, # check to see if "${pki_subsystem}" is a "Clone" pki_clone="" if [ "${pki_subsystem}" == "CA" ] || [ "${pki_subsystem}" == "DRM" ] || [ "${pki_subsystem}" == "OCSP" ] || [ "${pki_subsystem}" == "TKS" ] then line=`grep -e '^[ \t]*subsystem.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` if [ "${line}" != "" ] ; then pki_clone=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` if [ "${pki_clone}" != "Clone" ] ; then # Reset "${pki_clone}" to be empty pki_clone="" fi else return ${default_error} fi fi # If "${pki_subsystem}" is a CA, and is NOT a "Clone", check to # see "${pki_subsystem}" is a "Root" or a "Subordinate" CA pki_hierarchy="" if [ "${pki_subsystem}" == "CA" ] && [ "${pki_clone}" != "Clone" ] then line=`grep -e '^[ \t]*hierarchy.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` if [ "${line}" != "" ] ; then pki_hierarchy=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` else return ${default_error} fi fi # If ${pki_subsystem} is a CA, check to # see if it is also a Security Domain pki_security_domain="" if [ "${pki_subsystem}" == "CA" ] ; then line=`grep -e '^[ \t]*securitydomain.select[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` if [ "${line}" != "" ] ; then pki_security_domain=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` if [ "${pki_security_domain}" == "new" ] ; then # Set a fixed value for "${pki_security_domain}" pki_security_domain="(Security Domain)" else # Reset "${pki_security_domain}" to be empty pki_security_domain="" fi else return ${default_error} fi fi # Always obtain this PKI instance's "registered" # security domain information pki_security_domain_name="" pki_security_domain_hostname="" pki_security_domain_https_admin_port="" line=`grep -e '^[ \t]*securitydomain.name[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` if [ "${line}" != "" ] ; then pki_security_domain_name=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` else return ${default_error} fi line=`grep -e '^[ \t]*securitydomain.host[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` if [ "${line}" != "" ] ; then pki_security_domain_hostname=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` else return ${default_error} fi line=`grep -e '^[ \t]*securitydomain.httpsadminport[ \t]*=' ${PKI_SUBSYSTEM_CONFIGURATION_FILE}` if [ "${line}" != "" ] ; then pki_security_domain_https_admin_port=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'` else return ${default_error} fi # Compose the "PKI Instance Name" Status Line pki_instance_name="PKI Instance Name: ${PKI_INSTANCE_ID}" # Compose the "PKI Subsystem Type" Status Line header="PKI Subsystem Type: " if [ "${pki_clone}" != "" ] ; then if [ "${pki_security_domain}" != "" ]; then # Possible Values: # # "CA Clone (Security Domain)" # data="${pki_subsystem} ${pki_clone} ${pki_security_domain}" else # Possible Values: # # "CA Clone" # "DRM Clone" # "OCSP Clone" # "TKS Clone" # data="${pki_subsystem} ${pki_clone}" fi elif [ "${pki_hierarchy}" != "" ] ; then if [ "${pki_security_domain}" != "" ]; then # Possible Values: # # "Root CA (Security Domain)" # "Subordinate CA (Security Domain)" # data="${pki_hierarchy} ${pki_subsystem} ${pki_security_domain}" else # Possible Values: # # "Root CA" # "Subordinate CA" # data="${pki_hierarchy} ${pki_subsystem}" fi else # Possible Values: # # "DRM" # "OCSP" # "RA" # "TKS" # "TPS" # data="${pki_subsystem}" fi pki_subsystem_type="${header} ${data}" # Compose the "Registered PKI Security Domain Information" Status Line header="Name: " registered_pki_security_domain_name="${header} ${pki_security_domain_name}" header="URL: " if [ "${pki_security_domain_hostname}" != "" ] && [ "${pki_security_domain_https_admin_port}" != "" ] then data="https://${pki_security_domain_hostname}:${pki_security_domain_https_admin_port}" else return ${default_error} fi registered_pki_security_domain_url="${header} ${data}" # Print the "PKI Subsystem Type" Status Line echo echo " [${pki_subsystem} Configuration Definitions]" echo " ${pki_instance_name}" # Print the "PKI Subsystem Type" Status Line echo echo " ${pki_subsystem_type}" # Print the "Registered PKI Security Domain Information" Status Line echo echo " Registered PKI Security Domain Information:" echo " ==========================================================================" echo " ${registered_pki_security_domain_name}" echo " ${registered_pki_security_domain_url}" echo " ==========================================================================" return 0 } display_configuration_information() { result=0 check_pki_configuration_status rv=$? if [ $rv -eq 0 ] ; then get_pki_status_definitions rv=$? if [ $rv -ne 0 ] ; then result=$rv echo echo "${PKI_INSTANCE_ID} Status Definitions not found" else get_subsystems for SUBSYSTEM in ${PKI_SUBSYSTEMS}; do PKI_SUBSYSTEM_CONFIGURATION_FILE="${PKI_INSTANCE_PATH}/conf/${SUBSYSTEM}/CS.cfg" get_pki_configuration_definitions rv=$? if [ $rv -ne 0 ] ; then result=$rv echo echo "${PKI_INSTANCE_ID} Configuration Definitions not found for ${SUBSYSTEM}" fi done fi fi return $result } display_instance_status_systemd() { echo -n "Status for ${PKI_INSTANCE_ID}: " systemctl status "$PKI_SYSTEMD_TARGET@$PKI_INSTANCE_ID.service" > /dev/null 2>&1 rv=$? if [ $rv -eq 0 ] ; then echo "$PKI_INSTANCE_ID is running .." display_configuration_information else echo "$PKI_INSTANCE_ID is stopped" fi return $rv } display_instance_status() { # Verify there is an initscript for this instance if [ ! -f $PKI_INSTANCE_INITSCRIPT ]; then # 4 program or service status is unknown return 4 fi # Invoke the initscript for this instance $PKI_INSTANCE_INITSCRIPT status rv=$? if [ $rv -eq 0 ] ; then display_configuration_information fi return $rv } make_symlink() { symlink="${1}" target="${2}" user="${3}" group="${4}" rv=0 echo "INFO: Attempting to create '${symlink}' -> '${target}' . . ." # Check to make certain that the expected target exists. # # NOTE: The symbolic link does NOT exist at this point. # if [ -e ${target} ]; then # Check that the expected target is fully resolvable! if [ ! `readlink -qe ${target}` ]; then # Issue an ERROR that the target to which the # symbolic link is expected to point is NOT fully resolvable! echo "ERROR: Failed making '${symlink}' -> '${target}'"\ "since target '${target}' is NOT fully resolvable!" rv=1 else # Attempt to create a symbolic link and 'chown' it. ln -s ${target} ${symlink} rv=$? if [ $rv -eq 0 ]; then # NOTE: Ignore 'chown' errors. chown -h ${user}:${group} ${symlink} echo "SUCCESS: Created '${symlink}' -> '${target}'" else echo "ERROR: Failed to create '${symlink}' -> '${target}'!" rv=1 fi fi else # Issue an ERROR that the target to which the # symbolic link is expected to point does NOT exist. echo "ERROR: Failed making '${symlink}' -> '${target}'"\ "since target '${target}' does NOT exist!" rv=1 fi return $rv } check_symlinks() { # declare -p symlinks path="${1}" user="${2}" group="${3}" rv=0 # process key/value pairs (symlink/target) in the associative array for key in "${!symlinks[@]}" do symlink="${path}/${key}" target=${symlinks[${key}]} if [ -e ${symlink} ]; then if [ -h ${symlink} ]; then current_target=`readlink ${symlink}` # Verify that the current target to which the # symlink points is the expected target if [ ${current_target} == ${target} ]; then # Check to make certain that the expected target exists. if [ -e ${target} ]; then # Check that the expected target is fully resolvable! if [ ! `readlink -qe ${target}` ]; then # Issue an ERROR that the target to which the # symbolic link is expected to point is NOT # fully resolvable! echo "WARNING: Symbolic link '${symlink}'"\ "exists, but is a dangling symlink!"\ echo "ERROR: Unable to create"\ "'${symlink}' -> '${target}'"\ "since target '${target}' is NOT fully"\ "resolvable!" rv=1 else # ALWAYS run 'chown' on an existing '${symlink}' # that points to a fully resolvable '${target}' # # NOTE: Ignore 'chown' errors. # chown -h ${user}:${group} ${symlink} # echo "SUCCESS: '${symlink}' -> '${target}'" fi else # Issue an ERROR that the target to which the # symbolic link is expected to point does NOT exist. echo "WARNING: Symbolic link '${symlink}'"\ "exists, but is a dangling symlink!"\ echo "ERROR: Unable to create"\ "'${symlink}' -> '${target}'"\ "since target '${target}' does NOT exist!" rv=1 fi else # Attempt to remove this symbolic link and # issue a WARNING that a new symbolic link is # being created to point to the expected target # rather than the current target to which it # points. echo "WARNING: Attempting to change symbolic link"\ "'${symlink}' to point to target '${target}'"\ "INSTEAD of current target '${current_target}'!" rm ${symlink} rv=$? if [ $rv -ne 0 ]; then echo "ERROR: Failed to remove"\ "'${symlink}' -> '${current_target}'!" rv=1 else echo "INFO: Removed"\ "'${symlink}' -> '${current_target}'!" # Attempt to create the symbolic link and chown it. make_symlink ${symlink} ${target} ${user} ${group} rv=$? fi fi elif [ -f ${symlink} ]; then # Issue a WARNING that the administrator may have replaced # the symbolic link with a file for debugging purposes. echo "WARNING: '${symlink}' exists but is NOT a symbolic link!" else # Issue an ERROR that the symbolic link has been replaced # by something unusable (such as a directory). echo "ERROR: '${symlink}' exists but is NOT a symbolic link!" rv=1 fi else # Issue a WARNING that this symbolic link does not exist. echo "WARNING: Symbolic link '${symlink}' does NOT exist!" # Attempt to create the symbolic link and chown it. make_symlink ${symlink} ${target} ${user} ${group} rv=$? fi done return $rv } # Detect and correct any missing or incorrect symlinks. # # Use the following command to locate PKI 'instance' symlinks: # # find ${PKI_INSTANCE_PATH} -type l | sort | xargs file # verify_symlinks() { # declare associative arrays declare -A base_symlinks declare -A root_symlinks declare -A ca_symlinks declare -A kra_symlinks declare -A ocsp_symlinks declare -A tks_symlinks declare -A common_jar_symlinks declare -A ca_jar_symlinks declare -A kra_jar_symlinks declare -A ocsp_jar_symlinks declare -A tks_jar_symlinks declare -A systemd_symlinks # Dogtag 10 Conditional Variables if [ ${ARCHITECTURE} == "x86_64" ]; then jni_dir="/usr/lib64/java" else jni_dir="/usr/lib/java" fi # Dogtag 10 Symbolic Link Target Variables java_dir="/usr/share/java" pki_systemd_service="pki-${PKI_WEB_SERVER_TYPE}d@.service" systemd_dir="/lib/systemd/system" # Dogtag 10 Symbolic Link Variables pki_common_jar_dir="${PKI_INSTANCE_PATH}/common/lib" pki_registry_dir="/etc/sysconfig/pki/${PKI_WEB_SERVER_TYPE}/${PKI_INSTANCE_ID}" pki_systemd_dir="/etc/systemd/system/pki-tomcatd.target.wants" pki_systemd_link="pki-${PKI_WEB_SERVER_TYPE}d@${PKI_INSTANCE_ID}.service" pki_ca_jar_dir="${PKI_INSTANCE_PATH}/webapps/ca/WEB-INF/lib" pki_kra_jar_dir="${PKI_INSTANCE_PATH}/webapps/kra/WEB-INF/lib" pki_ocsp_jar_dir="${PKI_INSTANCE_PATH}/webapps/ocsp/WEB-INF/lib" pki_tks_jar_dir="${PKI_INSTANCE_PATH}/webapps/tks/WEB-INF/lib" # '${PKI_INSTANCE_PATH}' symlinks base_symlinks=( [alias]=/etc/pki/${PKI_INSTANCE_ID}/alias [bin]=/usr/share/tomcat/bin [conf]=/etc/pki/${PKI_INSTANCE_ID} [logs]=/var/log/pki/${PKI_INSTANCE_ID}) # '${PKI_INSTANCE_PATH}' symlinks (root:root ownership) root_symlinks[${PKI_INSTANCE_ID}]=/usr/sbin/tomcat-sysd # '${PKI_INSTANCE_PATH}/ca' symlinks ca_symlinks=( [alias]=${PKI_INSTANCE_PATH}/alias [conf]=/etc/pki/${PKI_INSTANCE_ID}/ca [logs]=/var/log/pki/${PKI_INSTANCE_ID}/ca [registry]=${pki_registry_dir} [webapps]=${PKI_INSTANCE_PATH}/webapps) # '${pki_ca_jar_dir}' symlinks ca_jar_symlinks=( [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar [pki-cms.jar]=${java_dir}/pki/pki-cms.jar [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar [pki-ca.jar]=${java_dir}/pki/pki-ca.jar) # '${PKI_INSTANCE_PATH}/kra' symlinks kra_symlinks=( [alias]=${PKI_INSTANCE_PATH}/alias [conf]=/etc/pki/${PKI_INSTANCE_ID}/kra [logs]=/var/log/pki/${PKI_INSTANCE_ID}/kra [registry]=${pki_registry_dir} [webapps]=${PKI_INSTANCE_PATH}/webapps) # '${pki_kra_jar_dir}' symlinks kra_jar_symlinks=( [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar [pki-cms.jar]=${java_dir}/pki/pki-cms.jar [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar [pki-kra.jar]=${java_dir}/pki/pki-kra.jar) # '${PKI_INSTANCE_PATH}/ocsp' symlinks ocsp_symlinks=( [alias]=${PKI_INSTANCE_PATH}/alias [conf]=/etc/pki/${PKI_INSTANCE_ID}/ocsp [logs]=/var/log/pki/${PKI_INSTANCE_ID}/ocsp [registry]=${pki_registry_dir} [webapps]=${PKI_INSTANCE_PATH}/webapps) # '${pki_ocsp_jar_dir}' symlinks ocsp_jar_symlinks=( [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar [pki-cms.jar]=${java_dir}/pki/pki-cms.jar [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar [pki-ocsp.jar]=${java_dir}/pki/pki-ocsp.jar) # '${PKI_INSTANCE_PATH}/tks' symlinks tks_symlinks=( [alias]=${PKI_INSTANCE_PATH}/alias [conf]=/etc/pki/${PKI_INSTANCE_ID}/tks [logs]=/var/log/pki/${PKI_INSTANCE_ID}/tks [registry]=${pki_registry_dir} [webapps]=${PKI_INSTANCE_PATH}/webapps) # '${pki_tks_jar_dir}' symlinks tks_jar_symlinks=( [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar [pki-cms.jar]=${java_dir}/pki/pki-cms.jar [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar [pki-tks.jar]=${java_dir}/pki/pki-tks.jar) # '${pki_common_jar_dir}' symlinks common_jar_symlinks=( [apache-commons-codec.jar]=${java_dir}/commons-codec.jar [apache-commons-collections.jar]=${java_dir}/apache-commons-collections.jar [apache-commons-lang.jar]=${java_dir}/apache-commons-lang.jar [apache-commons-logging.jar]=${java_dir}/apache-commons-logging.jar [httpclient.jar]=${java_dir}/httpcomponents/httpclient.jar [httpcore.jar]=${java_dir}/httpcomponents/httpcore.jar [javassist.jar]=${java_dir}/javassist.jar [jaxrs-api.jar]=${RESTEASY_LIB}/jaxrs-api.jar [jettison.jar]=${java_dir}/jettison.jar [jss4.jar]=${jni_dir}/jss4.jar [ldapjdk.jar]=${java_dir}/ldapjdk.jar [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar [resteasy-jettison-provider.jar]=${RESTEASY_LIB}/resteasy-jettison-provider.jar [scannotation.jar]=${java_dir}/scannotation.jar [tomcatjss.jar]=${java_dir}/tomcatjss.jar [velocity.jar]=${java_dir}/velocity.jar [xerces-j2.jar]=${java_dir}/xerces-j2.jar [xml-commons-apis.jar]=${java_dir}/xml-commons-apis.jar [xml-commons-resolver.jar]=${java_dir}/xml-commons-resolver.jar) if [ -e ${PKI_INSTANCE_PATH}/tks ]; then common_jar_symlinks[symkey.jar]=${jni_dir}/symkey.jar fi # '${pki_systemd_dir}' symlinks systemd_symlinks[${pki_systemd_link}]=${systemd_dir}/${pki_systemd_service} # Detect and correct 'Tomcat' symbolic links # # (1) convert the specified associative array into a string # (2) create a new global 'symlinks' associative array from this # specified string which will be used by the "check_symlinks()" # subroutine # (3) call "check_symlinks()" with the appropriate arguments to # detect and correct this specified associative array; # "check_symlinks()" returns 0 on success and 1 on failure # if [ ${PKI_WEB_SERVER_TYPE} == 'tomcat' ]; then # Detect and correct 'base_symlinks' base_symlinks_string=$(declare -p base_symlinks) eval "declare -A symlinks=${base_symlinks_string#*=}" check_symlinks ${PKI_INSTANCE_PATH} ${PKI_USER} ${PKI_GROUP} rv=$? if [ $rv -ne 0 ]; then return $rv fi # Detect and correct 'root_symlinks' root_symlinks_string=$(declare -p root_symlinks) eval "declare -A symlinks=${root_symlinks_string#*=}" check_symlinks ${PKI_INSTANCE_PATH} "root" "root" rv=$? if [ $rv -ne 0 ]; then return $rv fi if [ -e ${PKI_INSTANCE_PATH}/ca ]; then # Detect and correct 'ca_symlinks' ca_symlinks_string=$(declare -p ca_symlinks) eval "declare -A symlinks=${ca_symlinks_string#*=}" check_symlinks ${PKI_INSTANCE_PATH}/ca ${PKI_USER} ${PKI_GROUP} rv=$? if [ $rv -ne 0 ]; then return $rv fi # Detect and correct 'ca_jar_symlinks' ca_jar_symlinks_string=$(declare -p ca_jar_symlinks) eval "declare -A symlinks=${ca_jar_symlinks_string#*=}" check_symlinks ${pki_ca_jar_dir} ${PKI_USER} ${PKI_GROUP} rv=$? if [ $rv -ne 0 ]; then return $rv fi fi if [ -e ${PKI_INSTANCE_PATH}/kra ]; then # Detect and correct 'kra_symlinks' kra_symlinks_string=$(declare -p kra_symlinks) eval "declare -A symlinks=${kra_symlinks_string#*=}" check_symlinks ${PKI_INSTANCE_PATH}/kra ${PKI_USER} ${PKI_GROUP} rv=$? if [ $rv -ne 0 ]; then return $rv fi # Detect and correct 'kra_jar_symlinks' kra_jar_symlinks_string=$(declare -p kra_jar_symlinks) eval "declare -A symlinks=${kra_jar_symlinks_string#*=}" check_symlinks ${pki_kra_jar_dir} ${PKI_USER} ${PKI_GROUP} rv=$? if [ $rv -ne 0 ]; then return $rv fi fi if [ -e ${PKI_INSTANCE_PATH}/ocsp ]; then # Detect and correct 'ocsp_symlinks' ocsp_symlinks_string=$(declare -p ocsp_symlinks) eval "declare -A symlinks=${ocsp_symlinks_string#*=}" check_symlinks ${PKI_INSTANCE_PATH}/ocsp ${PKI_USER} ${PKI_GROUP} rv=$? if [ $rv -ne 0 ]; then return $rv fi # Detect and correct 'ocsp_jar_symlinks' ocsp_jar_symlinks_string=$(declare -p ocsp_jar_symlinks) eval "declare -A symlinks=${ocsp_jar_symlinks_string#*=}" check_symlinks ${pki_ocsp_jar_dir} ${PKI_USER} ${PKI_GROUP} rv=$? if [ $rv -ne 0 ]; then return $rv fi fi if [ -e ${PKI_INSTANCE_PATH}/tks ]; then # Detect and correct 'tks_symlinks' tks_symlinks_string=$(declare -p tks_symlinks) eval "declare -A symlinks=${tks_symlinks_string#*=}" check_symlinks ${PKI_INSTANCE_PATH}/tks ${PKI_USER} ${PKI_GROUP} rv=$? if [ $rv -ne 0 ]; then return $rv fi # Detect and correct 'tks_jar_symlinks' tks_jar_symlinks_string=$(declare -p tks_jar_symlinks) eval "declare -A symlinks=${tks_jar_symlinks_string#*=}" check_symlinks ${pki_tks_jar_dir} ${PKI_USER} ${PKI_GROUP} rv=$? if [ $rv -ne 0 ]; then return $rv fi fi # Detect and correct 'common_jar_symlinks' common_jar_symlinks_string=$(declare -p common_jar_symlinks) eval "declare -A symlinks=${common_jar_symlinks_string#*=}" check_symlinks ${pki_common_jar_dir} ${PKI_USER} ${PKI_GROUP} rv=$? if [ $rv -ne 0 ]; then return $rv fi # Detect and correct 'systemd_symlinks' systemd_symlinks_string=$(declare -p systemd_symlinks) eval "declare -A symlinks=${systemd_symlinks_string#*=}" check_symlinks ${pki_systemd_dir} ${PKI_USER} ${PKI_GROUP} rv=$? if [ $rv -ne 0 ]; then return $rv fi fi return 0 } start_instance() { rv=0 if [ -f ${RESTART_SERVER} ] ; then rm -f ${RESTART_SERVER} fi # Verify symbolic links (detecting and correcting them if possible) verify_symlinks rv=$? if [ $rv -ne 0 ] ; then return $rv fi # Invoke the initscript for this instance case $PKI_WEB_SERVER_TYPE in tomcat) # Generate catalina.policy dynamically. cat /usr/share/pki/server/conf/catalina.policy \ /usr/share/tomcat/conf/catalina.policy \ /usr/share/pki/server/conf/pki.policy \ /var/lib/pki/$PKI_INSTANCE_ID/conf/custom.policy > \ /var/lib/pki/$PKI_INSTANCE_ID/conf/catalina.policy # We must export the service name so that the systemd version # of the tomcat init script knows which instance specific # configuration file to source. export SERVICE_NAME=$PKI_INSTANCE_ID $PKI_INSTANCE_INITSCRIPT start rv=$? ;; apache) $PKI_INSTANCE_INITSCRIPT start rv=$? ;; esac if [ $rv -ne 0 ] ; then return $rv fi # On Tomcat subsystems, make certain that the service has started case $PKI_WEB_SERVER_TYPE in tomcat) count=0 tries=30 port=${PKI_UNSECURE_PORT} while [ $count -lt $tries ] do netstat -antl | grep ${port} > /dev/null netrv=$? if [ $netrv -eq 0 ] ; then break; fi sleep 1 let count=$count+1; done if [ $netrv -ne 0 ] ; then return 1 fi ;; esac if [ $rv -eq 0 ] ; then # From the PKI point of view a returned error code of 6 implies # that the program is not "configured". An error code of 1 implies # that the program was "configured" but must still be restarted. # # If the return code is 6 return this value unchanged to the # calling routine so that the total number of configuration errors # may be counted. Other return codes are ignored. # check_pki_configuration_status rv=$? if [ $rv -eq 6 ]; then # 6 program is not configured return 6 else # 0 success return 0 fi fi return $rv } stop_instance() { rv=0 export SERVICE_NAME=$PKI_INSTANCE_ID # Invoke the initscript for this instance $PKI_INSTANCE_INITSCRIPT stop rv=$? # On Tomcat subsystems, always remove the "pki subsystem identity" symlinks # that were previously associated with the Tomcat 'pid' and 'lock' files. case $PKI_WEB_SERVER_TYPE in tomcat) if [ -f ${PKI_PIDFILE} ]; then rm -f ${PKI_PIDFILE} fi ;; esac return $rv } start() { error_rv=0 rv=0 config_errors=0 errors=0 if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then echo echo "ERROR: No '${PKI_TYPE}' instances installed!" # 5 program is not installed return 5 fi if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ]; then echo "BEGIN STARTING '${PKI_TYPE}' INSTANCES:" fi # Start every PKI instance of this type that isn't already running for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do # Source values associated with this particular PKI instance [ -f ${PKI_REGISTRY_ENTRY} ] && . ${PKI_REGISTRY_ENTRY} [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo start_instance rv=$? if [ $rv = 6 ] ; then # Since at least ONE configuration error exists, then there # is at least ONE unconfigured instance from the PKI point # of view. # # However, it must still be considered that the # instance is "running" from the point of view of other # OS programs such as 'chkconfig'. # # Therefore, ignore non-zero return codes resulting # from configuration errors. # config_errors=`expr $config_errors + 1` rv=0 elif [ $rv != 0 ] ; then errors=`expr $errors + 1` error_rv=$rv fi done if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt ${errors} ] ; then touch ${lockfile} chmod 00600 ${lockfile} fi # ONLY print a "WARNING" message if multiple # instances are being examined if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then # NOTE: "bad" return code(s) OVERRIDE configuration errors! if [ ${errors} -eq 1 ]; then # Since only ONE error exists, return that "bad" error code. rv=${error_rv} elif [ ${errors} -gt 1 ]; then # Since MORE than ONE error exists, return an OVERALL status # of "1 generic or unspecified error (current practice)" rv=1 fi if [ ${errors} -ge 1 ]; then echo echo -n "WARNING: " echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " echo -n "'${PKI_TYPE}' instances failed to start!" echo fi if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then echo echo -n "WARNING: " echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " echo -n "'${PKI_TYPE}' instances MUST be configured!" echo fi echo echo "FINISHED STARTING '${PKI_TYPE}' INSTANCE(S)." fi return $rv } stop() { error_rv=0 rv=0 errors=0 if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then echo echo "ERROR: No '${PKI_TYPE}' instances installed!" # 5 program is not installed return 5 fi if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):" fi # Shutdown every PKI instance of this type that is running for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do # Source values associated with this particular PKI instance [ -f ${PKI_REGISTRY_ENTRY} ] && . ${PKI_REGISTRY_ENTRY} [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo stop_instance rv=$? if [ $rv != 0 ] ; then errors=`expr $errors + 1` error_rv=$rv fi done if [ ${errors} -eq 0 ] ; then rm -f ${lockfile} fi # ONLY print a "WARNING" message if multiple # instances are being examined if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then if [ ${errors} -eq 1 ]; then # Since only ONE error exists, return that "bad" error code. rv=${error_rv} elif [ ${errors} -gt 1 ]; then # Since MORE than ONE error exists, return an OVERALL status # of "1 generic or unspecified error (current practice)" rv=1 fi if [ ${errors} -ge 1 ]; then echo echo -n "WARNING: " echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " echo -n "'${PKI_TYPE}' instances were " echo -n "unsuccessfully stopped!" echo fi echo echo "FINISHED SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S)." fi return $rv } restart() { stop sleep 2 start return $? } registry_status() { error_rv=0 rv=0 errors=0 if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -eq 0 ]; then echo echo "ERROR: No '${PKI_TYPE}' instances installed!" # 4 program or service status is unknown return 4 fi if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then echo "REPORT STATUS OF '${PKI_TYPE}' INSTANCE(S):" fi # Obtain status of every PKI instance of this type for PKI_REGISTRY_ENTRY in ${PKI_REGISTRY_ENTRIES}; do # Source values associated with this particular PKI instance [ -f ${PKI_REGISTRY_ENTRY} ] && . ${PKI_REGISTRY_ENTRY} [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] && echo case $PKI_WEB_SERVER_TYPE in tomcat) if [ $SYSTEMD ]; then display_instance_status_systemd else display_instance_status fi rv=$? ;; apache) display_instance_status rv=$? ;; esac if [ $rv -ne 0 ] ; then errors=`expr $errors + 1` error_rv=$rv fi done # ONLY print a "WARNING" message if multiple # instances are being examined if [ ${TOTAL_PKI_REGISTRY_ENTRIES} -gt 1 ] ; then if [ ${errors} -eq 1 ]; then # Since only ONE error exists, return that "bad" error code. rv=${error_rv} elif [ ${errors} -gt 1 ]; then # Since MORE than ONE error exists, return an OVERALL status # of "4 - program or service status is unknown" rv=4 fi if [ ${errors} -ge 1 ]; then echo echo -n "WARNING: " echo -n "${errors} of ${TOTAL_PKI_REGISTRY_ENTRIES} " echo -n "'${PKI_TYPE}' instances reported status failures!" echo fi if [ ${TOTAL_UNCONFIGURED_PKI_ENTRIES} -ge 1 ]; then echo echo -n "WARNING: " echo -n "${TOTAL_UNCONFIGURED_PKI_ENTRIES} " echo -n "of ${TOTAL_PKI_REGISTRY_ENTRIES} " echo -n "'${PKI_TYPE}' instances MUST be configured!" echo fi echo echo "FINISHED REPORTING STATUS OF '${PKI_TYPE}' INSTANCE(S)." fi return $rv } span class="hl ppc">#include <fcntl.h> #include <unistd.h> #include <sys/stat.h> /* required for HP UX */ #include <errno.h> #include <pthread.h> #include "rsyslog.h" #include "stringbuf.h" #include "srUtils.h" #include "obj.h" #include "stream.h" #include "unicode-helper.h" #include "module-template.h" #include <sys/prctl.h> /* static data */ DEFobjStaticHelpers DEFobjCurrIf(zlibw) /* forward definitions */ static rsRetVal strmFlush(strm_t *pThis); static rsRetVal strmWrite(strm_t *pThis, uchar *pBuf, size_t lenBuf); static rsRetVal strmCloseFile(strm_t *pThis); static void *asyncWriterThread(void *pPtr); /* methods */ /* Try to resolve a size limit situation. This is used to support custom-file size handlers * for omfile. It first runs the command, and then checks if we are still above the size * treshold. Note that this works only with single file names, NOT with circular names. * Note that pszCurrFName can NOT be taken from pThis, because the stream is closed when * we are called (and that destroys pszCurrFName, as there is NO CURRENT file name!). So * we need to receive the name as a parameter. * initially wirtten 2005-06-21, moved to this class & updates 2009-06-01, both rgerhards */ static rsRetVal resolveFileSizeLimit(strm_t *pThis, uchar *pszCurrFName) { uchar *pParams; uchar *pCmd; uchar *p; off_t actualFileSize; rsRetVal localRet; DEFiRet; ISOBJ_TYPE_assert(pThis, strm); assert(pszCurrFName != NULL); if(pThis->pszSizeLimitCmd == NULL) { ABORT_FINALIZE(RS_RET_NON_SIZELIMITCMD); /* nothing we can do in this case... */ } /* we first check if we have command line parameters. We assume this, * when we have a space in the program name. If we find it, everything after * the space is treated as a single argument. */ CHKmalloc(pCmd = ustrdup(pThis->pszSizeLimitCmd)); for(p = pCmd ; *p && *p != ' ' ; ++p) { /* JUST SKIP */ } if(*p == ' ') { *p = '\0'; /* pretend string-end */ pParams = p+1; } else pParams = NULL; /* the execProg() below is probably not great, but at least is is * fairly secure now. Once we change the way file size limits are * handled, we should also revisit how this command is run (and * with which parameters). rgerhards, 2007-07-20 */ execProg(pCmd, 1, pParams); free(pCmd); localRet = getFileSize(pszCurrFName, &actualFileSize); if(localRet == RS_RET_OK && actualFileSize >= pThis->iSizeLimit) { ABORT_FINALIZE(RS_RET_SIZELIMITCMD_DIDNT_RESOLVE); /* OK, it didn't work out... */ } else if(localRet != RS_RET_FILE_NOT_FOUND) { /* file not found is OK, the command may have moved away the file */ ABORT_FINALIZE(localRet); } finalize_it: if(iRet != RS_RET_OK) { if(iRet == RS_RET_SIZELIMITCMD_DIDNT_RESOLVE) dbgprintf("file size limit cmd for file '%s' did no resolve situation\n", pszCurrFName); else dbgprintf("file size limit cmd for file '%s' failed with code %d.\n", pszCurrFName, iRet); pThis->bDisabled = 1; } RETiRet; } /* Check if the file has grown beyond the configured omfile iSizeLimit * and, if so, initiate processing. */ static rsRetVal doSizeLimitProcessing(strm_t *pThis) { uchar *pszCurrFName = NULL; DEFiRet; ISOBJ_TYPE_assert(pThis, strm); ASSERT(pThis->iSizeLimit != 0); ASSERT(pThis->fd != -1); if(pThis->iCurrOffs >= pThis->iSizeLimit) { /* strmClosefile() destroys the current file name, so we * need to preserve it. */ CHKmalloc(pszCurrFName = ustrdup(pThis->pszCurrFName)); CHKiRet(strmCloseFile(pThis)); CHKiRet(resolveFileSizeLimit(pThis, pszCurrFName)); } finalize_it: free(pszCurrFName); RETiRet; } /* now, we define type-specific handlers. The provide a generic functionality, * but for this specific type of strm. The mapping to these handlers happens during * strm construction. Later on, handlers are called by pointers present in the * strm instance object. */ /* do the physical open() call on a file. */ static rsRetVal doPhysOpen(strm_t *pThis) { int iFlags = 0; DEFiRet; ISOBJ_TYPE_assert(pThis, strm); /* compute which flags we need to provide to open */ switch(pThis->tOperationsMode) { case STREAMMODE_READ: iFlags = O_CLOEXEC | O_NOCTTY | O_RDONLY; break; case STREAMMODE_WRITE: /* legacy mode used inside queue engine */ iFlags = O_CLOEXEC | O_NOCTTY | O_WRONLY | O_CREAT; break; case STREAMMODE_WRITE_TRUNC: iFlags = O_CLOEXEC | O_NOCTTY | O_WRONLY | O_CREAT | O_TRUNC; break; case STREAMMODE_WRITE_APPEND: iFlags = O_CLOEXEC | O_NOCTTY | O_WRONLY | O_CREAT | O_APPEND; break; default:assert(0); break; } pThis->fd = open((char*)pThis->pszCurrFName, iFlags, pThis->tOpenMode); if(pThis->fd == -1) { int ierrnoSave = errno; dbgoprint((obj_t*) pThis, "open error %d, file '%s'\n", errno, pThis->pszCurrFName); if(ierrnoSave == ENOENT) ABORT_FINALIZE(RS_RET_FILE_NOT_FOUND); else ABORT_FINALIZE(RS_RET_IO_ERROR); } else { if(!ustrcmp(pThis->pszCurrFName, UCHAR_CONSTANT(_PATH_CONSOLE)) || isatty(pThis->fd)) { DBGPRINTF("file %d is a tty-type file\n", pThis->fd); pThis->bIsTTY = 1; } else { pThis->bIsTTY = 0; } } finalize_it: RETiRet; } /* open a strm file * It is OK to call this function when the stream is already open. In that * case, it returns immediately with RS_RET_OK */ static rsRetVal strmOpenFile(strm_t *pThis) { DEFiRet; ASSERT(pThis != NULL); if(pThis->fd != -1) ABORT_FINALIZE(RS_RET_OK); if(pThis->pszFName == NULL) ABORT_FINALIZE(RS_RET_FILE_PREFIX_MISSING); if(pThis->sType == STREAMTYPE_FILE_CIRCULAR) { CHKiRet(genFileName(&pThis->pszCurrFName, pThis->pszDir, pThis->lenDir, pThis->pszFName, pThis->lenFName, pThis->iCurrFNum, pThis->iFileNumDigits)); } else { if(pThis->pszDir == NULL) { if((pThis->pszCurrFName = (uchar*) strdup((char*) pThis->pszFName)) == NULL) ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY); } else { CHKiRet(genFileName(&pThis->pszCurrFName, pThis->pszDir, pThis->lenDir, pThis->pszFName, pThis->lenFName, -1, 0)); } } CHKiRet(doPhysOpen(pThis)); pThis->iCurrOffs = 0; if(pThis->tOperationsMode == STREAMMODE_WRITE_APPEND) { /* we need to obtain the current offset */ off_t offset; CHKiRet(getFileSize(pThis->pszCurrFName, &offset)); pThis->iCurrOffs = offset; } dbgoprint((obj_t*) pThis, "opened file '%s' for %s as %d\n", pThis->pszCurrFName, (pThis->tOperationsMode == STREAMMODE_READ) ? "READ" : "WRITE", pThis->fd); finalize_it: RETiRet; } /* close a strm file * Note that the bDeleteOnClose flag is honored. If it is set, the file will be * deleted after close. This is in support for the qRead thread. */ static rsRetVal strmCloseFile(strm_t *pThis) { DEFiRet; ASSERT(pThis != NULL); ASSERT(pThis->fd != -1); dbgoprint((obj_t*) pThis, "file %d closing\n", pThis->fd); if(pThis->tOperationsMode != STREAMMODE_READ) strmFlush(pThis); close(pThis->fd); pThis->fd = -1; if(pThis->fdDir != -1) { /* close associated directory handle, if it is open */ close(pThis->fdDir); pThis->fdDir = -1; } if(pThis->bDeleteOnClose) { if(unlink((char*) pThis->pszCurrFName) == -1) { char errStr[1024]; int err = errno; rs_strerror_r(err, errStr, sizeof(errStr)); DBGPRINTF("error %d unlinking '%s' - ignored: %s\n", errno, pThis->pszCurrFName, errStr); } } pThis->iCurrOffs = 0; /* we are back at begin of file */ if(pThis->pszCurrFName != NULL) { free(pThis->pszCurrFName); /* no longer needed in any case (just for open) */ pThis->pszCurrFName = NULL; } RETiRet; } /* switch to next strm file * This method must only be called if we are in a multi-file mode! */ static rsRetVal strmNextFile(strm_t *pThis) { DEFiRet; ASSERT(pThis != NULL); ASSERT(pThis->iMaxFiles != 0); ASSERT(pThis->fd != -1); CHKiRet(strmCloseFile(pThis)); /* we do modulo operation to ensure we obey the iMaxFile property. This will always * result in a file number lower than iMaxFile, so it if wraps, the name is back to * 0, which results in the first file being overwritten. Not desired for queues, so * make sure their iMaxFiles is large enough. But it is well-desired for other * use cases, e.g. a circular output log file. -- rgerhards, 2008-01-10 */ pThis->iCurrFNum = (pThis->iCurrFNum + 1) % pThis->iMaxFiles; finalize_it: RETiRet; } /* handle the eof case for monitored files. * If we are monitoring a file, someone may have rotated it. In this case, we * also need to close it and reopen it under the same name. * rgerhards, 2008-02-13 */ static rsRetVal strmHandleEOFMonitor(strm_t *pThis) { DEFiRet; struct stat statOpen; struct stat statName; ISOBJ_TYPE_assert(pThis, strm); /* find inodes of both current descriptor as well as file now in file * system. If they are different, the file has been rotated (or * otherwise rewritten). We also check the size, because the inode * does not change if the file is truncated (this, BTW, is also a case * where we actually loose log lines, because we can not do anything * against truncation...). We do NOT rely on the time of last * modificaton because that may not be available under all * circumstances. -- rgerhards, 2008-02-13 */ if(fstat(pThis->fd, &statOpen) == -1) ABORT_FINALIZE(RS_RET_IO_ERROR); if(stat((char*) pThis->pszCurrFName, &statName) == -1) ABORT_FINALIZE(RS_RET_IO_ERROR); if(statOpen.st_ino == statName.st_ino && pThis->iCurrOffs == statName.st_size) { ABORT_FINALIZE(RS_RET_EOF); } else { /* we had a file change! */ CHKiRet(strmCloseFile(pThis)); CHKiRet(strmOpenFile(pThis)); } finalize_it: RETiRet; } /* handle the EOF case of a stream * The EOF case is somewhat complicated, as the proper action depends on the * mode the stream is in. If there are multiple files (circular logs, most * important use case is queue files!), we need to close the current file and * try to open the next one. * rgerhards, 2008-02-13 */ static rsRetVal strmHandleEOF(strm_t *pThis) { DEFiRet; ISOBJ_TYPE_assert(pThis, strm); switch(pThis->sType) { case STREAMTYPE_FILE_SINGLE: ABORT_FINALIZE(RS_RET_EOF); break; case STREAMTYPE_FILE_CIRCULAR: /* we have multiple files and need to switch to the next one */ /* TODO: think about emulating EOF in this case (not yet needed) */ dbgoprint((obj_t*) pThis, "file %d EOF\n", pThis->fd); CHKiRet(strmNextFile(pThis)); break; case STREAMTYPE_FILE_MONITOR: CHKiRet(strmHandleEOFMonitor(pThis)); break; } finalize_it: RETiRet; } /* read the next buffer from disk * rgerhards, 2008-02-13 */ static rsRetVal strmReadBuf(strm_t *pThis) { DEFiRet; int bRun; long iLenRead; ISOBJ_TYPE_assert(pThis, strm); /* We need to try read at least twice because we may run into EOF and need to switch files. */ bRun = 1; while(bRun) { /* first check if we need to (re)open the file. We may have switched to a new one in * circular mode or it may have been rewritten (rotated) if we monitor a file * rgerhards, 2008-02-13 */ CHKiRet(strmOpenFile(pThis)); iLenRead = read(pThis->fd, pThis->pIOBuf, pThis->sIOBufSize); dbgoprint((obj_t*) pThis, "file %d read %ld bytes\n", pThis->fd, iLenRead); if(iLenRead == 0) { CHKiRet(strmHandleEOF(pThis)); } else if(iLenRead < 0) ABORT_FINALIZE(RS_RET_IO_ERROR); else { /* good read */ pThis->iBufPtrMax = iLenRead; bRun = 0; /* exit loop */ } } /* if we reach this point, we had a good read */ pThis->iBufPtr = 0; finalize_it: RETiRet; } /* logically "read" a character from a file. What actually happens is that * data is taken from the buffer. Only if the buffer is full, data is read * directly from file. In that case, a read is performed blockwise. * rgerhards, 2008-01-07 * NOTE: needs to be enhanced to support sticking with a strm entry (if not * deleted). */ static rsRetVal strmReadChar(strm_t *pThis, uchar *pC) { DEFiRet; ASSERT(pThis != NULL); ASSERT(pC != NULL); /* DEV debug only: dbgoprint((obj_t*) pThis, "strmRead index %d, max %d\n", pThis->iBufPtr, pThis->iBufPtrMax); */ if(pThis->iUngetC != -1) { /* do we have an "unread" char that we need to provide? */ *pC = pThis->iUngetC; ++pThis->iCurrOffs; /* one more octet read */ pThis->iUngetC = -1; ABORT_FINALIZE(RS_RET_OK); } /* do we need to obtain a new buffer? */ if(pThis->iBufPtr >= pThis->iBufPtrMax) { CHKiRet(strmReadBuf(pThis)); } /* if we reach this point, we have data available in the buffer */ *pC = pThis->pIOBuf[pThis->iBufPtr++]; ++pThis->iCurrOffs; /* one more octet read */ finalize_it: RETiRet; } /* unget a single character just like ungetc(). As with that call, there is only a single * character buffering capability. * rgerhards, 2008-01-07 */ static rsRetVal strmUnreadChar(strm_t *pThis, uchar c) { ASSERT(pThis != NULL); ASSERT(pThis->iUngetC == -1); pThis->iUngetC = c; --pThis->iCurrOffs; /* one less octet read - NOTE: this can cause problems if we got a file change and immediately do an unread and the file is on a buffer boundary and the stream is then persisted. With the queue, this can not happen as an Unread is only done on record begin, which is never split accross files. For other cases we accept the very remote risk. -- rgerhards, 2008-01-12 */ return RS_RET_OK; } /* read a line from a strm file. A line is terminated by LF. The LF is read, but it * is not returned in the buffer (it is discared). The caller is responsible for * destruction of the returned CStr object! -- rgerhards, 2008-01-07 * rgerhards, 2008-03-27: I now use the ppCStr directly, without any interim * string pointer. The reason is that this function my be called by inputs, which * are pthread_killed() upon termination. So if we use their native pointer, they * can cleanup (but only then). */ static rsRetVal strmReadLine(strm_t *pThis, cstr_t **ppCStr) { DEFiRet; uchar c; ASSERT(pThis != NULL); ASSERT(ppCStr != NULL); CHKiRet(cstrConstruct(ppCStr)); /* now read the line */ CHKiRet(strmReadChar(pThis, &c)); while(c != '\n') { CHKiRet(cstrAppendChar(*ppCStr, c)); CHKiRet(strmReadChar(pThis, &c)); } CHKiRet(cstrFinalize(*ppCStr)); finalize_it: if(iRet != RS_RET_OK && *ppCStr != NULL) cstrDestruct(ppCStr); RETiRet; } /* Standard-Constructor for the strm object */ BEGINobjConstruct(strm) /* be sure to specify the object type also in END macro! */ pThis->iCurrFNum = 1; pThis->fd = -1; pThis->fdDir = -1; pThis->iUngetC = -1; pThis->sType = STREAMTYPE_FILE_SINGLE; pThis->sIOBufSize = glblGetIOBufSize(); pThis->tOpenMode = 0600; ENDobjConstruct(strm) /* ConstructionFinalizer * rgerhards, 2008-01-09 */ static rsRetVal strmConstructFinalize(strm_t *pThis) { rsRetVal localRet; int i; DEFiRet; ASSERT(pThis != NULL); pThis->iBufPtrMax = 0; /* results in immediate read request */ if(pThis->iZipLevel) { /* do we need a zip buf? */ localRet = objUse(zlibw, LM_ZLIBW_FILENAME); if(localRet != RS_RET_OK) { pThis->iZipLevel = 0; DBGPRINTF("stream was requested with zip mode, but zlibw module unavailable (%d) - using " "without zip\n", localRet); } else { /* we use the same size as the original buf, as we would like * to make sure we can write out everyting with a SINGLE api call! */ CHKmalloc(pThis->pZipBuf = (Bytef*) malloc(sizeof(uchar) * pThis->sIOBufSize)); } } /* if we are aset to sync, we must obtain a file handle to the directory for fsync() purposes */ if(pThis->bSync && !pThis->bIsTTY) { pThis->fdDir = open((char*)pThis->pszDir, O_RDONLY | O_CLOEXEC | O_NOCTTY); if(pThis->fdDir == -1) { char errStr[1024]; int err = errno; rs_strerror_r(err, errStr, sizeof(errStr)); DBGPRINTF("error %d opening directory file for fsync() use - fsync for directory disabled: %s\n", errno, errStr); } } dbgprintf("TTT: before checks: iFlushInterval %d, bAsyncWrite %d\n", pThis->iFlushInterval, pThis->bAsyncWrite); /* if we have a flush interval, we need to do async writes in any case */ if(pThis->iFlushInterval != 0) { pThis->bAsyncWrite = 1; } dbgprintf("TTT: after checks: iFlushInterval %d, bAsyncWrite %d\n", pThis->iFlushInterval, pThis->bAsyncWrite); /* if we work asynchronously, we need a couple of synchronization objects */ if(pThis->bAsyncWrite) { pthread_mutex_init(&pThis->mut, 0); pthread_cond_init(&pThis->notFull, 0); pthread_cond_init(&pThis->notEmpty, 0); pthread_cond_init(&pThis->isEmpty, 0); pThis->iCnt = pThis->iEnq = pThis->iDeq = 0; for(i = 0 ; i < STREAM_ASYNC_NUMBUFS ; ++i) { CHKmalloc(pThis->asyncBuf[i].pBuf = (uchar*) malloc(sizeof(uchar) * pThis->sIOBufSize)); } //pThis->pIOBuf = pThis->ioBuf[0]; pThis->bStopWriter = 0; // TODO: detached thread? if(pthread_create(&pThis->writerThreadID, NULL, asyncWriterThread, pThis) != 0) dbgprintf("ERROR: stream %p cold not create writer thread\n", pThis); // TODO: remove that below later! CHKmalloc(pThis->pIOBuf = (uchar*) malloc(sizeof(uchar) * pThis->sIOBufSize)); } else { /* we work synchronously, so we need to alloc a fixed pIOBuf */ CHKmalloc(pThis->pIOBuf = (uchar*) malloc(sizeof(uchar) * pThis->sIOBufSize)); } finalize_it: RETiRet; } /* stop the writer thread (we MUST be runnnig asynchronously when this method * is called!) -- rgerhards, 2009-07-06 */ static inline void stopWriter(strm_t *pThis) { BEGINfunc d_pthread_mutex_lock(&pThis->mut); pThis->bStopWriter = 1; pthread_cond_signal(&pThis->notEmpty); d_pthread_cond_wait(&pThis->isEmpty, &pThis->mut); d_pthread_mutex_unlock(&pThis->mut); pthread_join(pThis->writerThreadID, NULL); ENDfunc } /* destructor for the strm object */ BEGINobjDestruct(strm) /* be sure to specify the object type also in END and CODESTART macros! */ int i; CODESTARTobjDestruct(strm) if(pThis->tOperationsMode != STREAMMODE_READ) strmFlush(pThis); /* ... then free resources */ if(pThis->fd != -1) strmCloseFile(pThis); if(pThis->iZipLevel) { /* do we need a zip buf? */ objRelease(zlibw, LM_ZLIBW_FILENAME); } free(pThis->pszDir); free(pThis->pZipBuf); free(pThis->pszCurrFName); free(pThis->pszFName); if(pThis->bAsyncWrite) { stopWriter(pThis); pthread_mutex_destroy(&pThis->mut); pthread_cond_destroy(&pThis->notFull); pthread_cond_destroy(&pThis->notEmpty); pthread_cond_destroy(&pThis->isEmpty); for(i = 0 ; i < STREAM_ASYNC_NUMBUFS ; ++i) { free(pThis->asyncBuf[i].pBuf); } } else { free(pThis->pIOBuf); } ENDobjDestruct(strm) /* check if we need to open a new file (in output mode only). * The decision is based on file size AND record delimition state. * This method may also be called on a closed file, in which case * it immediately returns. */ static rsRetVal strmCheckNextOutputFile(strm_t *pThis) { DEFiRet; if(pThis->fd == -1) FINALIZE; if(pThis->iCurrOffs >= pThis->iMaxFileSize) { dbgoprint((obj_t*) pThis, "max file size %ld reached for %d, now %ld - starting new file\n", (long) pThis->iMaxFileSize, pThis->fd, (long) pThis->iCurrOffs); CHKiRet(strmNextFile(pThis)); } finalize_it: RETiRet; } /* try to recover a tty after a write error. This may have happend * due to vhangup(), and, if so, we can simply re-open it. */ #ifdef linux # define ERR_TTYHUP EIO #else # define ERR_TTYHUP EBADF #endif static rsRetVal tryTTYRecover(strm_t *pThis, int err) { DEFiRet; ISOBJ_TYPE_assert(pThis, strm); if(err == ERR_TTYHUP) { close(pThis->fd); CHKiRet(doPhysOpen(pThis)); } finalize_it: RETiRet; } #undef ER_TTYHUP /* issue write() api calls until either the buffer is completely * written or an error occured (it may happen that multiple writes * are required, what is perfectly legal. On exit, *pLenBuf contains * the number of bytes actually written. * rgerhards, 2009-06-08 */ static rsRetVal doWriteCall(strm_t *pThis, uchar *pBuf, size_t *pLenBuf) { ssize_t lenBuf; ssize_t iTotalWritten; ssize_t iWritten; char *pWriteBuf; DEFiRet; ISOBJ_TYPE_assert(pThis, strm); lenBuf = *pLenBuf; pWriteBuf = (char*) pBuf; iTotalWritten = 0; do { iWritten = write(pThis->fd, pWriteBuf, lenBuf); if(iWritten < 0) { char errStr[1024]; int err = errno; rs_strerror_r(err, errStr, sizeof(errStr)); DBGPRINTF("log file (%d) write error %d: %s\n", pThis->fd, err, errStr); if(err == EINTR) { /*NO ERROR, just continue */; } else { if(pThis->bIsTTY) { CHKiRet(tryTTYRecover(pThis, err)); } else { ABORT_FINALIZE(RS_RET_IO_ERROR); /* Would it make sense to cover more error cases? So far, I * do not see good reason to do so. */ } } } /* advance buffer to next write position */ iTotalWritten += iWritten; lenBuf -= iWritten; pWriteBuf += iWritten; } while(lenBuf > 0); /* Warning: do..while()! */ dbgoprint((obj_t*) pThis, "file %d write wrote %d bytes\n", pThis->fd, (int) iWritten); finalize_it: *pLenBuf = iTotalWritten; RETiRet; } #include <stdio.h> /* This is the writer thread for asynchronous mode. * -- rgerhards, 2009-07-06 */ static void* asyncWriterThread(void *pPtr) { int iDeq; size_t iWritten; strm_t *pThis = (strm_t*) pPtr; ISOBJ_TYPE_assert(pThis, strm); BEGINfunc if(prctl(PR_SET_NAME, "rs:asyn strmwr", 0, 0, 0) != 0) { DBGPRINTF("prctl failed, not setting thread name for '%s'\n", "stream writer"); } fprintf(stderr, "async stream writer thread started\n");fflush(stderr); dbgprintf("TTT: writer thread startup\n"); while(1) { /* loop broken inside */ d_pthread_mutex_lock(&pThis->mut); while(pThis->iCnt == 0) { dbgprintf("TTT: writer thread empty queue, stopWriter=%d\n", pThis->bStopWriter); if(pThis->bStopWriter) { pthread_cond_signal(&pThis->isEmpty); d_pthread_mutex_unlock(&pThis->mut); goto finalize_it; /* break main loop */ } d_pthread_cond_wait(&pThis->notEmpty, &pThis->mut); } iDeq = pThis->iDeq++ % STREAM_ASYNC_NUMBUFS; iWritten = pThis->asyncBuf[iDeq].lenBuf; doWriteCall(pThis, pThis->asyncBuf[iDeq].pBuf, &iWritten); // TODO: error check!!!!! 2009-07-06 --pThis->iCnt; if(pThis->iCnt < STREAM_ASYNC_NUMBUFS) { pthread_cond_signal(&pThis->notFull); } d_pthread_mutex_unlock(&pThis->mut); } finalize_it: dbgprintf("TTT: writer thread shutdown\n"); ENDfunc return NULL; /* to keep pthreads happy */ } /* This function is called to "do" an async write call, what primarily means that * the data is handed over to the writer thread (which will then do the actual write * in parallel. -- rgerhards, 2009-07-06 */ static inline rsRetVal doAsyncWriteCall(strm_t *pThis, uchar *pBuf, size_t *pLenBuf) { int iEnq; DEFiRet; ISOBJ_TYPE_assert(pThis, strm); d_pthread_mutex_lock(&pThis->mut); while(pThis->iCnt >= STREAM_ASYNC_NUMBUFS) d_pthread_cond_wait(&pThis->notFull, &pThis->mut); iEnq = pThis->iEnq++ % STREAM_ASYNC_NUMBUFS; // TODO: optimize, memcopy only for getting it initially going! //pThis->asyncBuf[iEnq].pBuf = pBuf; memcpy(pThis->asyncBuf[iEnq].pBuf, pBuf, *pLenBuf); pThis->asyncBuf[iEnq].lenBuf = *pLenBuf; if(++pThis->iCnt == 1) pthread_cond_signal(&pThis->notEmpty); d_pthread_mutex_unlock(&pThis->mut); finalize_it: RETiRet; } /* sync the file to disk, so that any unwritten data is persisted. This * also syncs the directory and thus makes sure that the file survives * fatal failure. Note that we do NOT return an error status if the * sync fails. Doing so would probably cause more trouble than it * is worth (read: data loss may occur where we otherwise might not * have it). -- rgerhards, 2009-06-08 */ static rsRetVal syncFile(strm_t *pThis) { int ret; DEFiRet; if(pThis->bIsTTY) FINALIZE; /* TTYs can not be synced */ DBGPRINTF("syncing file %d\n", pThis->fd); ret = fdatasync(pThis->fd); if(ret != 0) { char errStr[1024]; int err = errno; rs_strerror_r(err, errStr, sizeof(errStr)); DBGPRINTF("sync failed for file %d with error (%d): %s - ignoring\n", pThis->fd, err, errStr); } if(pThis->fdDir != -1) { ret = fsync(pThis->fdDir); } finalize_it: RETiRet; } /* physically write to the output file. the provided data is ready for * writing (e.g. zipped if we are requested to do that). * Note that if the write() API fails, we do not reset any pointers, but return * an error code. That means we may redo work in the next iteration. * rgerhards, 2009-06-04 */ static rsRetVal strmPhysWrite(strm_t *pThis, uchar *pBuf, size_t lenBuf) { size_t iWritten; DEFiRet; ISOBJ_TYPE_assert(pThis, strm); if(pThis->fd == -1) CHKiRet(strmOpenFile(pThis)); iWritten = lenBuf; if(pThis->bAsyncWrite) { CHKiRet(doAsyncWriteCall(pThis, pBuf, &iWritten)); } else { CHKiRet(doWriteCall(pThis, pBuf, &iWritten)); } pThis->iBufPtr = 0; pThis->iCurrOffs += iWritten; /* update user counter, if provided */ if(pThis->pUsrWCntr != NULL) *pThis->pUsrWCntr += iWritten; if(pThis->bSync) { CHKiRet(syncFile(pThis)); } if(pThis->sType == STREAMTYPE_FILE_CIRCULAR) { CHKiRet(strmCheckNextOutputFile(pThis)); } else if(pThis->iSizeLimit != 0) { CHKiRet(doSizeLimitProcessing(pThis)); } finalize_it: RETiRet; } /* write the output buffer in zip mode * This means we compress it first and then do a physical write. * Note that we always do a full deflateInit ... deflate ... deflateEnd * sequence. While this is not optimal, we need to do it because we need * to ensure that the file is readable even when we are aborted. Doing the * full sequence brings us as far towards this goal as possible (and not * doing it would be a total failure). It may be worth considering to * add a config switch so that the user can decide the risk he is ready * to take, but so far this is not yet implemented (not even requested ;)). * rgerhards, 2009-06-04 */ static rsRetVal doZipWrite(strm_t *pThis, uchar *pBuf, size_t lenBuf) { z_stream zstrm; int zRet; /* zlib return state */ DEFiRet; assert(pThis != NULL); assert(pBuf != NULL); /* allocate deflate state */ zstrm.zalloc = Z_NULL; zstrm.zfree = Z_NULL; zstrm.opaque = Z_NULL; /* see note in file header for the params we use with deflateInit2() */ zRet = zlibw.DeflateInit2(&zstrm, pThis->iZipLevel, Z_DEFLATED, 31, 9, Z_DEFAULT_STRATEGY); if(zRet != Z_OK) { dbgprintf("error %d returned from zlib/deflateInit2()\n", zRet); ABORT_FINALIZE(RS_RET_ZLIB_ERR); } /* now doing the compression */ zstrm.avail_in = lenBuf; zstrm.next_in = (Bytef*) pBuf; /* run deflate() on input until output buffer not full, finish compression if all of source has been read in */ do { dbgprintf("in deflate() loop, avail_in %d, total_in %ld\n", zstrm.avail_in, zstrm.total_in); zstrm.avail_out = pThis->sIOBufSize; zstrm.next_out = pThis->pZipBuf; zRet = zlibw.Deflate(&zstrm, Z_FINISH); /* no bad return value */ dbgprintf("after deflate, ret %d, avail_out %d\n", zRet, zstrm.avail_out); assert(zRet != Z_STREAM_ERROR); /* state not clobbered */ CHKiRet(strmPhysWrite(pThis, (uchar*)pThis->pZipBuf, pThis->sIOBufSize - zstrm.avail_out)); } while (zstrm.avail_out == 0); assert(zstrm.avail_in == 0); /* all input will be used */ zRet = zlibw.DeflateEnd(&zstrm); if(zRet != Z_OK) { dbgprintf("error %d returned from zlib/deflateEnd()\n", zRet); ABORT_FINALIZE(RS_RET_ZLIB_ERR); } finalize_it: RETiRet; } /* write memory buffer to a stream object. * To support direct writes of large objects, this method may be called * with a buffer pointing to some region other than the stream buffer itself. * However, in that case the stream buffer must be empty (strmFlush() has to * be called before), because we would otherwise mess up with the sequence * inside the stream. -- rgerhards, 2008-01-10 */ static rsRetVal strmWriteInternal(strm_t *pThis, uchar *pBuf, size_t lenBuf) { DEFiRet; ASSERT(pThis != NULL); ASSERT(pBuf == pThis->pIOBuf || pThis->iBufPtr == 0); if(pThis->iZipLevel) { CHKiRet(doZipWrite(pThis, pBuf, lenBuf)); } else { /* write without zipping */ CHKiRet(strmPhysWrite(pThis, pBuf, lenBuf)); } finalize_it: RETiRet; } /* flush stream output buffer to persistent storage. This can be called at any time * and is automatically called when the output buffer is full. * rgerhards, 2008-01-10 */ static rsRetVal strmFlush(strm_t *pThis) { DEFiRet; ASSERT(pThis != NULL); dbgoprint((obj_t*) pThis, "file %d flush, buflen %ld\n", pThis->fd, (long) pThis->iBufPtr); if(pThis->tOperationsMode != STREAMMODE_READ && pThis->iBufPtr > 0) { iRet = strmWriteInternal(pThis, pThis->pIOBuf, pThis->iBufPtr); } RETiRet; } /* seek a stream to a specific location. Pending writes are flushed, read data * is invalidated. * rgerhards, 2008-01-12 */ static rsRetVal strmSeek(strm_t *pThis, off_t offs) { DEFiRet; ISOBJ_TYPE_assert(pThis, strm); if(pThis->fd == -1) strmOpenFile(pThis); else strmFlush(pThis); int i; dbgoprint((obj_t*) pThis, "file %d seek, pos %ld\n", pThis->fd, (long) offs); i = lseek(pThis->fd, offs, SEEK_SET); // TODO: check error! pThis->iCurrOffs = offs; /* we are now at *this* offset */ pThis->iBufPtr = 0; /* buffer invalidated */ RETiRet; } /* seek to current offset. This is primarily a helper to readjust the OS file * pointer after a strm object has been deserialized. */ static rsRetVal strmSeekCurrOffs(strm_t *pThis) { DEFiRet; ISOBJ_TYPE_assert(pThis, strm); iRet = strmSeek(pThis, pThis->iCurrOffs); RETiRet; } /* write a *single* character to a stream object -- rgerhards, 2008-01-10 */ static rsRetVal strmWriteChar(strm_t *pThis, uchar c) { DEFiRet; ASSERT(pThis != NULL); /* if the buffer is full, we need to flush before we can write */ if(pThis->iBufPtr == pThis->sIOBufSize) { CHKiRet(strmFlush(pThis)); } /* we now always have space for one character, so we simply copy it */ *(pThis->pIOBuf + pThis->iBufPtr) = c; pThis->iBufPtr++; finalize_it: RETiRet; } /* write an integer value (actually a long) to a stream object */ static rsRetVal strmWriteLong(strm_t *pThis, long i) { DEFiRet; uchar szBuf[32]; ASSERT(pThis != NULL); CHKiRet(srUtilItoA((char*)szBuf, sizeof(szBuf), i)); CHKiRet(strmWrite(pThis, szBuf, strlen((char*)szBuf))); finalize_it: RETiRet; } /* write memory buffer to a stream object */ static rsRetVal strmWrite(strm_t *pThis, uchar *pBuf, size_t lenBuf) { DEFiRet; size_t iPartial; ASSERT(pThis != NULL); ASSERT(pBuf != NULL); dbgprintf("strmWrite(%p, '%65.65s', %ld);, disabled %d, sizelim %ld, size %lld\n", pThis, pBuf,lenBuf, pThis->bDisabled, pThis->iSizeLimit, pThis->iCurrOffs); if(pThis->bDisabled) ABORT_FINALIZE(RS_RET_STREAM_DISABLED); /* check if the to-be-written data is larger than our buffer size */ if(lenBuf >= pThis->sIOBufSize) { /* it is - so we do a direct write, that is most efficient. * TODO: is it really? think about disk block sizes! */ CHKiRet(strmFlush(pThis)); /* we need to flush first!!! */ CHKiRet(strmWriteInternal(pThis, pBuf, lenBuf)); } else { /* data fits into a buffer - we just need to see if it * fits into the current buffer... */ if(pThis->iBufPtr + lenBuf > pThis->sIOBufSize) { /* nope, so we must split it */ iPartial = pThis->sIOBufSize - pThis->iBufPtr; /* this fits in current buf */ if(iPartial > 0) { /* the buffer was exactly full, can not write anything! */ memcpy(pThis->pIOBuf + pThis->iBufPtr, pBuf, iPartial); pThis->iBufPtr += iPartial; } CHKiRet(strmFlush(pThis)); /* get a new buffer for rest of data */ memcpy(pThis->pIOBuf, pBuf + iPartial, lenBuf - iPartial); pThis->iBufPtr = lenBuf - iPartial; } else { /* we have space, so we simply copy over the string */ memcpy(pThis->pIOBuf + pThis->iBufPtr, pBuf, lenBuf); pThis->iBufPtr += lenBuf; } } finalize_it: RETiRet; } /* property set methods */ /* simple ones first */ DEFpropSetMeth(strm, bDeleteOnClose, int) DEFpropSetMeth(strm, iMaxFileSize, int) DEFpropSetMeth(strm, iFileNumDigits, int) DEFpropSetMeth(strm, tOperationsMode, int) DEFpropSetMeth(strm, tOpenMode, mode_t) DEFpropSetMeth(strm, sType, strmType_t) DEFpropSetMeth(strm, iZipLevel, int) DEFpropSetMeth(strm, bSync, int) DEFpropSetMeth(strm, sIOBufSize, size_t) DEFpropSetMeth(strm, iSizeLimit, off_t) DEFpropSetMeth(strm, iFlushInterval, int) DEFpropSetMeth(strm, pszSizeLimitCmd, uchar*) static rsRetVal strmSetiMaxFiles(strm_t *pThis, int iNewVal) { pThis->iMaxFiles = iNewVal; pThis->iFileNumDigits = getNumberDigits(iNewVal); return RS_RET_OK; } /* set the stream's file prefix * The passed-in string is duplicated. So if the caller does not need * it any longer, it must free it. * rgerhards, 2008-01-09 */ static rsRetVal strmSetFName(strm_t *pThis, uchar *pszName, size_t iLenName) { DEFiRet; ASSERT(pThis != NULL); ASSERT(pszName != NULL); if(iLenName < 1) ABORT_FINALIZE(RS_RET_FILE_PREFIX_MISSING); if(pThis->pszFName != NULL) free(pThis->pszFName); if((pThis->pszFName = malloc(sizeof(uchar) * (iLenName + 1))) == NULL) ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY); memcpy(pThis->pszFName, pszName, iLenName + 1); /* always think about the \0! */ pThis->lenFName = iLenName; finalize_it: RETiRet; } /* set the stream's directory * The passed-in string is duplicated. So if the caller does not need * it any longer, it must free it. * rgerhards, 2008-01-09