/**
* Drop privileges.
*
*/
static ods_status
engine_privdrop(engine_type* engine)
{
ods_status status = ODS_STATUS_OK;
uid_t uid = -1;
gid_t gid = -1;
ods_log_assert(engine);
ods_log_assert(engine->config);
ods_log_debug("[%s] drop privileges", engine_str);
if (engine->config->username && engine->config->group) {
ods_log_verbose("[%s] drop privileges to user %s, group %s",
engine_str, engine->config->username, engine->config->group);
} else if (engine->config->username) {
ods_log_verbose("[%s] drop privileges to user %s", engine_str,
engine->config->username);
} else if (engine->config->group) {
ods_log_verbose("[%s] drop privileges to group %s", engine_str,
engine->config->group);
}
if (engine->config->chroot) {
ods_log_verbose("[%s] chroot to %s", engine_str,
engine->config->chroot);
}
status = privdrop(engine->config->username, engine->config->group,
engine->config->chroot, &uid, &gid);
engine->uid = uid;
engine->gid = gid;
privclose(engine->config->username, engine->config->group);
return status;
}
/**
* Update serial.
*
*/
ods_status
zone_update_serial(zone_type* zone)
{
ods_status status = ODS_STATUS_OK;
rrset_type* rrset = NULL;
rr_type* soa = NULL;
ldns_rr* rr = NULL;
ldns_rdf* soa_rdata = NULL;
ods_log_assert(zone);
ods_log_assert(zone->apex);
ods_log_assert(zone->name);
ods_log_assert(zone->db);
ods_log_assert(zone->signconf);
if (zone->db->serial_updated) {
/* already done, unmark and return ok */
ods_log_debug("[%s] zone %s soa serial already up to date",
zone_str, zone->name);
zone->db->serial_updated = 0;
return ODS_STATUS_OK;
}
rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_SOA);
ods_log_assert(rrset);
ods_log_assert(rrset->rrs);
ods_log_assert(rrset->rrs[0].rr);
rr = ldns_rr_clone(rrset->rrs[0].rr);
if (!rr) {
ods_log_error("[%s] unable to update zone %s soa serial: failed to "
"clone soa rr", zone_str, zone->name);
return ODS_STATUS_ERR;
}
status = namedb_update_serial(zone->db, zone->signconf->soa_serial,
zone->db->inbserial);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to update zone %s soa serial: %s",
zone_str, zone->name, ods_status2str(status));
ldns_rr_free(rr);
return status;
}
ods_log_verbose("[%s] zone %s set soa serial to %u", zone_str,
zone->name, zone->db->intserial);
soa_rdata = ldns_rr_set_rdf(rr,
ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
zone->db->intserial), SE_SOA_RDATA_SERIAL);
if (soa_rdata) {
ldns_rdf_deep_free(soa_rdata);
soa_rdata = NULL;
} else {
ods_log_error("[%s] unable to update zone %s soa serial: failed to "
"replace soa serial rdata", zone_str, zone->name);
ldns_rr_free(rr);
return ODS_STATUS_ERR;
}
soa = rrset_add_rr(rrset, rr);
ods_log_assert(soa);
rrset_diff(rrset, 0, 0);
zone->db->serial_updated = 0;
return ODS_STATUS_OK;
}
/**
* Worker working with...
*
*/
static void
worker_working_with(worker_type* worker, task_id with, task_id next,
const char* str, const char* name, task_id* what, time_t* when)
{
worker->working_with = with;
ods_log_verbose("[%s[%i]] %s zone %s", worker2str(worker->type),
worker->thread_num, str, name);
*what = next;
*when = time_now();
return;
}
/**
* Handle notify.
*
*/
static void
notify_handle_zone(netio_type* ATTR_UNUSED(netio),
netio_handler_type* handler, netio_events_type event_types)
{
notify_type* notify = NULL;
xfrhandler_type* xfrhandler = NULL;
zone_type* zone = NULL;
if (!handler) {
return;
}
notify = (notify_type*) handler->user_data;
ods_log_assert(notify);
xfrhandler = (xfrhandler_type*) notify->xfrhandler;
zone = (zone_type*) notify->zone;
ods_log_assert(xfrhandler);
ods_log_assert(zone);
ods_log_assert(zone->name);
ods_log_debug("[%s] handle notify for zone %s", notify_str, zone->name);
if (notify->is_waiting) {
ods_log_debug("[%s] already waiting, skipping notify for zone %s",
notify_str, zone->name);
ods_log_assert(notify->handler.fd == -1);
return;
}
if (event_types & NETIO_EVENT_READ) {
ods_log_debug("[%s] read notify ok for zone %s", notify_str,
zone->name);
ods_log_assert(notify->handler.fd != -1);
if (notify_udp_read_packet(notify)) {
if (notify_handle_reply(notify)) {
notify_next(notify);
}
}
} else if(event_types & NETIO_EVENT_TIMEOUT) {
ods_log_debug("[%s] notify timeout for zone %s", notify_str,
zone->name);
/* timeout, try again */
}
/* see if notify is still enabled */
if (notify->secondary) {
ods_log_assert(notify->secondary->address);
notify->retry++;
if (notify->retry > NOTIFY_MAX_RETRY) {
ods_log_verbose("[%s] notify max retry for zone %s, %s unreachable",
notify_str, zone->name, notify->secondary->address);
notify_next(notify);
} else {
notify_send(notify);
}
}
return;
}
/**
* Process DNSKEY.
*
*/
static void
adapi_process_dnskey(zone_type* zone, ldns_rr* rr)
{
uint32_t tmp = 0;
ods_log_assert(rr);
ods_log_assert(zone);
ods_log_assert(zone->name);
ods_log_assert(zone->signconf);
tmp = (uint32_t) duration2time(zone->signconf->dnskey_ttl);
ods_log_verbose("[%s] zone %s set dnskey ttl to %u",
adapi_str, zone->name, tmp);
ldns_rr_set_ttl(rr, tmp);
}
/**
* Start engine.
*
*/
engine_type *
engine_start(const char* cfgfile, int cmdline_verbosity, int daemonize,
int info)
{
engine_type* engine = NULL;
int use_syslog = 0;
ods_status status = ODS_STATUS_OK;
ods_log_assert(cfgfile);
ods_log_init(NULL, use_syslog, cmdline_verbosity);
ods_log_verbose("[%s] starting enforcer", engine_str);
/* initialize */
xmlInitGlobals();
xmlInitParser();
xmlInitThreads();
engine = engine_create();
if (!engine) {
ods_fatal_exit("[%s] create failed", engine_str);
return NULL;
}
engine->daemonize = daemonize;
/* config */
engine->config = engine_config(engine->allocator, cfgfile,
cmdline_verbosity);
status = engine_config_check(engine->config);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] cfgfile %s has errors", engine_str, cfgfile);
engine_stop(engine);
return NULL;
}
if (info) {
engine_config_print(stdout, engine->config); /* for debugging */
engine_stop(engine);
return NULL;
}
/* open log */
ods_log_init(engine->config->log_filename, engine->config->use_syslog,
engine->config->verbosity);
/* setup */
tzset(); /* for portability */
/* initialize protobuf and protobuf-orm */
ods_protobuf_initialize();
ods_orm_initialize();
return engine;
}
static int
run_flush(int sockfd, cmdhandler_ctx_type* context, const char *cmd)
{
engine_type* engine = getglobalcontext(context);
(void)cmd;
ods_log_debug("[%s] flush tasks command", module_str);
ods_log_assert(engine);
ods_log_assert(engine->taskq);
schedule_flush(engine->taskq);
client_printf(sockfd, "All tasks scheduled immediately.\n");
ods_log_verbose("[cmdhandler] all tasks scheduled immediately");
return 0;
}
/**
* Read a zonelist file.
*
*/
static ods_status
zonelist_read(zonelist_type* zl, const char* zlfile)
{
const char* rngfile = ODS_SE_RNGDIR "/zonelist.rng";
ods_status status = ODS_STATUS_OK;
ods_log_assert(zlfile);
ods_log_verbose("[%s] read file %s", zl_str, zlfile);
status = parse_file_check(zlfile, rngfile);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to read file: parse error in %s", zl_str,
zlfile);
return status;
}
return parse_zonelist_zones((struct zonelist_struct*) zl, zlfile);
}
/**
* Load signer configuration for zone.
*
*/
ods_status
zone_load_signconf(zone_type* zone, signconf_type** new_signconf)
{
ods_status status = ODS_STATUS_OK;
signconf_type* signconf = NULL;
char* datestamp = NULL;
if (!zone || !zone->name || !zone->signconf) {
return ODS_STATUS_ASSERT_ERR;
}
if (!zone->signconf_filename) {
ods_log_warning("[%s] zone %s has no signconf filename, treat as "
"insecure?", zone_str, zone->name);
return ODS_STATUS_INSECURE;
}
status = signconf_update(&signconf, zone->signconf_filename,
zone->signconf->last_modified);
if (status == ODS_STATUS_OK) {
if (!signconf) {
/* this is unexpected */
ods_log_alert("[%s] unable to load signconf for zone %s: signconf "
"status ok but no signconf stored", zone_str, zone->name);
return ODS_STATUS_ASSERT_ERR;
}
(void)time_datestamp(signconf->last_modified, "%Y-%m-%d %T",
&datestamp);
ods_log_debug("[%s] zone %s signconf file %s is modified since %s",
zone_str, zone->name, zone->signconf_filename,
datestamp?datestamp:"Unknown");
free((void*)datestamp);
*new_signconf = signconf;
} else if (status == ODS_STATUS_UNCHANGED) {
(void)time_datestamp(zone->signconf->last_modified,
"%Y-%m-%d %T", &datestamp);
ods_log_verbose("[%s] zone %s signconf file %s is unchanged since "
"%s", zone_str, zone->name, zone->signconf_filename,
datestamp?datestamp:"Unknown");
free((void*)datestamp);
} else {
ods_log_error("[%s] unable to load signconf for zone %s: signconf %s "
"%s", zone_str, zone->name, zone->signconf_filename,
ods_status2str(status));
}
return status;
}
/**
* Send notify.
*
*/
void
notify_send(notify_type* notify)
{
xfrhandler_type* xfrhandler = NULL;
zone_type* zone = NULL;
ods_log_assert(notify);
ods_log_assert(notify->secondary);
ods_log_assert(notify->secondary->address);
xfrhandler = (xfrhandler_type*) notify->xfrhandler;
zone = (zone_type*) notify->zone;
ods_log_assert(xfrhandler);
ods_log_assert(zone);
ods_log_assert(zone->name);
if (notify->handler.fd != -1) {
close(notify->handler.fd);
}
notify->handler.fd = -1;
notify->timeout.tv_sec = notify_time(notify) + NOTIFY_RETRY_TIMEOUT;
buffer_pkt_notify(xfrhandler->packet, zone->apex, LDNS_RR_CLASS_IN);
notify->query_id = buffer_pkt_id(xfrhandler->packet);
buffer_pkt_set_aa(xfrhandler->packet);
/* add current SOA to answer section */
if (notify->soa) {
if (buffer_write_rr(xfrhandler->packet, notify->soa)) {
buffer_pkt_set_ancount(xfrhandler->packet, 1);
}
}
if (notify->secondary->tsig) {
notify_tsig_sign(notify, xfrhandler->packet);
}
buffer_flip(xfrhandler->packet);
notify->handler.fd = notify_send_udp(notify, xfrhandler->packet);
if (notify->handler.fd == -1) {
ods_log_error("[%s] unable to send notify retry %u for zone %s to "
"%s: notify_send_udp() failed", notify_str, notify->retry,
zone->name, notify->secondary->address);
return;
}
ods_log_verbose("[%s] notify retry %u for zone %s sent to %s", notify_str,
notify->retry, zone->name, notify->secondary->address);
return;
}
/**
* Initialize logging.
*
*/
void
ods_log_init(const char *filename, int use_syslog, int verbosity)
{
#ifdef HAVE_SYSLOG_H
int facility;
#endif /* HAVE_SYSLOG_H */
ods_log_verbose("[%s] switching log to %s verbosity %i (log level %i)",
log_str, use_syslog?"syslog":(filename&&filename[0]?filename:"stderr"),
verbosity, verbosity+2);
if (logfile && logfile != stderr) {
ods_fclose(logfile);
}
log_level = verbosity + 2;
#ifdef HAVE_SYSLOG_H
if(logging_to_syslog) {
closelog();
logging_to_syslog = 0;
}
if(use_syslog) {
facility = ods_log_get_facility(filename);
openlog(MY_PACKAGE_TARNAME, LOG_NDELAY, facility);
logging_to_syslog = 1;
return;
}
#endif /* HAVE_SYSLOG_H */
if(filename && filename[0]) {
logfile = ods_fopen(filename, NULL, "a");
if (logfile) {
ods_log_debug("[%s] new logfile %s", log_str, filename);
return;
}
logfile = stderr;
ods_log_warning("[%s] cannot open %s for appending, logging to "
"stderr", log_str, filename);
} else {
logfile = stderr;
}
return;
}
/**
* Reschedule task for zone.
*
*/
ods_status
zone_reschedule_task(zone_type* zone, schedule_type* taskq, task_id what)
{
task_type* task = NULL;
ods_status status = ODS_STATUS_OK;
ods_log_assert(taskq);
ods_log_assert(zone);
ods_log_assert(zone->name);
ods_log_assert(zone->task);
ods_log_debug("[%s] reschedule task for zone %s", zone_str, zone->name);
lock_basic_lock(&taskq->schedule_lock);
task = unschedule_task(taskq, (task_type*) zone->task);
if (task != NULL) {
if (task->what != what) {
task->halted = task->what;
task->halted_when = task->when;
task->interrupt = what;
}
/** Only reschedule if what to do is lower than what was scheduled. */
if (task->what > what) {
task->what = what;
}
task->when = time_now();
status = schedule_task(taskq, task, 0);
} else {
/* task not queued, being worked on? */
ods_log_verbose("[%s] unable to reschedule task for zone %s now: "
"task is not queued (task will be rescheduled when it is put "
"back on the queue)", zone_str, zone->name);
task = (task_type*) zone->task;
task->interrupt = what;
/* task->halted(_when) set by worker */
}
lock_basic_unlock(&taskq->schedule_lock);
zone->task = task;
return status;
}
/**
* Perform task.
*
*/
static void
worker_perform_task(worker_type* worker)
{
engine_type* engine = NULL;
zone_type* zone = NULL;
task_type* task = NULL;
task_id what = TASK_NONE;
time_t when = 0;
time_t never = (3600*24*365);
ods_status status = ODS_STATUS_OK;
int backup = 0;
time_t start = 0;
time_t end = 0;
if (!worker || !worker->task || !worker->task->zone || !worker->engine) {
return;
}
engine = (engine_type*) worker->engine;
task = (task_type*) worker->task;
zone = (zone_type*) worker->task->zone;
ods_log_debug("[%s[%i]] perform task %s for zone %s at %u",
worker2str(worker->type), worker->thread_num, task_what2str(task->what),
task_who2str(task), (uint32_t) worker->clock_in);
/* do what you have been told to do */
switch (task->what) {
case TASK_SIGNCONF:
/* perform 'load signconf' task */
worker_working_with(worker, TASK_SIGNCONF, TASK_READ,
"configure", task_who2str(task), &what, &when);
status = tools_signconf(zone);
if (status == ODS_STATUS_UNCHANGED) {
if (!zone->signconf->last_modified) {
ods_log_debug("[%s[%i]] no signconf.xml for zone %s yet",
worker2str(worker->type), worker->thread_num,
task_who2str(task));
status = ODS_STATUS_ERR;
}
}
if (status == ODS_STATUS_UNCHANGED) {
if (task->halted != TASK_NONE && task->halted != TASK_SIGNCONF) {
goto task_perform_continue;
}
status = ODS_STATUS_OK;
} else if (status == ODS_STATUS_OK) {
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
} else {
if (task->halted == TASK_NONE) {
goto task_perform_fail;
}
goto task_perform_continue;
}
/* break; */
case TASK_READ:
/* perform 'read input adapter' task */
worker_working_with(worker, TASK_READ, TASK_SIGN,
"read", task_who2str(task), &what, &when);
task->what = TASK_READ;
if (!zone->signconf->last_modified) {
ods_log_debug("[%s[%i]] no signconf.xml for zone %s yet",
worker2str(worker->type), worker->thread_num,
task_who2str(task));
status = ODS_STATUS_ERR;
} else {
lhsm_check_connection((void*)engine);
status = tools_input(zone);
}
if (status == ODS_STATUS_UNCHANGED) {
ods_log_verbose("[%s[%i]] zone %s unsigned data not changed, "
"continue", worker2str(worker->type), worker->thread_num,
task_who2str(task));
status = ODS_STATUS_OK;
}
if (status == ODS_STATUS_OK) {
if (task->interrupt > TASK_SIGNCONF) {
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
}
} else {
if (task->halted == TASK_NONE) {
goto task_perform_fail;
}
goto task_perform_continue;
}
/* break; */
case TASK_SIGN:
/* perform 'sign' task */
worker_working_with(worker, TASK_SIGN, TASK_WRITE,
"sign", task_who2str(task), &what, &when);
task->what = TASK_SIGN;
status = zone_update_serial(zone);
if (status == ODS_STATUS_OK) {
if (task->interrupt > TASK_SIGNCONF) {
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
}
} else {
ods_log_error("[%s[%i]] unable to sign zone %s: "
"failed to increment serial",
worker2str(worker->type), worker->thread_num,
task_who2str(task));
if (task->halted == TASK_NONE) {
goto task_perform_fail;
}
goto task_perform_continue;
}
/* start timer */
start = time(NULL);
if (zone->stats) {
lock_basic_lock(&zone->stats->stats_lock);
if (!zone->stats->start_time) {
zone->stats->start_time = start;
}
zone->stats->sig_count = 0;
zone->stats->sig_soa_count = 0;
zone->stats->sig_reuse = 0;
zone->stats->sig_time = 0;
lock_basic_unlock(&zone->stats->stats_lock);
}
/* check the HSM connection before queuing sign operations */
lhsm_check_connection((void*)engine);
/* queue menial, hard signing work */
worker_queue_zone(worker, engine->signq, zone);
ods_log_deeebug("[%s[%i]] wait until drudgers are finished "
"signing zone %s", worker2str(worker->type), worker->thread_num,
task_who2str(task));
/* sleep until work is done */
worker_sleep_unless(worker, 0);
/* stop timer */
end = time(NULL);
status = worker_check_jobs(worker, task);
worker_clear_jobs(worker);
if (status == ODS_STATUS_OK && zone->stats) {
lock_basic_lock(&zone->stats->stats_lock);
zone->stats->sig_time = (end-start);
lock_basic_unlock(&zone->stats->stats_lock);
}
if (status != ODS_STATUS_OK) {
if (task->halted == TASK_NONE) {
goto task_perform_fail;
}
goto task_perform_continue;
} else {
if (task->interrupt > TASK_SIGNCONF) {
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
}
}
/* break; */
case TASK_WRITE:
/* perform 'write to output adapter' task */
worker_working_with(worker, TASK_WRITE, TASK_SIGN,
"write", task_who2str(task), &what, &when);
task->what = TASK_WRITE;
status = tools_output(zone, engine);
if (status == ODS_STATUS_OK) {
if (task->interrupt > TASK_SIGNCONF) {
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
}
} else {
/* clear signatures? */
if (task->halted == TASK_NONE) {
goto task_perform_fail;
}
goto task_perform_continue;
}
zone->db->is_processed = 1;
if (zone->signconf &&
duration2time(zone->signconf->sig_resign_interval)) {
what = TASK_SIGN;
when = worker->clock_in +
duration2time(zone->signconf->sig_resign_interval);
} else {
ods_log_error("[%s[%i]] unable to retrieve resign interval "
"for zone %s: duration2time() failed",
worker2str(worker->type), worker->thread_num,
task_who2str(task));
ods_log_info("[%s[%i]] defaulting to 1H resign interval for "
"zone %s", worker2str(worker->type), worker->thread_num,
task_who2str(task));
what = TASK_SIGN;
when = worker->clock_in + 3600;
}
backup = 1;
break;
case TASK_NONE:
worker->working_with = TASK_NONE;
/* no task */
ods_log_warning("[%s[%i]] none task for zone %s",
worker2str(worker->type), worker->thread_num,
task_who2str(task));
when = time_now() + never;
break;
default:
worker->working_with = TASK_NONE;
/* unknown task */
ods_log_warning("[%s[%i]] unknown task, trying full sign zone %s",
worker2str(worker->type), worker->thread_num,
task_who2str(task));
what = TASK_SIGNCONF;
when = time_now();
break;
}
/* no error */
task->backoff = 0;
if (task->interrupt != TASK_NONE && task->interrupt != what) {
ods_log_debug("[%s[%i]] interrupt task %s for zone %s",
worker2str(worker->type), worker->thread_num,
task_what2str(what), task_who2str(task));
task->halted = what;
task->halted_when = when;
task->what = task->interrupt;
task->when = time_now();
} else {
ods_log_debug("[%s[%i]] next task %s for zone %s",
worker2str(worker->type), worker->thread_num,
task_what2str(what), task_who2str(task));
task->what = what;
task->when = when;
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
task->halted_when = 0;
}
/* backup the last successful run */
if (backup) {
status = zone_backup2(zone);
if (status != ODS_STATUS_OK) {
ods_log_warning("[%s[%i]] unable to backup zone %s: %s",
worker2str(worker->type), worker->thread_num,
task_who2str(task), ods_status2str(status));
/* just a warning */
status = ODS_STATUS_OK;
}
backup = 0;
}
return;
task_perform_fail:
if (status != ODS_STATUS_XFR_NOT_READY) {
/* other statuses is critical, and we know it is not ODS_STATUS_OK */
ods_log_crit("[%s[%i]] CRITICAL: failed to sign zone %s: %s",
worker2str(worker->type), worker->thread_num,
task_who2str(task), ods_status2str(status));
}
/* in case of failure, also mark zone processed (for single run usage) */
zone->db->is_processed = 1;
if (task->backoff) {
task->backoff *= 2;
} else {
task->backoff = 60;
}
if (task->backoff > ODS_SE_MAX_BACKOFF) {
task->backoff = ODS_SE_MAX_BACKOFF;
}
ods_log_info("[%s[%i]] backoff task %s for zone %s with %u seconds",
worker2str(worker->type), worker->thread_num,
task_what2str(task->what), task_who2str(task), task->backoff);
task->when = time_now() + task->backoff;
return;
task_perform_continue:
ods_log_info("[%s[%i]] continue task %s for zone %s",
worker2str(worker->type), worker->thread_num,
task_what2str(task->halted), task_who2str(task));
task->what = task->halted;
task->when = task->halted_when;
task->interrupt = TASK_NONE;
task->halted = TASK_NONE;
task->halted_when = 0;
return;
}
/**
* Read IXFR from file.
*
*/
static ods_status
addns_read_file(FILE* fd, zone_type* zone)
{
ldns_rr* rr = NULL;
uint32_t new_serial = 0;
uint32_t old_serial = 0;
uint32_t tmp_serial = 0;
ldns_rdf* prev = NULL;
ldns_rdf* orig = NULL;
ldns_rdf* dname = NULL;
uint32_t ttl = 0;
size_t rr_count = 0;
ods_status result = ODS_STATUS_OK;
ldns_status status = LDNS_STATUS_OK;
char line[SE_ADFILE_MAXLINE];
unsigned is_axfr = 0;
unsigned del_mode = 0;
unsigned soa_seen = 0;
unsigned line_update_interval = 100000;
unsigned line_update = line_update_interval;
unsigned l = 0;
ods_log_assert(fd);
ods_log_assert(zone);
/* $ORIGIN <zone name> */
dname = adapi_get_origin(zone);
if (!dname) {
ods_log_error("[%s] error getting default value for $ORIGIN",
adapter_str);
return ODS_STATUS_ERR;
}
orig = ldns_rdf_clone(dname);
if (!orig) {
ods_log_error("[%s] error setting default value for $ORIGIN",
adapter_str);
return ODS_STATUS_ERR;
}
/* $TTL <default ttl> */
ttl = adapi_get_ttl(zone);
/* read RRs */
while ((rr = addns_read_rr(fd, line, &orig, &prev, &ttl, &status, &l))
!= NULL) {
/* check status */
if (status != LDNS_STATUS_OK) {
ods_log_error("[%s] error reading RR at line %i (%s): %s",
adapter_str, l, ldns_get_errorstr_by_id(status), line);
result = ODS_STATUS_ERR;
break;
}
/* debug update */
if (l > line_update) {
ods_log_debug("[%s] ...at line %i: %s", adapter_str, l, line);
line_update += line_update_interval;
}
/* first RR: check if SOA and correct zone & serialno */
if (rr_count == 0) {
rr_count++;
if (ldns_rr_get_type(rr) != LDNS_RR_TYPE_SOA) {
ods_log_error("[%s] bad xfr, first rr is not soa",
adapter_str);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
break;
}
soa_seen++;
if (ldns_dname_compare(ldns_rr_owner(rr), zone->apex)) {
ods_log_error("[%s] bad xfr, soa dname not equal to zone "
"dname %s", adapter_str, zone->name);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
break;
}
tmp_serial =
ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
old_serial = adapi_get_serial(zone);
if (!util_serial_gt(tmp_serial, old_serial)) {
ods_log_info("[%s] zone %s is already up to date, have "
"serial %u, got serial %u", adapter_str, zone->name,
old_serial, tmp_serial);
new_serial = tmp_serial;
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_UNCHANGED;
break;
}
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_OK;
continue;
}
/* second RR: if not soa, this is an AXFR */
if (rr_count == 1) {
if (ldns_rr_get_type(rr) != LDNS_RR_TYPE_SOA) {
ods_log_verbose("[%s] detected axfr serial=%u for zone %s",
adapter_str, tmp_serial, zone->name);
new_serial = tmp_serial;
is_axfr = 1;
del_mode = 0;
} else {
ods_log_verbose("[%s] detected ixfr serial=%u for zone %s",
adapter_str, tmp_serial, zone->name);
new_serial = tmp_serial;
tmp_serial =
ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
ldns_rr_free(rr);
rr = NULL;
rr_count++;
if (tmp_serial < new_serial) {
del_mode = 1;
result = ODS_STATUS_OK;
continue;
} else {
ods_log_error("[%s] bad xfr for zone %s, bad soa serial",
adapter_str, zone->name);
result = ODS_STATUS_ERR;
break;
}
}
}
/* soa means swap */
rr_count++;
if (ldns_rr_get_type(rr) == LDNS_RR_TYPE_SOA) {
if (!is_axfr) {
tmp_serial =
ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
if (tmp_serial <= new_serial) {
if (tmp_serial == new_serial) {
soa_seen++;
}
del_mode = !del_mode;
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_OK;
continue;
} else {
ods_log_assert(tmp_serial > new_serial);
ods_log_error("[%s] bad xfr for zone %s, bad soa serial",
adapter_str, zone->name);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_ERR;
break;
}
} else {
/* for axfr */
soa_seen++;
}
}
/* [add to/remove from] the zone */
if (!is_axfr && del_mode) {
ods_log_debug("[%s] delete RR #%i at line %i: %s",
adapter_str, rr_count, l, line);
result = adapi_del_rr(zone, rr, 0);
ldns_rr_free(rr);
rr = NULL;
} else {
ods_log_debug("[%s] add RR #%i at line %i: %s",
adapter_str, rr_count, l, line);
result = adapi_add_rr(zone, rr, 0);
}
if (result == ODS_STATUS_UNCHANGED) {
ods_log_debug("[%s] skipping RR at line %i (%s): %s",
adapter_str, l, del_mode?"not found":"duplicate", line);
ldns_rr_free(rr);
rr = NULL;
result = ODS_STATUS_OK;
continue;
} else if (result != ODS_STATUS_OK) {
ods_log_error("[%s] error %s RR at line %i: %s",
adapter_str, del_mode?"deleting":"adding", l, line);
ldns_rr_free(rr);
rr = NULL;
break;
}
}
/* and done */
if (orig) {
ldns_rdf_deep_free(orig);
orig = NULL;
}
if (prev) {
ldns_rdf_deep_free(prev);
prev = NULL;
}
if (result == ODS_STATUS_OK && status != LDNS_STATUS_OK) {
ods_log_error("[%s] error reading RR at line %i (%s): %s",
adapter_str, l, ldns_get_errorstr_by_id(status), line);
result = ODS_STATUS_ERR;
}
/* check the number of SOAs seen */
if (result == ODS_STATUS_OK) {
if ((is_axfr && soa_seen != 2) || (!is_axfr && soa_seen != 3)) {
ods_log_error("[%s] bad %s, wrong number of SOAs (%u)",
adapter_str, is_axfr?"axfr":"ixfr", soa_seen);
result = ODS_STATUS_ERR;
}
}
/* input zone ok, set inbound serial and apply differences */
if (result == ODS_STATUS_OK || result == ODS_STATUS_UNCHANGED) {
adapi_set_serial(zone, new_serial);
if (is_axfr) {
adapi_trans_full(zone);
} else {
adapi_trans_diff(zone);
}
if (result == ODS_STATUS_UNCHANGED) {
result = ODS_STATUS_OK;
}
}
return result;
}
/**
* Write zone to output adapter.
*
*/
ods_status
tools_output(zone_type* zone, engine_type* engine)
{
ods_status status = ODS_STATUS_OK;
ods_log_assert(engine);
ods_log_assert(engine->config);
ods_log_assert(zone);
ods_log_assert(zone->db);
ods_log_assert(zone->name);
ods_log_assert(zone->signconf);
ods_log_assert(zone->adoutbound);
/* prepare */
if (zone->stats) {
pthread_mutex_lock(&zone->stats->stats_lock);
if (zone->stats->sort_done == 0 &&
(zone->stats->sig_count <= zone->stats->sig_soa_count)) {
ods_log_verbose("[%s] skip write zone %s serial %u (zone not "
"changed)", tools_str, zone->name?zone->name:"(null)",
zone->db->intserial);
stats_clear(zone->stats);
pthread_mutex_unlock(&zone->stats->stats_lock);
zone->db->intserial =
zone->db->outserial;
return ODS_STATUS_OK;
}
pthread_mutex_unlock(&zone->stats->stats_lock);
}
/* Output Adapter */
status = adapter_write((void*)zone);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to write zone %s: adapter failed (%s)",
tools_str, zone->name, ods_status2str(status));
return status;
}
zone->db->outserial = zone->db->intserial;
zone->db->is_initialized = 1;
zone->db->have_serial = 1;
pthread_mutex_lock(&zone->ixfr->ixfr_lock);
ixfr_purge(zone->ixfr, zone->name);
pthread_mutex_unlock(&zone->ixfr->ixfr_lock);
/* kick the nameserver */
if (zone->notify_ns) {
int pid_status;
pid_t pid, wpid;
ods_log_verbose("[%s] notify nameserver: %s", tools_str,
zone->notify_ns);
/** fork */
switch ((pid = fork())) {
case -1: /* error */
ods_log_error("[%s] notify nameserver failed: unable to fork "
"(%s)", tools_str, strerror(errno));
return ODS_STATUS_FORK_ERR;
case 0: /* child */
/** close fds */
ods_closeall(0);
/** execv */
execvp(zone->notify_ns, zone->notify_args);
/** error */
ods_log_error("[%s] notify nameserver failed: execv() failed "
"(%s)", tools_str, strerror(errno));
exit(1);
break;
default: /* parent */
ods_log_debug("[%s] notify nameserver process forked",
tools_str);
/** wait for completion */
while((wpid = waitpid(pid, &pid_status, 0)) <= 0) {
if (errno != EINTR) {
break;
}
}
if (wpid == -1) {
ods_log_error("[%s] notify nameserver failed: waitpid() "
"failed (%s)", tools_str, strerror(errno));
} else if (!WIFEXITED(pid_status)) {
ods_log_error("[%s] notify nameserver failed: notify "
"command did not terminate normally", tools_str);
} else {
ods_log_verbose("[%s] notify nameserver ok", tools_str);
}
break;
}
}
/* log stats */
if (zone->stats) {
pthread_mutex_lock(&zone->stats->stats_lock);
zone->stats->end_time = time(NULL);
ods_log_debug("[%s] log stats for zone %s serial %u", tools_str,
zone->name?zone->name:"(null)", (unsigned) zone->db->outserial);
stats_log(zone->stats, zone->name, zone->db->outserial,
zone->signconf->nsec_type);
stats_clear(zone->stats);
pthread_mutex_unlock(&zone->stats->stats_lock);
}
if (engine->dnshandler) {
ods_log_debug("[%s] forward a notify", tools_str);
dnshandler_fwd_notify(engine->dnshandler, (uint8_t*) ODS_SE_NOTIFY_CMD,
strlen(ODS_SE_NOTIFY_CMD));
}
return status;
}
/**
* Start engine.
*
*/
void
engine_start(const char* cfgfile, int cmdline_verbosity, int daemonize,
int info, int single_run)
{
engine_type* engine = NULL;
int use_syslog = 0;
ods_status zl_changed = ODS_STATUS_UNCHANGED;
ods_status status = ODS_STATUS_OK;
int close_hsm = 0;
ods_log_assert(cfgfile);
ods_log_init(NULL, use_syslog, cmdline_verbosity);
ods_log_verbose("[%s] starting signer", engine_str);
/* initialize */
xmlInitGlobals();
xmlInitParser();
xmlInitThreads();
engine = engine_create();
if (!engine) {
ods_fatal_exit("[%s] create failed", engine_str);
return;
}
engine->daemonize = daemonize;
/* config */
engine->config = engine_config(engine->allocator, cfgfile,
cmdline_verbosity);
status = engine_config_check(engine->config);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] cfgfile %s has errors", engine_str, cfgfile);
goto earlyexit;
}
if (info) {
engine_config_print(stdout, engine->config); /* for debugging */
goto earlyexit;
}
/* check pidfile */
if (!util_check_pidfile(engine->config->pid_filename)) {
exit(1);
}
/* open log */
ods_log_init(engine->config->log_filename, engine->config->use_syslog,
engine->config->verbosity);
/* setup */
tzset(); /* for portability */
status = engine_setup(engine);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] setup failed: %s", engine_str,
ods_status2str(status));
engine->need_to_exit = 1;
if (status != ODS_STATUS_WRITE_PIDFILE_ERR) {
/* command handler had not yet been started */
engine->cmdhandler_done = 1;
}
} else {
/* setup ok, mark hsm open */
close_hsm = 1;
}
/* run */
while (engine->need_to_exit == 0) {
/* update zone list */
lock_basic_lock(&engine->zonelist->zl_lock);
zl_changed = zonelist_update(engine->zonelist,
engine->config->zonelist_filename);
engine->zonelist->just_removed = 0;
engine->zonelist->just_added = 0;
engine->zonelist->just_updated = 0;
lock_basic_unlock(&engine->zonelist->zl_lock);
/* start/reload */
if (engine->need_to_reload) {
ods_log_info("[%s] signer reloading", engine_str);
engine->need_to_reload = 0;
} else {
ods_log_info("[%s] signer started", engine_str);
zl_changed = engine_recover(engine);
}
if (zl_changed == ODS_STATUS_OK ||
zl_changed == ODS_STATUS_UNCHANGED) {
engine_update_zones(engine, zl_changed);
}
engine_run(engine, single_run);
}
/* shutdown */
ods_log_info("[%s] signer shutdown", engine_str);
if (close_hsm) {
ods_log_verbose("[%s] close hsm", engine_str);
hsm_close();
}
if (!engine->cmdhandler_done) {
engine_stop_xfrhandler(engine);
engine_stop_dnshandler(engine);
engine_stop_cmdhandler(engine);
}
earlyexit:
if (engine && engine->config) {
if (engine->config->pid_filename) {
(void)unlink(engine->config->pid_filename);
}
if (engine->config->clisock_filename) {
(void)unlink(engine->config->clisock_filename);
}
}
tsig_handler_cleanup();
engine_cleanup(engine);
engine = NULL;
ods_log_close();
xmlCleanupParser();
xmlCleanupGlobals();
xmlCleanupThreads();
return;
}
/**
* Set up engine.
*
*/
static ods_status
engine_setup(engine_type* engine)
{
ods_status status = ODS_STATUS_OK;
struct sigaction action;
int result = 0;
int sockets[2] = {0,0};
ods_log_debug("[%s] setup signer engine", engine_str);
if (!engine || !engine->config) {
return ODS_STATUS_ASSERT_ERR;
}
/* set edns */
edns_init(&engine->edns, EDNS_MAX_MESSAGE_LEN);
/* create command handler (before chowning socket file) */
engine->cmdhandler = cmdhandler_create(engine->allocator,
engine->config->clisock_filename);
if (!engine->cmdhandler) {
return ODS_STATUS_CMDHANDLER_ERR;
}
engine->dnshandler = dnshandler_create(engine->allocator,
engine->config->interfaces);
engine->xfrhandler = xfrhandler_create(engine->allocator);
if (!engine->xfrhandler) {
return ODS_STATUS_XFRHANDLER_ERR;
}
if (engine->dnshandler) {
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets) == -1) {
return ODS_STATUS_XFRHANDLER_ERR;
}
engine->xfrhandler->dnshandler.fd = sockets[0];
engine->dnshandler->xfrhandler.fd = sockets[1];
status = dnshandler_listen(engine->dnshandler);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] setup: unable to listen to sockets (%s)",
engine_str, ods_status2str(status));
}
}
/* privdrop */
engine->uid = privuid(engine->config->username);
engine->gid = privgid(engine->config->group);
/* TODO: does piddir exists? */
/* remove the chown stuff: piddir? */
ods_chown(engine->config->pid_filename, engine->uid, engine->gid, 1);
ods_chown(engine->config->clisock_filename, engine->uid, engine->gid, 0);
ods_chown(engine->config->working_dir, engine->uid, engine->gid, 0);
if (engine->config->log_filename && !engine->config->use_syslog) {
ods_chown(engine->config->log_filename, engine->uid, engine->gid, 0);
}
if (engine->config->working_dir &&
chdir(engine->config->working_dir) != 0) {
ods_log_error("[%s] setup: unable to chdir to %s (%s)", engine_str,
engine->config->working_dir, strerror(errno));
return ODS_STATUS_CHDIR_ERR;
}
if (engine_privdrop(engine) != ODS_STATUS_OK) {
return ODS_STATUS_PRIVDROP_ERR;
}
/* daemonize */
if (engine->daemonize) {
switch ((engine->pid = fork())) {
case -1: /* error */
ods_log_error("[%s] setup: unable to fork daemon (%s)",
engine_str, strerror(errno));
return ODS_STATUS_FORK_ERR;
case 0: /* child */
break;
default: /* parent */
engine_cleanup(engine);
engine = NULL;
xmlCleanupParser();
xmlCleanupGlobals();
xmlCleanupThreads();
exit(0);
}
if (setsid() == -1) {
ods_log_error("[%s] setup: unable to setsid daemon (%s)",
engine_str, strerror(errno));
return ODS_STATUS_SETSID_ERR;
}
}
engine->pid = getpid();
ods_log_verbose("[%s] running as pid %lu", engine_str,
(unsigned long) engine->pid);
/* catch signals */
signal_set_engine(engine);
action.sa_handler = signal_handler;
sigfillset(&action.sa_mask);
action.sa_flags = 0;
sigaction(SIGTERM, &action, NULL);
sigaction(SIGHUP, &action, NULL);
sigaction(SIGINT, &action, NULL);
sigaction(SIGILL, &action, NULL);
sigaction(SIGUSR1, &action, NULL);
sigaction(SIGALRM, &action, NULL);
sigaction(SIGCHLD, &action, NULL);
action.sa_handler = SIG_IGN;
sigaction(SIGPIPE, &action, NULL);
/* set up hsm */ /* LEAK */
result = lhsm_open(engine->config->cfg_filename);
if (result != HSM_OK) {
return ODS_STATUS_HSM_ERR;
}
/* create workers/drudgers */
engine_create_workers(engine);
engine_create_drudgers(engine);
/* start cmd/dns/xfr handlers */
engine_start_cmdhandler(engine);
engine_start_dnshandler(engine);
engine_start_xfrhandler(engine);
tsig_handler_init(engine->allocator);
/* write pidfile */
if (util_write_pidfile(engine->config->pid_filename, engine->pid) == -1) {
hsm_close();
return ODS_STATUS_WRITE_PIDFILE_ERR;
}
/* setup done */
return ODS_STATUS_OK;
}
/**
* Configure engine.
*
*/
engineconfig_type*
engine_config(allocator_type* allocator, const char* cfgfile,
int cmdline_verbosity)
{
engineconfig_type* ecfg;
const char* rngfile = ODS_SE_RNGDIR "/conf.rng";
FILE* cfgfd = NULL;
if (!allocator) {
ods_log_error("[%s] failed to read: no allocator available", conf_str);
return NULL;
}
ods_log_assert(allocator);
if (!cfgfile) {
ods_log_error("[%s] failed to read: no filename given", conf_str);
return NULL;
}
ods_log_assert(cfgfile);
ods_log_verbose("[%s] read cfgfile: %s", conf_str, cfgfile);
ecfg = (engineconfig_type*) allocator_alloc(allocator,
sizeof(engineconfig_type));
if (!ecfg) {
ods_log_error("[%s] failed to read: allocator failed", conf_str);
return NULL;
}
ecfg->allocator = allocator;
/* check syntax (slows down parsing configuration file) */
if (parse_file_check(cfgfile, rngfile) != ODS_STATUS_OK) {
ods_log_error("[%s] failed to read: unable to parse file %s",
conf_str, cfgfile);
return NULL;
}
/* open cfgfile */
cfgfd = ods_fopen(cfgfile, NULL, "r");
if (cfgfd) {
/* get values */
ecfg->cfg_filename = allocator_strdup(allocator, cfgfile);
ecfg->policy_filename = parse_conf_policy_filename(allocator,
cfgfile);
ecfg->zonelist_filename = parse_conf_zonelist_filename(allocator,
cfgfile);
ecfg->zonefetch_filename = parse_conf_zonefetch_filename(allocator,
cfgfile);
ecfg->log_filename = parse_conf_log_filename(allocator, cfgfile);
ecfg->pid_filename = parse_conf_pid_filename(allocator, cfgfile);
ecfg->delegation_signer_submit_command =
parse_conf_delegation_signer_submit_command(allocator, cfgfile);
ecfg->delegation_signer_retract_command =
parse_conf_delegation_signer_retract_command(allocator, cfgfile);
ecfg->clisock_filename = parse_conf_clisock_filename(allocator,
cfgfile);
ecfg->working_dir = parse_conf_working_dir(allocator, cfgfile);
ecfg->username = parse_conf_username(allocator, cfgfile);
ecfg->group = parse_conf_group(allocator, cfgfile);
ecfg->chroot = parse_conf_chroot(allocator, cfgfile);
ecfg->datastore = parse_conf_datastore(allocator, cfgfile);
ecfg->db_host = parse_conf_db_host(allocator,cfgfile);
ecfg->db_username = parse_conf_db_username(allocator,cfgfile);
ecfg->db_password = parse_conf_db_password(allocator,cfgfile);
ecfg->use_syslog = parse_conf_use_syslog(cfgfile);
ecfg->num_worker_threads = parse_conf_worker_threads(cfgfile);
ecfg->manual_keygen = parse_conf_manual_keygen(cfgfile);
/* If any verbosity has been specified at cmd line we will use that */
if (cmdline_verbosity > 0) {
ecfg->verbosity = cmdline_verbosity;
}
else {
ecfg->verbosity = parse_conf_verbosity(cfgfile);
}
ecfg->db_port = parse_conf_db_port(cfgfile);
ecfg->automatic_keygen_duration =
parse_conf_automatic_keygen_period(cfgfile);
/* done */
ods_fclose(cfgfd);
return ecfg;
}
ods_log_error("[%s] failed to read: unable to open file %s", conf_str,
cfgfile);
return NULL;
}
/**
* Process SOA.
*
*/
static ods_status
adapi_process_soa(zone_type* zone, ldns_rr* rr, int add, int backup)
{
uint32_t tmp = 0;
ldns_rdf* soa_rdata = NULL;
ods_status status = ODS_STATUS_OK;
ods_log_assert(rr);
ods_log_assert(zone);
ods_log_assert(zone->name);
ods_log_assert(zone->signconf);
if (backup) {
/* no need to do processing */
return ODS_STATUS_OK;
}
if (zone->signconf->soa_ttl) {
tmp = (uint32_t) duration2time(zone->signconf->soa_ttl);
ods_log_verbose("[%s] zone %s set soa ttl to %u",
adapi_str, zone->name, tmp);
ldns_rr_set_ttl(rr, tmp);
}
if (zone->signconf->soa_min) {
tmp = (uint32_t) duration2time(zone->signconf->soa_min);
ods_log_verbose("[%s] zone %s set soa minimum to %u",
adapi_str, zone->name, tmp);
soa_rdata = ldns_rr_set_rdf(rr,
ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, tmp),
SE_SOA_RDATA_MINIMUM);
if (soa_rdata) {
ldns_rdf_deep_free(soa_rdata);
soa_rdata = NULL;
} else {
ods_log_error("[%s] unable to %s soa to zone %s: failed to replace "
"soa minimum rdata", adapi_str, add?"add":"delete",
zone->name);
return ODS_STATUS_ASSERT_ERR;
}
}
if (!add) {
/* we are done */
return ODS_STATUS_OK;
}
tmp = ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
status = namedb_update_serial(zone->db, zone->name,
zone->signconf->soa_serial, tmp);
if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to add soa to zone %s: failed to replace "
"soa serial rdata (%s)", adapi_str, zone->name,
ods_status2str(status));
if (status == ODS_STATUS_CONFLICT_ERR) {
ods_log_error("[%s] If this is the result of a key rollover, "
"please increment the serial in the unsigned zone %s",
adapi_str, zone->name);
}
return status;
}
ods_log_verbose("[%s] zone %s set soa serial to %u", adapi_str,
zone->name, zone->db->intserial);
soa_rdata = ldns_rr_set_rdf(rr, ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
zone->db->intserial), SE_SOA_RDATA_SERIAL);
if (soa_rdata) {
ldns_rdf_deep_free(soa_rdata);
soa_rdata = NULL;
} else {
ods_log_error("[%s] unable to add soa to zone %s: failed to replace "
"soa serial rdata", adapi_str, zone->name);
return ODS_STATUS_ERR;
}
zone->db->serial_updated = 1;
return ODS_STATUS_OK;
}
/**
* Set up engine and return the setup status.
*
*/
static ods_status
engine_setup_and_return_status(engine_type* engine)
{
struct sigaction action;
int result = 0;
int fd;
ods_log_debug("[%s] enforcer setup", engine_str);
if (!engine || !engine->config) {
return ODS_STATUS_ASSERT_ERR;
}
/* create command handler (before chowning socket file) */
engine->cmdhandler = cmdhandler_create(engine->allocator,
engine->config->clisock_filename);
if (!engine->cmdhandler) {
ods_log_error("[%s] create command handler to %s failed",
engine_str, engine->config->clisock_filename);
return ODS_STATUS_CMDHANDLER_ERR;
}
/* privdrop */
engine->uid = privuid(engine->config->username);
engine->gid = privgid(engine->config->group);
/* TODO: does piddir exists? */
/* remove the chown stuff: piddir? */
ods_chown(engine->config->pid_filename, engine->uid, engine->gid, 1);
ods_chown(engine->config->clisock_filename, engine->uid, engine->gid, 0);
ods_chown(engine->config->working_dir, engine->uid, engine->gid, 0);
if (engine->config->log_filename && !engine->config->use_syslog) {
ods_chown(engine->config->log_filename, engine->uid, engine->gid, 0);
}
if (engine->config->working_dir &&
chdir(engine->config->working_dir) != 0) {
ods_log_error("[%s] chdir to %s failed: %s", engine_str,
engine->config->working_dir, strerror(errno));
return ODS_STATUS_CHDIR_ERR;
}
if (engine_privdrop(engine) != ODS_STATUS_OK) {
ods_log_error("[%s] unable to drop privileges", engine_str);
return ODS_STATUS_PRIVDROP_ERR;
}
/* daemonize */
if (engine->daemonize) {
switch ((engine->pid = fork())) {
case -1: /* error */
ods_log_error("[%s] unable to fork daemon: %s",
engine_str, strerror(errno));
return ODS_STATUS_FORK_ERR;
case 0: /* child */
if ((fd = open("/dev/null", O_RDWR, 0)) != -1) {
(void)dup2(fd, STDIN_FILENO);
(void)dup2(fd, STDOUT_FILENO);
(void)dup2(fd, STDERR_FILENO);
if (fd > 2) (void)close(fd);
}
break;
default: /* parent */
engine_cleanup(engine);
engine = NULL;
xmlCleanupParser();
xmlCleanupGlobals();
xmlCleanupThreads();
exit(0);
}
if (setsid() == -1) {
ods_log_error("[%s] unable to setsid daemon (%s)",
engine_str, strerror(errno));
return ODS_STATUS_SETSID_ERR;
}
}
engine->pid = getpid();
ods_log_verbose("[%s] running as pid %lu", engine_str,
(unsigned long) engine->pid);
/* catch signals */
signal_set_engine(engine);
action.sa_handler = signal_handler;
sigfillset(&action.sa_mask);
action.sa_flags = 0;
sigaction(SIGHUP, &action, NULL);
sigaction(SIGTERM, &action, NULL);
/* set up hsm */ /* LEAK */
result = hsm_open(engine->config->cfg_filename, hsm_prompt_pin, NULL);
if (result != HSM_OK) {
ods_log_error("[%s] error initializing libhsm (errno %i)",
engine_str, result);
return ODS_STATUS_HSM_ERR;
}
/* create workers */
engine_create_workers(engine);
engine_create_drudgers(engine);
/* start command handler */
engine_start_cmdhandler(engine);
/* write pidfile */
if (util_write_pidfile(engine->config->pid_filename, engine->pid) == -1) {
hsm_close();
ods_log_error("[%s] unable to write pid file", engine_str);
return ODS_STATUS_WRITE_PIDFILE_ERR;
}
return ODS_STATUS_OK;
}
