diff options
Diffstat (limited to 'src/shutdown')
-rw-r--r-- | src/shutdown/meson.build | 5 | ||||
-rw-r--r-- | src/shutdown/shutdown.c | 625 | ||||
-rw-r--r-- | src/shutdown/umount.c | 843 | ||||
-rw-r--r-- | src/shutdown/umount.h | 32 |
4 files changed, 1505 insertions, 0 deletions
diff --git a/src/shutdown/meson.build b/src/shutdown/meson.build new file mode 100644 index 0000000..ebf0bed --- /dev/null +++ b/src/shutdown/meson.build @@ -0,0 +1,5 @@ +systemd_shutdown_sources = files(''' + shutdown.c + umount.c + umount.h +'''.split()) diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c new file mode 100644 index 0000000..0d07865 --- /dev/null +++ b/src/shutdown/shutdown.c @@ -0,0 +1,625 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <errno.h> +#include <getopt.h> +#include <linux/reboot.h> +#include <stdbool.h> +#include <stdlib.h> +#include <sys/mman.h> +#include <sys/mount.h> +#include <sys/reboot.h> +#include <sys/stat.h> +#include <unistd.h> + +#include "alloc-util.h" +#include "async.h" +#include "binfmt-util.h" +#include "cgroup-setup.h" +#include "cgroup-util.h" +#include "def.h" +#include "exec-util.h" +#include "fd-util.h" +#include "fileio.h" +#include "killall.h" +#include "log.h" +#include "parse-util.h" +#include "process-util.h" +#include "reboot-util.h" +#include "rlimit-util.h" +#include "signal-util.h" +#include "string-util.h" +#include "switch-root.h" +#include "sysctl-util.h" +#include "terminal-util.h" +#include "umount.h" +#include "util.h" +#include "virt.h" +#include "watchdog.h" + +#define SYNC_PROGRESS_ATTEMPTS 3 +#define SYNC_TIMEOUT_USEC (10*USEC_PER_SEC) + +static char* arg_verb; +static uint8_t arg_exit_code; +static usec_t arg_timeout = DEFAULT_TIMEOUT_USEC; + +static int parse_argv(int argc, char *argv[]) { + enum { + ARG_LOG_LEVEL = 0x100, + ARG_LOG_TARGET, + ARG_LOG_COLOR, + ARG_LOG_LOCATION, + ARG_LOG_TIME, + ARG_EXIT_CODE, + ARG_TIMEOUT, + }; + + static const struct option options[] = { + { "log-level", required_argument, NULL, ARG_LOG_LEVEL }, + { "log-target", required_argument, NULL, ARG_LOG_TARGET }, + { "log-color", optional_argument, NULL, ARG_LOG_COLOR }, + { "log-location", optional_argument, NULL, ARG_LOG_LOCATION }, + { "log-time", optional_argument, NULL, ARG_LOG_TIME }, + { "exit-code", required_argument, NULL, ARG_EXIT_CODE }, + { "timeout", required_argument, NULL, ARG_TIMEOUT }, + {} + }; + + int c, r; + + assert(argc >= 1); + assert(argv); + + /* "-" prevents getopt from permuting argv[] and moving the verb away + * from argv[1]. Our interface to initrd promises it'll be there. */ + while ((c = getopt_long(argc, argv, "-", options, NULL)) >= 0) + switch (c) { + + case ARG_LOG_LEVEL: + r = log_set_max_level_from_string(optarg); + if (r < 0) + log_error_errno(r, "Failed to parse log level %s, ignoring: %m", optarg); + + break; + + case ARG_LOG_TARGET: + r = log_set_target_from_string(optarg); + if (r < 0) + log_error_errno(r, "Failed to parse log target %s, ignoring: %m", optarg); + + break; + + case ARG_LOG_COLOR: + + if (optarg) { + r = log_show_color_from_string(optarg); + if (r < 0) + log_error_errno(r, "Failed to parse log color setting %s, ignoring: %m", optarg); + } else + log_show_color(true); + + break; + + case ARG_LOG_LOCATION: + if (optarg) { + r = log_show_location_from_string(optarg); + if (r < 0) + log_error_errno(r, "Failed to parse log location setting %s, ignoring: %m", optarg); + } else + log_show_location(true); + + break; + + case ARG_LOG_TIME: + + if (optarg) { + r = log_show_time_from_string(optarg); + if (r < 0) + log_error_errno(r, "Failed to parse log time setting %s, ignoring: %m", optarg); + } else + log_show_time(true); + + break; + + case ARG_EXIT_CODE: + r = safe_atou8(optarg, &arg_exit_code); + if (r < 0) + log_error_errno(r, "Failed to parse exit code %s, ignoring: %m", optarg); + + break; + + case ARG_TIMEOUT: + r = parse_sec(optarg, &arg_timeout); + if (r < 0) + log_error_errno(r, "Failed to parse shutdown timeout %s, ignoring: %m", optarg); + + break; + + case '\001': + if (!arg_verb) + arg_verb = optarg; + else + log_error("Excess arguments, ignoring"); + break; + + case '?': + return -EINVAL; + + default: + assert_not_reached("Unhandled option code."); + } + + if (!arg_verb) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Verb argument missing."); + + return 0; +} + +static int switch_root_initramfs(void) { + if (mount("/run/initramfs", "/run/initramfs", NULL, MS_BIND, NULL) < 0) + return log_error_errno(errno, "Failed to mount bind /run/initramfs on /run/initramfs: %m"); + + if (mount(NULL, "/run/initramfs", NULL, MS_PRIVATE, NULL) < 0) + return log_error_errno(errno, "Failed to make /run/initramfs private mount: %m"); + + /* switch_root with MS_BIND, because there might still be processes lurking around, which have open file descriptors. + * /run/initramfs/shutdown will take care of these. + * Also do not detach the old root, because /run/initramfs/shutdown needs to access it. + */ + return switch_root("/run/initramfs", "/oldroot", false, MS_BIND); +} + +/* Read the following fields from /proc/meminfo: + * + * NFS_Unstable + * Writeback + * Dirty + * + * Return true if the sum of these fields is greater than the previous + * value input. For all other issues, report the failure and indicate that + * the sync is not making progress. + */ +static int sync_making_progress(unsigned long long *prev_dirty) { + _cleanup_fclose_ FILE *f = NULL; + unsigned long long val = 0; + int ret; + + f = fopen("/proc/meminfo", "re"); + if (!f) + return log_warning_errno(errno, "Failed to open /proc/meminfo: %m"); + + for (;;) { + _cleanup_free_ char *line = NULL; + unsigned long long ull = 0; + int q; + + q = read_line(f, LONG_LINE_MAX, &line); + if (q < 0) + return log_warning_errno(q, "Failed to parse /proc/meminfo: %m"); + if (q == 0) + break; + + if (!first_word(line, "NFS_Unstable:") && !first_word(line, "Writeback:") && !first_word(line, "Dirty:")) + continue; + + errno = 0; + if (sscanf(line, "%*s %llu %*s", &ull) != 1) { + if (errno != 0) + log_warning_errno(errno, "Failed to parse /proc/meminfo: %m"); + else + log_warning("Failed to parse /proc/meminfo"); + + return false; + } + + val += ull; + } + + ret = *prev_dirty > val; + *prev_dirty = val; + return ret; +} + +static void sync_with_progress(void) { + unsigned long long dirty = ULLONG_MAX; + unsigned checks; + pid_t pid; + int r; + + BLOCK_SIGNALS(SIGCHLD); + + /* Due to the possibility of the sync operation hanging, we fork a child process and monitor + * the progress. If the timeout lapses, the assumption is that the particular sync stalled. */ + + r = asynchronous_sync(&pid); + if (r < 0) { + log_error_errno(r, "Failed to fork sync(): %m"); + return; + } + + log_info("Syncing filesystems and block devices."); + + /* Start monitoring the sync operation. If more than + * SYNC_PROGRESS_ATTEMPTS lapse without progress being made, + * we assume that the sync is stalled */ + for (checks = 0; checks < SYNC_PROGRESS_ATTEMPTS; checks++) { + r = wait_for_terminate_with_timeout(pid, SYNC_TIMEOUT_USEC); + if (r == 0) + /* Sync finished without error. + * (The sync itself does not return an error code) */ + return; + else if (r == -ETIMEDOUT) { + /* Reset the check counter if the "Dirty" value is + * decreasing */ + if (sync_making_progress(&dirty) > 0) + checks = 0; + } else { + log_error_errno(r, "Failed to sync filesystems and block devices: %m"); + return; + } + } + + /* Only reached in the event of a timeout. We should issue a kill + * to the stray process. */ + log_error("Syncing filesystems and block devices - timed out, issuing SIGKILL to PID "PID_FMT".", pid); + (void) kill(pid, SIGKILL); +} + +static int read_current_sysctl_printk_log_level(void) { + _cleanup_free_ char *sysctl_printk_vals = NULL, *sysctl_printk_curr = NULL; + int current_lvl; + const char *p; + int r; + + r = sysctl_read("kernel/printk", &sysctl_printk_vals); + if (r < 0) + return log_debug_errno(r, "Cannot read sysctl kernel.printk: %m"); + + p = sysctl_printk_vals; + r = extract_first_word(&p, &sysctl_printk_curr, NULL, 0); + if (r < 0) + return log_debug_errno(r, "Failed to split out kernel printk priority: %m"); + if (r == 0) + return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Short read while reading kernel.printk sysctl"); + + r = safe_atoi(sysctl_printk_curr, ¤t_lvl); + if (r < 0) + return log_debug_errno(r, "Failed to parse kernel.printk sysctl: %s", sysctl_printk_vals); + + return current_lvl; +} + +static void bump_sysctl_printk_log_level(int min_level) { + int current_lvl, r; + + /* Set the logging level to be able to see messages with log level smaller or equal to min_level */ + + current_lvl = read_current_sysctl_printk_log_level(); + if (current_lvl < 0 || current_lvl >= min_level + 1) + return; + + r = sysctl_writef("kernel/printk", "%i", min_level + 1); + if (r < 0) + log_debug_errno(r, "Failed to bump kernel.printk to %i: %m", min_level + 1); +} + +int main(int argc, char *argv[]) { + bool need_umount, need_swapoff, need_loop_detach, need_dm_detach, need_md_detach, in_container, use_watchdog = false, can_initrd; + _cleanup_free_ char *cgroup = NULL; + char *arguments[3], *watchdog_device; + int cmd, r, umount_log_level = LOG_INFO; + static const char* const dirs[] = {SYSTEM_SHUTDOWN_PATH, NULL}; + + /* The log target defaults to console, but the original systemd process will pass its log target in through a + * command line argument, which will override this default. Also, ensure we'll never log to the journal or + * syslog, as these logging daemons are either already dead or will die very soon. */ + + log_set_target(LOG_TARGET_CONSOLE); + log_set_prohibit_ipc(true); + log_parse_environment(); + + r = parse_argv(argc, argv); + if (r < 0) + goto error; + + log_open(); + + umask(0022); + + if (getpid_cached() != 1) { + log_error("Not executed by init (PID 1)."); + r = -EPERM; + goto error; + } + + if (streq(arg_verb, "reboot")) + cmd = RB_AUTOBOOT; + else if (streq(arg_verb, "poweroff")) + cmd = RB_POWER_OFF; + else if (streq(arg_verb, "halt")) + cmd = RB_HALT_SYSTEM; + else if (streq(arg_verb, "kexec")) + cmd = LINUX_REBOOT_CMD_KEXEC; + else if (streq(arg_verb, "exit")) + cmd = 0; /* ignored, just checking that arg_verb is valid */ + else { + log_error("Unknown action '%s'.", arg_verb); + r = -EINVAL; + goto error; + } + + (void) cg_get_root_path(&cgroup); + in_container = detect_container() > 0; + + /* If the logging messages are going to KMSG, and if we are not running from a container, then try to + * update the sysctl kernel.printk current value in order to see "info" messages; This current log + * level is not updated if already big enough. + */ + if (!in_container && + IN_SET(log_get_target(), + LOG_TARGET_AUTO, + LOG_TARGET_JOURNAL_OR_KMSG, + LOG_TARGET_SYSLOG_OR_KMSG, + LOG_TARGET_KMSG)) + bump_sysctl_printk_log_level(LOG_WARNING); + + use_watchdog = getenv("WATCHDOG_USEC"); + watchdog_device = getenv("WATCHDOG_DEVICE"); + if (watchdog_device) { + r = watchdog_set_device(watchdog_device); + if (r < 0) + log_warning_errno(r, "Failed to set watchdog device to %s, ignoring: %m", + watchdog_device); + } + + /* Lock us into memory */ + (void) mlockall(MCL_CURRENT|MCL_FUTURE); + + /* Synchronize everything that is not written to disk yet at this point already. This is a good idea so that + * slow IO is processed here already and the final process killing spree is not impacted by processes + * desperately trying to sync IO to disk within their timeout. Do not remove this sync, data corruption will + * result. */ + if (!in_container) + sync_with_progress(); + + disable_coredumps(); + disable_binfmt(); + + log_info("Sending SIGTERM to remaining processes..."); + broadcast_signal(SIGTERM, true, true, arg_timeout); + + log_info("Sending SIGKILL to remaining processes..."); + broadcast_signal(SIGKILL, true, false, arg_timeout); + + need_umount = !in_container; + need_swapoff = !in_container; + need_loop_detach = !in_container; + need_dm_detach = !in_container; + need_md_detach = !in_container; + can_initrd = !in_container && !in_initrd() && access("/run/initramfs/shutdown", X_OK) == 0; + + /* Unmount all mountpoints, swaps, and loopback devices */ + for (;;) { + bool changed = false; + + if (use_watchdog) + (void) watchdog_ping(); + + /* Let's trim the cgroup tree on each iteration so + that we leave an empty cgroup tree around, so that + container managers get a nice notify event when we + are down */ + if (cgroup) + (void) cg_trim(SYSTEMD_CGROUP_CONTROLLER, cgroup, false); + + if (need_umount) { + log_info("Unmounting file systems."); + r = umount_all(&changed, umount_log_level); + if (r == 0) { + need_umount = false; + log_info("All filesystems unmounted."); + } else if (r > 0) + log_info("Not all file systems unmounted, %d left.", r); + else + log_error_errno(r, "Failed to unmount file systems: %m"); + } + + if (need_swapoff) { + log_info("Deactivating swaps."); + r = swapoff_all(&changed); + if (r == 0) { + need_swapoff = false; + log_info("All swaps deactivated."); + } else if (r > 0) + log_info("Not all swaps deactivated, %d left.", r); + else + log_error_errno(r, "Failed to deactivate swaps: %m"); + } + + if (need_loop_detach) { + log_info("Detaching loop devices."); + r = loopback_detach_all(&changed, umount_log_level); + if (r == 0) { + need_loop_detach = false; + log_info("All loop devices detached."); + } else if (r > 0) + log_info("Not all loop devices detached, %d left.", r); + else + log_error_errno(r, "Failed to detach loop devices: %m"); + } + + if (need_md_detach) { + log_info("Stopping MD devices."); + r = md_detach_all(&changed, umount_log_level); + if (r == 0) { + need_md_detach = false; + log_info("All MD devices stopped."); + } else if (r > 0) + log_info("Not all MD devices stopped, %d left.", r); + else + log_error_errno(r, "Failed to stop MD devices: %m"); + } + + if (need_dm_detach) { + log_info("Detaching DM devices."); + r = dm_detach_all(&changed, umount_log_level); + if (r == 0) { + need_dm_detach = false; + log_info("All DM devices detached."); + } else if (r > 0) + log_info("Not all DM devices detached, %d left.", r); + else + log_error_errno(r, "Failed to detach DM devices: %m"); + } + + if (!need_umount && !need_swapoff && !need_loop_detach && !need_dm_detach + && !need_md_detach) { + log_info("All filesystems, swaps, loop devices, MD devices and DM devices detached."); + /* Yay, done */ + break; + } + + if (!changed && umount_log_level == LOG_INFO && !can_initrd) { + /* There are things we cannot get rid of. Loop one more time + * with LOG_ERR to inform the user. Note that we don't need + * to do this if there is a initrd to switch to, because that + * one is likely to get rid of the remounting mounts. If not, + * it will log about them. */ + umount_log_level = LOG_ERR; + continue; + } + + /* If in this iteration we didn't manage to + * unmount/deactivate anything, we simply give up */ + if (!changed) { + log_info("Cannot finalize remaining%s%s%s%s%s continuing.", + need_umount ? " file systems," : "", + need_swapoff ? " swap devices," : "", + need_loop_detach ? " loop devices," : "", + need_dm_detach ? " DM devices," : "", + need_md_detach ? " MD devices," : ""); + break; + } + + log_debug("Couldn't finalize remaining %s%s%s%s%s trying again.", + need_umount ? " file systems," : "", + need_swapoff ? " swap devices," : "", + need_loop_detach ? " loop devices," : "", + need_dm_detach ? " DM devices," : "", + need_md_detach ? " MD devices," : ""); + } + + /* We're done with the watchdog. */ + watchdog_free_device(); + + arguments[0] = NULL; + arguments[1] = arg_verb; + arguments[2] = NULL; + (void) execute_directories(dirs, DEFAULT_TIMEOUT_USEC, NULL, NULL, arguments, NULL, EXEC_DIR_PARALLEL | EXEC_DIR_IGNORE_ERRORS); + + (void) rlimit_nofile_safe(); + + if (can_initrd) { + r = switch_root_initramfs(); + if (r >= 0) { + argv[0] = (char*) "/shutdown"; + + (void) setsid(); + (void) make_console_stdio(); + + log_info("Successfully changed into root pivot.\n" + "Returning to initrd..."); + + execv("/shutdown", argv); + log_error_errno(errno, "Failed to execute shutdown binary: %m"); + } else + log_error_errno(r, "Failed to switch root to \"/run/initramfs\": %m"); + } + + if (need_umount || need_swapoff || need_loop_detach || need_dm_detach || need_md_detach) + log_error("Failed to finalize%s%s%s%s%s ignoring.", + need_umount ? " file systems," : "", + need_swapoff ? " swap devices," : "", + need_loop_detach ? " loop devices," : "", + need_dm_detach ? " DM devices," : "", + need_md_detach ? " MD devices," : ""); + + /* The kernel will automatically flush ATA disks and suchlike on reboot(), but the file systems need to be + * sync'ed explicitly in advance. So let's do this here, but not needlessly slow down containers. Note that we + * sync'ed things already once above, but we did some more work since then which might have caused IO, hence + * let's do it once more. Do not remove this sync, data corruption will result. */ + if (!in_container) + sync_with_progress(); + + if (streq(arg_verb, "exit")) { + if (in_container) + return arg_exit_code; + + cmd = RB_POWER_OFF; /* We cannot exit() on the host, fallback on another method. */ + } + + switch (cmd) { + + case LINUX_REBOOT_CMD_KEXEC: + + if (!in_container) { + /* We cheat and exec kexec to avoid doing all its work */ + log_info("Rebooting with kexec."); + + r = safe_fork("(sd-kexec)", FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_LOG|FORK_WAIT, NULL); + if (r == 0) { + const char * const args[] = { + KEXEC, "-e", NULL + }; + + /* Child */ + + execv(args[0], (char * const *) args); + + /* execv failed (kexec binary missing?), so try simply reboot(RB_KEXEC) */ + (void) reboot(cmd); + _exit(EXIT_FAILURE); + } + + /* If we are still running, then the kexec can't have worked, let's fall through */ + } + + cmd = RB_AUTOBOOT; + _fallthrough_; + + case RB_AUTOBOOT: + (void) reboot_with_parameter(REBOOT_LOG); + log_info("Rebooting."); + break; + + case RB_POWER_OFF: + log_info("Powering off."); + break; + + case RB_HALT_SYSTEM: + log_info("Halting system."); + break; + + default: + assert_not_reached("Unknown magic"); + } + + (void) reboot(cmd); + if (errno == EPERM && in_container) { + /* If we are in a container, and we lacked + * CAP_SYS_BOOT just exit, this will kill our + * container for good. */ + log_info("Exiting container."); + return EXIT_SUCCESS; + } + + r = log_error_errno(errno, "Failed to invoke reboot(): %m"); + + error: + log_emergency_errno(r, "Critical error while doing system shutdown: %m"); + freeze(); +} diff --git a/src/shutdown/umount.c b/src/shutdown/umount.c new file mode 100644 index 0000000..3a72a13 --- /dev/null +++ b/src/shutdown/umount.c @@ -0,0 +1,843 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <errno.h> +#include <fcntl.h> +#include <linux/dm-ioctl.h> +#include <linux/major.h> +#include <linux/raid/md_u.h> +#include <linux/loop.h> +#include <sys/mount.h> +#include <sys/swap.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> + +#include "sd-device.h" + +#include "alloc-util.h" +#include "blockdev-util.h" +#include "def.h" +#include "device-util.h" +#include "escape.h" +#include "fd-util.h" +#include "fs-util.h" +#include "fstab-util.h" +#include "libmount-util.h" +#include "mount-setup.h" +#include "mount-util.h" +#include "mountpoint-util.h" +#include "path-util.h" +#include "process-util.h" +#include "signal-util.h" +#include "string-util.h" +#include "strv.h" +#include "umount.h" +#include "util.h" +#include "virt.h" + +static void mount_point_free(MountPoint **head, MountPoint *m) { + assert(head); + assert(m); + + LIST_REMOVE(mount_point, *head, m); + + free(m->path); + free(m->remount_options); + free(m); +} + +void mount_points_list_free(MountPoint **head) { + assert(head); + + while (*head) + mount_point_free(head, *head); +} + +int mount_points_list_get(const char *mountinfo, MountPoint **head) { + _cleanup_(mnt_free_tablep) struct libmnt_table *table = NULL; + _cleanup_(mnt_free_iterp) struct libmnt_iter *iter = NULL; + int r; + + assert(head); + + r = libmount_parse(mountinfo, NULL, &table, &iter); + if (r < 0) + return log_error_errno(r, "Failed to parse %s: %m", mountinfo ?: "/proc/self/mountinfo"); + + for (;;) { + struct libmnt_fs *fs; + const char *path, *fstype; + _cleanup_free_ char *options = NULL; + unsigned long remount_flags = 0u; + _cleanup_free_ char *remount_options = NULL; + bool try_remount_ro; + _cleanup_free_ MountPoint *m = NULL; + + r = mnt_table_next_fs(table, iter, &fs); + if (r == 1) + break; + if (r < 0) + return log_error_errno(r, "Failed to get next entry from %s: %m", mountinfo ?: "/proc/self/mountinfo"); + + path = mnt_fs_get_target(fs); + if (!path) + continue; + + fstype = mnt_fs_get_fstype(fs); + + /* Combine the generic VFS options with the FS-specific + * options. Duplicates are not a problem here, because the only + * options that should come up twice are typically ro/rw, which + * are turned into MS_RDONLY or the inversion of it. + * + * Even if there are duplicates later in mount_option_mangle() + * they shouldn't hurt anyways as they override each other. + */ + if (!strextend_with_separator(&options, ",", + mnt_fs_get_vfs_options(fs), + NULL)) + return log_oom(); + if (!strextend_with_separator(&options, ",", + mnt_fs_get_fs_options(fs), + NULL)) + return log_oom(); + + /* Ignore mount points we can't unmount because they + * are API or because we are keeping them open (like + * /dev/console). Also, ignore all mounts below API + * file systems, since they are likely virtual too, + * and hence not worth spending time on. Also, in + * unprivileged containers we might lack the rights to + * unmount these things, hence don't bother. */ + if (mount_point_is_api(path) || + mount_point_ignore(path) || + PATH_STARTSWITH_SET(path, "/dev", "/sys", "/proc")) + continue; + + /* If we are in a container, don't attempt to + * read-only mount anything as that brings no real + * benefits, but might confuse the host, as we remount + * the superblock here, not the bind mount. + * + * If the filesystem is a network fs, also skip the + * remount. It brings no value (we cannot leave + * a "dirty fs") and could hang if the network is down. + * Note that umount2() is more careful and will not + * hang because of the network being down. */ + try_remount_ro = detect_container() <= 0 && + !fstype_is_network(fstype) && + !fstype_is_api_vfs(fstype) && + !fstype_is_ro(fstype) && + !fstab_test_yes_no_option(options, "ro\0rw\0"); + + if (try_remount_ro) { + /* mount(2) states that mount flags and options need to be exactly the same + * as they were when the filesystem was mounted, except for the desired + * changes. So we reconstruct both here and adjust them for the later + * remount call too. */ + + r = mnt_fs_get_propagation(fs, &remount_flags); + if (r < 0) { + log_warning_errno(r, "mnt_fs_get_propagation() failed for %s, ignoring: %m", path); + continue; + } + + r = mount_option_mangle(options, remount_flags, &remount_flags, &remount_options); + if (r < 0) { + log_warning_errno(r, "mount_option_mangle failed for %s, ignoring: %m", path); + continue; + } + + /* MS_BIND is special. If it is provided it will only make the mount-point + * read-only. If left out, the super block itself is remounted, which we want. */ + remount_flags = (remount_flags|MS_REMOUNT|MS_RDONLY) & ~MS_BIND; + } + + m = new0(MountPoint, 1); + if (!m) + return log_oom(); + + m->path = strdup(path); + if (!m->path) + return log_oom(); + + m->remount_options = TAKE_PTR(remount_options); + m->remount_flags = remount_flags; + m->try_remount_ro = try_remount_ro; + + LIST_PREPEND(mount_point, *head, TAKE_PTR(m)); + } + + return 0; +} + +int swap_list_get(const char *swaps, MountPoint **head) { + _cleanup_(mnt_free_tablep) struct libmnt_table *t = NULL; + _cleanup_(mnt_free_iterp) struct libmnt_iter *i = NULL; + int r; + + assert(head); + + t = mnt_new_table(); + i = mnt_new_iter(MNT_ITER_FORWARD); + if (!t || !i) + return log_oom(); + + r = mnt_table_parse_swaps(t, swaps); + if (r == -ENOENT) /* no /proc/swaps is fine */ + return 0; + if (r < 0) + return log_error_errno(r, "Failed to parse %s: %m", swaps ?: "/proc/swaps"); + + for (;;) { + struct libmnt_fs *fs; + _cleanup_free_ MountPoint *swap = NULL; + const char *source; + + r = mnt_table_next_fs(t, i, &fs); + if (r == 1) + break; + if (r < 0) + return log_error_errno(r, "Failed to get next entry from %s: %m", swaps ?: "/proc/swaps"); + + source = mnt_fs_get_source(fs); + if (!source) + continue; + + swap = new0(MountPoint, 1); + if (!swap) + return log_oom(); + + swap->path = strdup(source); + if (!swap->path) + return log_oom(); + + LIST_PREPEND(mount_point, *head, TAKE_PTR(swap)); + } + + return 0; +} + +static int loopback_list_get(MountPoint **head) { + _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; + sd_device *d; + int r; + + assert(head); + + r = sd_device_enumerator_new(&e); + if (r < 0) + return r; + + r = sd_device_enumerator_allow_uninitialized(e); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_subsystem(e, "block", true); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_sysname(e, "loop*"); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_sysattr(e, "loop/backing_file", NULL, true); + if (r < 0) + return r; + + FOREACH_DEVICE(e, d) { + _cleanup_free_ char *p = NULL; + const char *dn; + MountPoint *lb; + dev_t devnum; + + if (sd_device_get_devnum(d, &devnum) < 0 || + sd_device_get_devname(d, &dn) < 0) + continue; + + p = strdup(dn); + if (!p) + return -ENOMEM; + + lb = new(MountPoint, 1); + if (!lb) + return -ENOMEM; + + *lb = (MountPoint) { + .path = TAKE_PTR(p), + .devnum = devnum, + }; + + LIST_PREPEND(mount_point, *head, lb); + } + + return 0; +} + +static int dm_list_get(MountPoint **head) { + _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; + sd_device *d; + int r; + + assert(head); + + r = sd_device_enumerator_new(&e); + if (r < 0) + return r; + + r = sd_device_enumerator_allow_uninitialized(e); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_subsystem(e, "block", true); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_sysname(e, "dm-*"); + if (r < 0) + return r; + + FOREACH_DEVICE(e, d) { + _cleanup_free_ char *p = NULL; + const char *dn; + MountPoint *m; + dev_t devnum; + + if (sd_device_get_devnum(d, &devnum) < 0 || + sd_device_get_devname(d, &dn) < 0) + continue; + + p = strdup(dn); + if (!p) + return -ENOMEM; + + m = new(MountPoint, 1); + if (!m) + return -ENOMEM; + + *m = (MountPoint) { + .path = TAKE_PTR(p), + .devnum = devnum, + }; + + LIST_PREPEND(mount_point, *head, m); + } + + return 0; +} + +static int md_list_get(MountPoint **head) { + _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; + sd_device *d; + int r; + + assert(head); + + r = sd_device_enumerator_new(&e); + if (r < 0) + return r; + + r = sd_device_enumerator_allow_uninitialized(e); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_subsystem(e, "block", true); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_sysname(e, "md*"); + if (r < 0) + return r; + + FOREACH_DEVICE(e, d) { + _cleanup_free_ char *p = NULL; + const char *dn; + MountPoint *m; + dev_t devnum; + + if (sd_device_get_devnum(d, &devnum) < 0 || + sd_device_get_devname(d, &dn) < 0) + continue; + + p = strdup(dn); + if (!p) + return -ENOMEM; + + m = new(MountPoint, 1); + if (!m) + return -ENOMEM; + + *m = (MountPoint) { + .path = TAKE_PTR(p), + .devnum = devnum, + }; + + LIST_PREPEND(mount_point, *head, m); + } + + return 0; +} + +static int delete_loopback(const char *device) { + _cleanup_close_ int fd = -1; + struct loop_info64 info; + + assert(device); + + fd = open(device, O_RDONLY|O_CLOEXEC); + if (fd < 0) { + log_debug_errno(errno, "Failed to open loopback device %s: %m", device); + return errno == ENOENT ? 0 : -errno; + } + + /* Loopback block devices don't sync in-flight blocks when we clear the fd, hence sync explicitly + * first */ + if (fsync(fd) < 0) + log_debug_errno(errno, "Failed to sync loop block device %s, ignoring: %m", device); + + if (ioctl(fd, LOOP_CLR_FD, 0) < 0) { + if (errno == ENXIO) /* Nothing bound, didn't do anything */ + return 0; + + if (errno != EBUSY) + return log_debug_errno(errno, "Failed to clear loopback device %s: %m", device); + + if (ioctl(fd, LOOP_GET_STATUS64, &info) < 0) { + if (errno == ENXIO) /* What? Suddenly detached after all? That's fine by us then. */ + return 1; + + log_debug_errno(errno, "Failed to invoke LOOP_GET_STATUS64 on loopback device %s, ignoring: %m", device); + return -EBUSY; /* propagate original error */ + } + + if (FLAGS_SET(info.lo_flags, LO_FLAGS_AUTOCLEAR)) /* someone else already set LO_FLAGS_AUTOCLEAR for us? fine by us */ + return -EBUSY; /* propagate original error */ + + info.lo_flags |= LO_FLAGS_AUTOCLEAR; + if (ioctl(fd, LOOP_SET_STATUS64, &info) < 0) { + if (errno == ENXIO) /* Suddenly detached after all? Fine by us */ + return 1; + + log_debug_errno(errno, "Failed to set LO_FLAGS_AUTOCLEAR flag for loop device %s, ignoring: %m", device); + } else + log_debug("Successfully set LO_FLAGS_AUTOCLEAR flag for loop device %s.", device); + + return -EBUSY; + } + + if (ioctl(fd, LOOP_GET_STATUS64, &info) < 0) { + /* If the LOOP_CLR_FD above succeeded we'll see ENXIO here. */ + if (errno == ENXIO) + log_debug("Successfully detached loopback device %s.", device); + else + log_debug_errno(errno, "Failed to invoke LOOP_GET_STATUS64 on loopback device %s, ignoring: %m", device); /* the LOOP_CLR_FD at least worked, let's hope for the best */ + + return 1; + } + + /* Linux makes LOOP_CLR_FD succeed whenever LO_FLAGS_AUTOCLEAR is set without actually doing + * anything. Very confusing. Let's hence not claim we did anything in this case. */ + if (FLAGS_SET(info.lo_flags, LO_FLAGS_AUTOCLEAR)) + log_debug("Successfully called LOOP_CLR_FD on a loopback device %s with autoclear set, which is a NOP.", device); + else + log_debug("Weird, LOOP_CLR_FD succeeded but the device is still attached on %s.", device); + + return -EBUSY; /* Nothing changed, the device is still attached, hence it apparently is still busy */ +} + +static int delete_dm(MountPoint *m) { + _cleanup_close_ int fd = -1; + int r; + + assert(m); + assert(major(m->devnum) != 0); + assert(m->path); + + fd = open("/dev/mapper/control", O_RDWR|O_CLOEXEC); + if (fd < 0) + return -errno; + + r = fsync_path_at(AT_FDCWD, m->path); + if (r < 0) + log_debug_errno(r, "Failed to sync DM block device %s, ignoring: %m", m->path); + + if (ioctl(fd, DM_DEV_REMOVE, &(struct dm_ioctl) { + .version = { + DM_VERSION_MAJOR, + DM_VERSION_MINOR, + DM_VERSION_PATCHLEVEL + }, + .data_size = sizeof(struct dm_ioctl), + .dev = m->devnum, + }) < 0) + return -errno; + + return 0; +} + +static int delete_md(MountPoint *m) { + _cleanup_close_ int fd = -1; + + assert(m); + assert(major(m->devnum) != 0); + assert(m->path); + + fd = open(m->path, O_RDONLY|O_CLOEXEC|O_EXCL); + if (fd < 0) + return -errno; + + if (fsync(fd) < 0) + log_debug_errno(errno, "Failed to sync MD block device %s, ignoring: %m", m->path); + + if (ioctl(fd, STOP_ARRAY, NULL) < 0) + return -errno; + + return 0; +} + +static bool nonunmountable_path(const char *path) { + return path_equal(path, "/") +#if ! HAVE_SPLIT_USR + || path_equal(path, "/usr") +#endif + || path_startswith(path, "/run/initramfs"); +} + +static int remount_with_timeout(MountPoint *m, int umount_log_level) { + pid_t pid; + int r; + + BLOCK_SIGNALS(SIGCHLD); + + assert(m); + + /* Due to the possibility of a remount operation hanging, we fork a child process and set a + * timeout. If the timeout lapses, the assumption is that the particular remount failed. */ + r = safe_fork("(sd-remount)", FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_LOG|FORK_REOPEN_LOG, &pid); + if (r < 0) + return r; + if (r == 0) { + log_info("Remounting '%s' read-only in with options '%s'.", m->path, m->remount_options); + + /* Start the mount operation here in the child */ + r = mount(NULL, m->path, NULL, m->remount_flags, m->remount_options); + if (r < 0) + log_full_errno(umount_log_level, errno, "Failed to remount '%s' read-only: %m", m->path); + + _exit(r < 0 ? EXIT_FAILURE : EXIT_SUCCESS); + } + + r = wait_for_terminate_with_timeout(pid, DEFAULT_TIMEOUT_USEC); + if (r == -ETIMEDOUT) { + log_error_errno(r, "Remounting '%s' timed out, issuing SIGKILL to PID " PID_FMT ".", m->path, pid); + (void) kill(pid, SIGKILL); + } else if (r == -EPROTO) + log_debug_errno(r, "Remounting '%s' failed abnormally, child process " PID_FMT " aborted or exited non-zero.", m->path, pid); + else if (r < 0) + log_error_errno(r, "Remounting '%s' failed unexpectedly, couldn't wait for child process " PID_FMT ": %m", m->path, pid); + + return r; +} + +static int umount_with_timeout(MountPoint *m, int umount_log_level) { + pid_t pid; + int r; + + BLOCK_SIGNALS(SIGCHLD); + + assert(m); + + /* Due to the possibility of a umount operation hanging, we fork a child process and set a + * timeout. If the timeout lapses, the assumption is that the particular umount failed. */ + r = safe_fork("(sd-umount)", FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_LOG|FORK_REOPEN_LOG, &pid); + if (r < 0) + return r; + if (r == 0) { + log_info("Unmounting '%s'.", m->path); + + /* Start the mount operation here in the child Using MNT_FORCE + * causes some filesystems (e.g. FUSE and NFS and other network + * filesystems) to abort any pending requests and return -EIO + * rather than blocking indefinitely. If the filesysten is + * "busy", this may allow processes to die, thus making the + * filesystem less busy so the unmount might succeed (rather + * then return EBUSY).*/ + r = umount2(m->path, MNT_FORCE); + if (r < 0) + log_full_errno(umount_log_level, errno, "Failed to unmount %s: %m", m->path); + + _exit(r < 0 ? EXIT_FAILURE : EXIT_SUCCESS); + } + + r = wait_for_terminate_with_timeout(pid, DEFAULT_TIMEOUT_USEC); + if (r == -ETIMEDOUT) { + log_error_errno(r, "Unmounting '%s' timed out, issuing SIGKILL to PID " PID_FMT ".", m->path, pid); + (void) kill(pid, SIGKILL); + } else if (r == -EPROTO) + log_debug_errno(r, "Unmounting '%s' failed abnormally, child process " PID_FMT " aborted or exited non-zero.", m->path, pid); + else if (r < 0) + log_error_errno(r, "Unmounting '%s' failed unexpectedly, couldn't wait for child process " PID_FMT ": %m", m->path, pid); + + return r; +} + +/* This includes remounting readonly, which changes the kernel mount options. Therefore the list passed to + * this function is invalidated, and should not be reused. */ +static int mount_points_list_umount(MountPoint **head, bool *changed, int umount_log_level) { + MountPoint *m; + int n_failed = 0; + + assert(head); + assert(changed); + + LIST_FOREACH(mount_point, m, *head) { + if (m->try_remount_ro) { + /* We always try to remount directories read-only first, before we go on and umount + * them. + * + * Mount points can be stacked. If a mount point is stacked below / or /usr, we + * cannot umount or remount it directly, since there is no way to refer to the + * underlying mount. There's nothing we can do about it for the general case, but we + * can do something about it if it is aliased somewhere else via a bind mount. If we + * explicitly remount the super block of that alias read-only we hence should be + * relatively safe regarding keeping a dirty fs we cannot otherwise see. + * + * Since the remount can hang in the instance of remote filesystems, we remount + * asynchronously and skip the subsequent umount if it fails. */ + if (remount_with_timeout(m, umount_log_level) < 0) { + /* Remount failed, but try unmounting anyway, + * unless this is a mount point we want to skip. */ + if (nonunmountable_path(m->path)) { + n_failed++; + continue; + } + } + } + + /* Skip / and /usr since we cannot unmount that anyway, since we are running from it. They + * have already been remounted ro. */ + if (nonunmountable_path(m->path)) + continue; + + /* Trying to umount */ + if (umount_with_timeout(m, umount_log_level) < 0) + n_failed++; + else + *changed = true; + } + + return n_failed; +} + +static int swap_points_list_off(MountPoint **head, bool *changed) { + MountPoint *m, *n; + int n_failed = 0; + + assert(head); + assert(changed); + + LIST_FOREACH_SAFE(mount_point, m, n, *head) { + log_info("Deactivating swap %s.", m->path); + if (swapoff(m->path) < 0) { + log_warning_errno(errno, "Could not deactivate swap %s: %m", m->path); + n_failed++; + continue; + } + + *changed = true; + mount_point_free(head, m); + } + + return n_failed; +} + +static int loopback_points_list_detach(MountPoint **head, bool *changed, int umount_log_level) { + MountPoint *m, *n; + int n_failed = 0, r; + dev_t rootdev = 0; + + assert(head); + assert(changed); + + (void) get_block_device("/", &rootdev); + + LIST_FOREACH_SAFE(mount_point, m, n, *head) { + if (major(rootdev) != 0 && rootdev == m->devnum) { + n_failed++; + continue; + } + + log_info("Detaching loopback %s.", m->path); + r = delete_loopback(m->path); + if (r < 0) { + log_full_errno(umount_log_level, r, "Could not detach loopback %s: %m", m->path); + n_failed++; + continue; + } + if (r > 0) + *changed = true; + + mount_point_free(head, m); + } + + return n_failed; +} + +static int dm_points_list_detach(MountPoint **head, bool *changed, int umount_log_level) { + MountPoint *m, *n; + int n_failed = 0, r; + dev_t rootdev = 0; + + assert(head); + assert(changed); + + (void) get_block_device("/", &rootdev); + + LIST_FOREACH_SAFE(mount_point, m, n, *head) { + if (major(rootdev) != 0 && rootdev == m->devnum) { + n_failed ++; + continue; + } + + log_info("Detaching DM %s (%u:%u).", m->path, major(m->devnum), minor(m->devnum)); + r = delete_dm(m); + if (r < 0) { + log_full_errno(umount_log_level, r, "Could not detach DM %s: %m", m->path); + n_failed++; + continue; + } + + *changed = true; + mount_point_free(head, m); + } + + return n_failed; +} + +static int md_points_list_detach(MountPoint **head, bool *changed, int umount_log_level) { + MountPoint *m, *n; + int n_failed = 0, r; + dev_t rootdev = 0; + + assert(head); + assert(changed); + + (void) get_block_device("/", &rootdev); + + LIST_FOREACH_SAFE(mount_point, m, n, *head) { + if (major(rootdev) != 0 && rootdev == m->devnum) { + n_failed ++; + continue; + } + + log_info("Stopping MD %s (%u:%u).", m->path, major(m->devnum), minor(m->devnum)); + r = delete_md(m); + if (r < 0) { + log_full_errno(umount_log_level, r, "Could not stop MD %s: %m", m->path); + n_failed++; + continue; + } + + *changed = true; + mount_point_free(head, m); + } + + return n_failed; +} + +static int umount_all_once(bool *changed, int umount_log_level) { + _cleanup_(mount_points_list_free) LIST_HEAD(MountPoint, mp_list_head); + int r; + + assert(changed); + + LIST_HEAD_INIT(mp_list_head); + r = mount_points_list_get(NULL, &mp_list_head); + if (r < 0) + return r; + + return mount_points_list_umount(&mp_list_head, changed, umount_log_level); +} + +int umount_all(bool *changed, int umount_log_level) { + bool umount_changed; + int r; + + assert(changed); + + /* Retry umount, until nothing can be umounted anymore. Mounts are + * processed in order, newest first. The retries are needed when + * an old mount has been moved, to a path inside a newer mount. */ + do { + umount_changed = false; + + r = umount_all_once(&umount_changed, umount_log_level); + if (umount_changed) + *changed = true; + } while (umount_changed); + + return r; +} + +int swapoff_all(bool *changed) { + _cleanup_(mount_points_list_free) LIST_HEAD(MountPoint, swap_list_head); + int r; + + assert(changed); + + LIST_HEAD_INIT(swap_list_head); + + r = swap_list_get(NULL, &swap_list_head); + if (r < 0) + return r; + + return swap_points_list_off(&swap_list_head, changed); +} + +int loopback_detach_all(bool *changed, int umount_log_level) { + _cleanup_(mount_points_list_free) LIST_HEAD(MountPoint, loopback_list_head); + int r; + + assert(changed); + + LIST_HEAD_INIT(loopback_list_head); + + r = loopback_list_get(&loopback_list_head); + if (r < 0) + return r; + + return loopback_points_list_detach(&loopback_list_head, changed, umount_log_level); +} + +int dm_detach_all(bool *changed, int umount_log_level) { + _cleanup_(mount_points_list_free) LIST_HEAD(MountPoint, dm_list_head); + int r; + + assert(changed); + + LIST_HEAD_INIT(dm_list_head); + + r = dm_list_get(&dm_list_head); + if (r < 0) + return r; + + return dm_points_list_detach(&dm_list_head, changed, umount_log_level); +} + +int md_detach_all(bool *changed, int umount_log_level) { + _cleanup_(mount_points_list_free) LIST_HEAD(MountPoint, md_list_head); + int r; + + assert(changed); + + LIST_HEAD_INIT(md_list_head); + + r = md_list_get(&md_list_head); + if (r < 0) + return r; + + return md_points_list_detach(&md_list_head, changed, umount_log_level); +} diff --git a/src/shutdown/umount.h b/src/shutdown/umount.h new file mode 100644 index 0000000..fac1a12 --- /dev/null +++ b/src/shutdown/umount.h @@ -0,0 +1,32 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +#pragma once + +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include "list.h" + +int umount_all(bool *changed, int umount_log_level); + +int swapoff_all(bool *changed); + +int loopback_detach_all(bool *changed, int umount_log_level); + +int dm_detach_all(bool *changed, int umount_log_level); + +int md_detach_all(bool *changed, int umount_log_level); + +/* This is exported just for testing */ +typedef struct MountPoint { + char *path; + char *remount_options; + unsigned long remount_flags; + bool try_remount_ro; + dev_t devnum; + LIST_FIELDS(struct MountPoint, mount_point); +} MountPoint; + +int mount_points_list_get(const char *mountinfo, MountPoint **head); +void mount_points_list_free(MountPoint **head); +int swap_list_get(const char *swaps, MountPoint **head); |