diff options
Diffstat (limited to 'src/shutdown')
-rw-r--r-- | src/shutdown/detach-dm.c | 167 | ||||
-rw-r--r-- | src/shutdown/detach-dm.h | 10 | ||||
-rw-r--r-- | src/shutdown/detach-loopback.c | 225 | ||||
-rw-r--r-- | src/shutdown/detach-loopback.h | 10 | ||||
-rw-r--r-- | src/shutdown/detach-md.c | 188 | ||||
-rw-r--r-- | src/shutdown/detach-md.h | 10 | ||||
-rw-r--r-- | src/shutdown/detach-swap.c | 110 | ||||
-rw-r--r-- | src/shutdown/detach-swap.h | 21 | ||||
-rw-r--r-- | src/shutdown/meson.build | 39 | ||||
-rw-r--r-- | src/shutdown/shutdown.c | 663 | ||||
-rw-r--r-- | src/shutdown/test-umount.c | 68 | ||||
-rw-r--r-- | src/shutdown/umount.c | 494 | ||||
-rw-r--r-- | src/shutdown/umount.h | 26 |
13 files changed, 2031 insertions, 0 deletions
diff --git a/src/shutdown/detach-dm.c b/src/shutdown/detach-dm.c new file mode 100644 index 0000000..8b8f72d --- /dev/null +++ b/src/shutdown/detach-dm.c @@ -0,0 +1,167 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <linux/dm-ioctl.h> +#include <sys/ioctl.h> + +#include "sd-device.h" + +#include "alloc-util.h" +#include "blockdev-util.h" +#include "detach-dm.h" +#include "device-util.h" +#include "devnum-util.h" +#include "errno-util.h" +#include "fd-util.h" +#include "sync-util.h" + +typedef struct DeviceMapper { + char *path; + dev_t devnum; + LIST_FIELDS(struct DeviceMapper, device_mapper); +} DeviceMapper; + +static void device_mapper_free(DeviceMapper **head, DeviceMapper *m) { + assert(head); + assert(m); + + LIST_REMOVE(device_mapper, *head, m); + + free(m->path); + free(m); +} + +static void device_mapper_list_free(DeviceMapper **head) { + assert(head); + + while (*head) + device_mapper_free(head, *head); +} + +static int dm_list_get(DeviceMapper **head) { + _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; + int r; + + assert(head); + + r = sd_device_enumerator_new(&e); + if (r < 0) + return r; + + r = sd_device_enumerator_allow_uninitialized(e); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_subsystem(e, "block", true); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_sysname(e, "dm-*"); + if (r < 0) + return r; + + FOREACH_DEVICE(e, d) { + _cleanup_free_ char *p = NULL; + const char *dn; + DeviceMapper *m; + dev_t devnum; + + if (sd_device_get_devnum(d, &devnum) < 0 || + sd_device_get_devname(d, &dn) < 0) + continue; + + p = strdup(dn); + if (!p) + return -ENOMEM; + + m = new(DeviceMapper, 1); + if (!m) + return -ENOMEM; + + *m = (DeviceMapper) { + .path = TAKE_PTR(p), + .devnum = devnum, + }; + + LIST_PREPEND(device_mapper, *head, m); + } + + return 0; +} + +static int delete_dm(DeviceMapper *m) { + _cleanup_close_ int fd = -EBADF; + int r; + + assert(m); + assert(major(m->devnum) != 0); + assert(m->path); + + fd = open("/dev/mapper/control", O_RDWR|O_CLOEXEC); + if (fd < 0) + return -errno; + + r = fsync_path_at(AT_FDCWD, m->path); + if (r < 0) + log_debug_errno(r, "Failed to sync DM block device %s, ignoring: %m", m->path); + + return RET_NERRNO(ioctl(fd, DM_DEV_REMOVE, &(struct dm_ioctl) { + .version = { + DM_VERSION_MAJOR, + DM_VERSION_MINOR, + DM_VERSION_PATCHLEVEL + }, + .data_size = sizeof(struct dm_ioctl), + .dev = m->devnum, + })); +} + +static int dm_points_list_detach(DeviceMapper **head, bool *changed, bool last_try) { + int n_failed = 0, r; + dev_t rootdev = 0, usrdev = 0; + + assert(head); + assert(changed); + + (void) get_block_device("/", &rootdev); + (void) get_block_device("/usr", &usrdev); + + LIST_FOREACH(device_mapper, m, *head) { + if ((major(rootdev) != 0 && rootdev == m->devnum) || + (major(usrdev) != 0 && usrdev == m->devnum)) { + log_debug("Not detaching DM %s that backs the OS itself, skipping.", m->path); + n_failed ++; + continue; + } + + log_info("Detaching DM %s (" DEVNUM_FORMAT_STR ").", m->path, DEVNUM_FORMAT_VAL(m->devnum)); + r = delete_dm(m); + if (r < 0) { + log_full_errno(last_try ? LOG_ERR : LOG_INFO, r, "Could not detach DM %s: %m", m->path); + n_failed++; + continue; + } + + *changed = true; + device_mapper_free(head, m); + } + + return n_failed; +} + +int dm_detach_all(bool *changed, bool last_try) { + _cleanup_(device_mapper_list_free) LIST_HEAD(DeviceMapper, dm_list_head); + int r; + + assert(changed); + + LIST_HEAD_INIT(dm_list_head); + + r = dm_list_get(&dm_list_head); + if (r < 0) + return r; + + return dm_points_list_detach(&dm_list_head, changed, last_try); +} diff --git a/src/shutdown/detach-dm.h b/src/shutdown/detach-dm.h new file mode 100644 index 0000000..b5f50a3 --- /dev/null +++ b/src/shutdown/detach-dm.h @@ -0,0 +1,10 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +#pragma once + +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <stdbool.h> + +int dm_detach_all(bool *changed, bool last_try); diff --git a/src/shutdown/detach-loopback.c b/src/shutdown/detach-loopback.c new file mode 100644 index 0000000..267509f --- /dev/null +++ b/src/shutdown/detach-loopback.c @@ -0,0 +1,225 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <linux/loop.h> +#include <sys/ioctl.h> +#include <unistd.h> + +#if HAVE_VALGRIND_MEMCHECK_H +#include <valgrind/memcheck.h> +#endif + +#include "sd-device.h" + +#include "alloc-util.h" +#include "blockdev-util.h" +#include "detach-loopback.h" +#include "device-util.h" +#include "fd-util.h" + +typedef struct LoopbackDevice { + char *path; + dev_t devnum; + LIST_FIELDS(struct LoopbackDevice, loopback_device); +} LoopbackDevice; + +static void loopback_device_free(LoopbackDevice **head, LoopbackDevice *m) { + assert(head); + assert(m); + + LIST_REMOVE(loopback_device, *head, m); + + free(m->path); + free(m); +} + +static void loopback_device_list_free(LoopbackDevice **head) { + assert(head); + + while (*head) + loopback_device_free(head, *head); +} + +static int loopback_list_get(LoopbackDevice **head) { + _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; + int r; + + assert(head); + + r = sd_device_enumerator_new(&e); + if (r < 0) + return r; + + r = sd_device_enumerator_allow_uninitialized(e); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_subsystem(e, "block", true); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_sysname(e, "loop*"); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_sysattr(e, "loop/backing_file", NULL, true); + if (r < 0) + return r; + + FOREACH_DEVICE(e, d) { + _cleanup_free_ char *p = NULL; + const char *dn; + LoopbackDevice *lb; + dev_t devnum; + + if (sd_device_get_devnum(d, &devnum) < 0 || + sd_device_get_devname(d, &dn) < 0) + continue; + + p = strdup(dn); + if (!p) + return -ENOMEM; + + lb = new(LoopbackDevice, 1); + if (!lb) + return -ENOMEM; + + *lb = (LoopbackDevice) { + .path = TAKE_PTR(p), + .devnum = devnum, + }; + + LIST_PREPEND(loopback_device, *head, lb); + } + + return 0; +} + +static int delete_loopback(const char *device) { + _cleanup_close_ int fd = -EBADF; + struct loop_info64 info; + + assert(device); + + fd = open(device, O_RDONLY|O_CLOEXEC); + if (fd < 0) { + log_debug_errno(errno, "Failed to open loopback device %s: %m", device); + return errno == ENOENT ? 0 : -errno; + } + + /* Loopback block devices don't sync in-flight blocks when we clear the fd, hence sync explicitly + * first */ + if (fsync(fd) < 0) + log_debug_errno(errno, "Failed to sync loop block device %s, ignoring: %m", device); + + if (ioctl(fd, LOOP_CLR_FD, 0) < 0) { + if (errno == ENXIO) /* Nothing bound, didn't do anything */ + return 0; + + if (errno != EBUSY) + return log_debug_errno(errno, "Failed to clear loopback device %s: %m", device); + + if (ioctl(fd, LOOP_GET_STATUS64, &info) < 0) { + if (errno == ENXIO) /* What? Suddenly detached after all? That's fine by us then. */ + return 1; + + log_debug_errno(errno, "Failed to invoke LOOP_GET_STATUS64 on loopback device %s, ignoring: %m", device); + return -EBUSY; /* propagate original error */ + } + +#if HAVE_VALGRIND_MEMCHECK_H + VALGRIND_MAKE_MEM_DEFINED(&info, sizeof(info)); +#endif + + if (FLAGS_SET(info.lo_flags, LO_FLAGS_AUTOCLEAR)) /* someone else already set LO_FLAGS_AUTOCLEAR for us? fine by us */ + return -EBUSY; /* propagate original error */ + + info.lo_flags |= LO_FLAGS_AUTOCLEAR; + if (ioctl(fd, LOOP_SET_STATUS64, &info) < 0) { + if (errno == ENXIO) /* Suddenly detached after all? Fine by us */ + return 1; + + log_debug_errno(errno, "Failed to set LO_FLAGS_AUTOCLEAR flag for loop device %s, ignoring: %m", device); + } else + log_debug("Successfully set LO_FLAGS_AUTOCLEAR flag for loop device %s.", device); + + return -EBUSY; + } + + if (ioctl(fd, LOOP_GET_STATUS64, &info) < 0) { + /* If the LOOP_CLR_FD above succeeded we'll see ENXIO here. */ + if (errno == ENXIO) + log_debug("Successfully detached loopback device %s.", device); + else + log_debug_errno(errno, "Failed to invoke LOOP_GET_STATUS64 on loopback device %s, ignoring: %m", device); /* the LOOP_CLR_FD at least worked, let's hope for the best */ + + return 1; + } + +#if HAVE_VALGRIND_MEMCHECK_H + VALGRIND_MAKE_MEM_DEFINED(&info, sizeof(info)); +#endif + + /* Linux makes LOOP_CLR_FD succeed whenever LO_FLAGS_AUTOCLEAR is set without actually doing + * anything. Very confusing. Let's hence not claim we did anything in this case. */ + if (FLAGS_SET(info.lo_flags, LO_FLAGS_AUTOCLEAR)) + log_debug("Successfully called LOOP_CLR_FD on a loopback device %s with autoclear set, which is a NOP.", device); + else + log_debug("Weird, LOOP_CLR_FD succeeded but the device is still attached on %s.", device); + + return -EBUSY; /* Nothing changed, the device is still attached, hence it apparently is still busy */ +} + +static int loopback_points_list_detach(LoopbackDevice **head, bool *changed, bool last_try) { + int n_failed = 0, r; + dev_t rootdev = 0, usrdev = 0; + + assert(head); + assert(changed); + + (void) get_block_device_harder("/", &rootdev); + (void) block_get_whole_disk(rootdev, &rootdev); + + (void) get_block_device_harder("/usr", &usrdev); + (void) block_get_whole_disk(usrdev, &usrdev); + + LIST_FOREACH(loopback_device, m, *head) { + if ((major(rootdev) != 0 && rootdev == m->devnum) || + (major(usrdev) != 0 && usrdev == m->devnum)) { + log_debug("Not detaching loopback device %s that backs the OS itself, skipping.", m->path); + n_failed++; + continue; + } + + log_info("Detaching loopback %s.", m->path); + r = delete_loopback(m->path); + if (r < 0) { + log_full_errno(last_try ? LOG_ERR : LOG_INFO, r, "Could not detach loopback %s: %m", m->path); + n_failed++; + continue; + } + if (r > 0) + *changed = true; + + loopback_device_free(head, m); + } + + return n_failed; +} + +int loopback_detach_all(bool *changed, bool last_try) { + _cleanup_(loopback_device_list_free) LIST_HEAD(LoopbackDevice, loopback_list_head); + int r; + + assert(changed); + + LIST_HEAD_INIT(loopback_list_head); + + r = loopback_list_get(&loopback_list_head); + if (r < 0) + return r; + + return loopback_points_list_detach(&loopback_list_head, changed, last_try); +} diff --git a/src/shutdown/detach-loopback.h b/src/shutdown/detach-loopback.h new file mode 100644 index 0000000..d6d73f3 --- /dev/null +++ b/src/shutdown/detach-loopback.h @@ -0,0 +1,10 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +#pragma once + +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <stdbool.h> + +int loopback_detach_all(bool *changed, bool last_try); diff --git a/src/shutdown/detach-md.c b/src/shutdown/detach-md.c new file mode 100644 index 0000000..cf3130d --- /dev/null +++ b/src/shutdown/detach-md.c @@ -0,0 +1,188 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <linux/major.h> +#include <linux/raid/md_u.h> +#include <sys/ioctl.h> +#include <unistd.h> + +#include "sd-device.h" + +#include "alloc-util.h" +#include "blockdev-util.h" +#include "detach-md.h" +#include "device-util.h" +#include "devnum-util.h" +#include "errno-util.h" +#include "fd-util.h" +#include "string-util.h" + +typedef struct RaidDevice { + char *path; + dev_t devnum; + LIST_FIELDS(struct RaidDevice, raid_device); +} RaidDevice; + +static void raid_device_free(RaidDevice **head, RaidDevice *m) { + assert(head); + assert(m); + + LIST_REMOVE(raid_device, *head, m); + + free(m->path); + free(m); +} + +static void raid_device_list_free(RaidDevice **head) { + assert(head); + + while (*head) + raid_device_free(head, *head); +} + +static int md_list_get(RaidDevice **head) { + _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; + int r; + + assert(head); + + r = sd_device_enumerator_new(&e); + if (r < 0) + return r; + + r = sd_device_enumerator_allow_uninitialized(e); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_subsystem(e, "block", true); + if (r < 0) + return r; + + r = sd_device_enumerator_add_match_sysname(e, "md*"); + if (r < 0) + return r; + + /* Filter out partitions. */ + r = sd_device_enumerator_add_match_property(e, "DEVTYPE", "disk"); + if (r < 0) + return r; + + FOREACH_DEVICE(e, d) { + _cleanup_free_ char *p = NULL; + const char *dn, *md_level; + RaidDevice *m; + dev_t devnum; + + r = sd_device_get_devname(d, &dn); + if (r < 0) { + log_device_warning_errno(d, r, "Failed to get name of enumerated device, ignoring: %m"); + continue; + } + + r = sd_device_get_devnum(d, &devnum); + if (r < 0) { + log_device_warning_errno(d, r, "Failed to get devno of enumerated device '%s', ignoring device: %m", dn); + continue; + } + + /* MD "containers" are a special type of MD devices, used for external metadata. Since they + * don't provide RAID functionality in themselves we don't need to stop them. Note that the + * MD_LEVEL udev property is set by mdadm in userspace, which is an optional package. Hence + * let's handle gracefully if the property is missing. */ + + r = sd_device_get_property_value(d, "MD_LEVEL", &md_level); + if (r < 0) + log_device_full_errno(d, + r == -ENOENT ? LOG_DEBUG : LOG_WARNING, + r, + "Failed to get MD_LEVEL property for %s, assuming regular MD device, not a container: %m", dn); + else if (streq(md_level, "container")) { + log_device_debug(d, "Skipping MD device '%s' because it is a container MD device.", dn); + continue; + } + + p = strdup(dn); + if (!p) + return -ENOMEM; + + m = new(RaidDevice, 1); + if (!m) + return -ENOMEM; + + *m = (RaidDevice) { + .path = TAKE_PTR(p), + .devnum = devnum, + }; + + LIST_PREPEND(raid_device, *head, m); + } + + return 0; +} + +static int delete_md(RaidDevice *m) { + _cleanup_close_ int fd = -EBADF; + + assert(m); + assert(major(m->devnum) != 0); + assert(m->path); + + fd = open(m->path, O_RDONLY|O_CLOEXEC|O_EXCL); + if (fd < 0) + return -errno; + + if (fsync(fd) < 0) + log_debug_errno(errno, "Failed to sync MD block device %s, ignoring: %m", m->path); + + return RET_NERRNO(ioctl(fd, STOP_ARRAY, NULL)); +} + +static int md_points_list_detach(RaidDevice **head, bool *changed, bool last_try) { + int n_failed = 0, r; + dev_t rootdev = 0, usrdev = 0; + + assert(head); + assert(changed); + + (void) get_block_device("/", &rootdev); + (void) get_block_device("/usr", &usrdev); + + LIST_FOREACH(raid_device, m, *head) { + if ((major(rootdev) != 0 && rootdev == m->devnum) || + (major(usrdev) != 0 && usrdev == m->devnum)) { + log_debug("Not detaching MD %s that backs the OS itself, skipping.", m->path); + n_failed ++; + continue; + } + + log_info("Stopping MD %s (" DEVNUM_FORMAT_STR ").", m->path, DEVNUM_FORMAT_VAL(m->devnum)); + r = delete_md(m); + if (r < 0) { + log_full_errno(last_try ? LOG_ERR : LOG_INFO, r, "Could not stop MD %s: %m", m->path); + n_failed++; + continue; + } + + *changed = true; + raid_device_free(head, m); + } + + return n_failed; +} + +int md_detach_all(bool *changed, bool last_try) { + _cleanup_(raid_device_list_free) LIST_HEAD(RaidDevice, md_list_head); + int r; + + assert(changed); + + LIST_HEAD_INIT(md_list_head); + + r = md_list_get(&md_list_head); + if (r < 0) + return r; + + return md_points_list_detach(&md_list_head, changed, last_try); +} diff --git a/src/shutdown/detach-md.h b/src/shutdown/detach-md.h new file mode 100644 index 0000000..3784598 --- /dev/null +++ b/src/shutdown/detach-md.h @@ -0,0 +1,10 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +#pragma once + +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <stdbool.h> + +int md_detach_all(bool *changed, bool last_try); diff --git a/src/shutdown/detach-swap.c b/src/shutdown/detach-swap.c new file mode 100644 index 0000000..fd7dcdf --- /dev/null +++ b/src/shutdown/detach-swap.c @@ -0,0 +1,110 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <sys/swap.h> + +#include "alloc-util.h" +#include "detach-swap.h" +#include "libmount-util.h" + +static void swap_device_free(SwapDevice **head, SwapDevice *m) { + assert(head); + assert(m); + + LIST_REMOVE(swap_device, *head, m); + + free(m->path); + free(m); +} + +void swap_devices_list_free(SwapDevice **head) { + assert(head); + + while (*head) + swap_device_free(head, *head); +} + +int swap_list_get(const char *swaps, SwapDevice **head) { + _cleanup_(mnt_free_tablep) struct libmnt_table *t = NULL; + _cleanup_(mnt_free_iterp) struct libmnt_iter *i = NULL; + int r; + + assert(head); + + t = mnt_new_table(); + i = mnt_new_iter(MNT_ITER_FORWARD); + if (!t || !i) + return log_oom(); + + r = mnt_table_parse_swaps(t, swaps); + if (r == -ENOENT) /* no /proc/swaps is fine */ + return 0; + if (r < 0) + return log_error_errno(r, "Failed to parse %s: %m", swaps ?: "/proc/swaps"); + + for (;;) { + struct libmnt_fs *fs; + _cleanup_free_ SwapDevice *swap = NULL; + const char *source; + + r = mnt_table_next_fs(t, i, &fs); + if (r == 1) /* EOF */ + break; + if (r < 0) + return log_error_errno(r, "Failed to get next entry from %s: %m", swaps ?: "/proc/swaps"); + + source = mnt_fs_get_source(fs); + if (!source) + continue; + + swap = new0(SwapDevice, 1); + if (!swap) + return log_oom(); + + swap->path = strdup(source); + if (!swap->path) + return log_oom(); + + LIST_PREPEND(swap_device, *head, TAKE_PTR(swap)); + } + + return 0; +} + +static int swap_points_list_off(SwapDevice **head, bool *changed) { + int n_failed = 0; + + assert(head); + assert(changed); + + LIST_FOREACH(swap_device, m, *head) { + log_info("Deactivating swap %s.", m->path); + if (swapoff(m->path) < 0) { + log_warning_errno(errno, "Could not deactivate swap %s: %m", m->path); + n_failed++; + continue; + } + + *changed = true; + swap_device_free(head, m); + } + + return n_failed; +} + +int swapoff_all(bool *changed) { + _cleanup_(swap_devices_list_free) LIST_HEAD(SwapDevice, swap_list_head); + int r; + + assert(changed); + + LIST_HEAD_INIT(swap_list_head); + + r = swap_list_get(NULL, &swap_list_head); + if (r < 0) + return r; + + return swap_points_list_off(&swap_list_head, changed); +} diff --git a/src/shutdown/detach-swap.h b/src/shutdown/detach-swap.h new file mode 100644 index 0000000..1ebf5eb --- /dev/null +++ b/src/shutdown/detach-swap.h @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +#pragma once + +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <stdbool.h> + +#include "list.h" + +int swapoff_all(bool *changed); + +/* This is exported just for testing */ +typedef struct SwapDevice { + char *path; + LIST_FIELDS(struct SwapDevice, swap_device); +} SwapDevice; + +int swap_list_get(const char *swaps, SwapDevice **head); +void swap_devices_list_free(SwapDevice **head); diff --git a/src/shutdown/meson.build b/src/shutdown/meson.build new file mode 100644 index 0000000..219f9fd --- /dev/null +++ b/src/shutdown/meson.build @@ -0,0 +1,39 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +systemd_shutdown_sources = files( + 'detach-dm.c', + 'detach-loopback.c', + 'detach-md.c', + 'detach-swap.c', + 'shutdown.c', + 'umount.c', +) + +executables += [ + libexec_template + { + 'name' : 'systemd-shutdown', + 'sources' : systemd_shutdown_sources, + 'dependencies' : libmount, + }, + libexec_template + { + 'name' : 'systemd-shutdown.standalone', + 'sources' : systemd_shutdown_sources, + 'c_args' : '-DSTANDALONE', + 'link_with' : [ + libbasic, + libshared_static, + libsystemd_static, + ], + 'dependencies' : libmount, + 'build_by_default' : have_standalone_binaries, + 'install' : have_standalone_binaries, + }, + test_template + { + 'sources' : files( + 'test-umount.c', + 'detach-swap.c', + 'umount.c', + ), + 'dependencies' : libmount, + }, +] diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c new file mode 100644 index 0000000..b709078 --- /dev/null +++ b/src/shutdown/shutdown.c @@ -0,0 +1,663 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <errno.h> +#include <getopt.h> +#include <linux/reboot.h> +#include <stdbool.h> +#include <stdlib.h> +#include <sys/mman.h> +#include <sys/mount.h> +#include <sys/reboot.h> +#include <sys/stat.h> +#include <unistd.h> + +#include "sd-daemon.h" +#include "sd-messages.h" + +#include "alloc-util.h" +#include "async.h" +#include "binfmt-util.h" +#include "cgroup-setup.h" +#include "cgroup-util.h" +#include "constants.h" +#include "coredump-util.h" +#include "detach-dm.h" +#include "detach-loopback.h" +#include "detach-md.h" +#include "detach-swap.h" +#include "errno-util.h" +#include "exec-util.h" +#include "fd-util.h" +#include "fileio.h" +#include "getopt-defs.h" +#include "initrd-util.h" +#include "killall.h" +#include "log.h" +#include "parse-util.h" +#include "process-util.h" +#include "reboot-util.h" +#include "rlimit-util.h" +#include "signal-util.h" +#include "string-util.h" +#include "switch-root.h" +#include "sysctl-util.h" +#include "terminal-util.h" +#include "umount.h" +#include "virt.h" +#include "watchdog.h" + +#define SYNC_PROGRESS_ATTEMPTS 3 +#define SYNC_TIMEOUT_USEC (10*USEC_PER_SEC) + +static char* arg_verb; +static uint8_t arg_exit_code; +static usec_t arg_timeout = DEFAULT_TIMEOUT_USEC; + +static int parse_argv(int argc, char *argv[]) { + enum { + COMMON_GETOPT_ARGS, + SHUTDOWN_GETOPT_ARGS, + }; + + static const struct option options[] = { + COMMON_GETOPT_OPTIONS, + SHUTDOWN_GETOPT_OPTIONS, + {} + }; + + int c, r; + + assert(argc >= 1); + assert(argv); + + /* Resetting to 0 forces the invocation of an internal initialization routine of getopt_long() + * that checks for GNU extensions in optstring ('-' or '+' at the beginning). */ + optind = 0; + + /* "-" prevents getopt from permuting argv[] and moving the verb away + * from argv[1]. Our interface to initrd promises it'll be there. */ + while ((c = getopt_long(argc, argv, "-", options, NULL)) >= 0) + switch (c) { + + case ARG_LOG_LEVEL: + r = log_set_max_level_from_string(optarg); + if (r < 0) + log_error_errno(r, "Failed to parse log level %s, ignoring: %m", optarg); + + break; + + case ARG_LOG_TARGET: + r = log_set_target_from_string(optarg); + if (r < 0) + log_error_errno(r, "Failed to parse log target %s, ignoring: %m", optarg); + + break; + + case ARG_LOG_COLOR: + + if (optarg) { + r = log_show_color_from_string(optarg); + if (r < 0) + log_error_errno(r, "Failed to parse log color setting %s, ignoring: %m", optarg); + } else + log_show_color(true); + + break; + + case ARG_LOG_LOCATION: + if (optarg) { + r = log_show_location_from_string(optarg); + if (r < 0) + log_error_errno(r, "Failed to parse log location setting %s, ignoring: %m", optarg); + } else + log_show_location(true); + + break; + + case ARG_LOG_TIME: + + if (optarg) { + r = log_show_time_from_string(optarg); + if (r < 0) + log_error_errno(r, "Failed to parse log time setting %s, ignoring: %m", optarg); + } else + log_show_time(true); + + break; + + case ARG_EXIT_CODE: + r = safe_atou8(optarg, &arg_exit_code); + if (r < 0) + log_error_errno(r, "Failed to parse exit code %s, ignoring: %m", optarg); + + break; + + case ARG_TIMEOUT: + r = parse_sec(optarg, &arg_timeout); + if (r < 0) + log_error_errno(r, "Failed to parse shutdown timeout %s, ignoring: %m", optarg); + + break; + + case '\001': + if (!arg_verb) + arg_verb = optarg; + else + log_error("Excess arguments, ignoring"); + break; + + case '?': + return -EINVAL; + + default: + assert_not_reached(); + } + + if (!arg_verb) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Verb argument missing."); + + return 0; +} + +static int switch_root_initramfs(void) { + /* Do not detach the old root, because /run/initramfs/shutdown needs to access it. + * + * Disable sync() during switch-root, we after all sync'ed here plenty, and a dumb sync (as opposed + * to the "smart" sync() we did here that looks at progress parameters) would defeat much of our + * efforts here. As the new root will be /run/initramfs/, it is not necessary to mount /run/ + * recursively. */ + return switch_root( + /* new_root= */ "/run/initramfs", + /* old_root_after= */ "/oldroot", + /* flags= */ SWITCH_ROOT_DONT_SYNC); +} + +/* Read the following fields from /proc/meminfo: + * + * NFS_Unstable + * Writeback + * Dirty + * + * Return true if the sum of these fields is greater than the previous + * value input. For all other issues, report the failure and indicate that + * the sync is not making progress. + */ +static int sync_making_progress(unsigned long long *prev_dirty) { + _cleanup_fclose_ FILE *f = NULL; + unsigned long long val = 0; + int ret; + + f = fopen("/proc/meminfo", "re"); + if (!f) + return log_warning_errno(errno, "Failed to open /proc/meminfo: %m"); + + for (;;) { + _cleanup_free_ char *line = NULL; + unsigned long long ull = 0; + int q; + + q = read_line(f, LONG_LINE_MAX, &line); + if (q < 0) + return log_warning_errno(q, "Failed to parse /proc/meminfo: %m"); + if (q == 0) + break; + + if (!first_word(line, "NFS_Unstable:") && !first_word(line, "Writeback:") && !first_word(line, "Dirty:")) + continue; + + errno = 0; + if (sscanf(line, "%*s %llu %*s", &ull) != 1) { + if (errno != 0) + log_warning_errno(errno, "Failed to parse /proc/meminfo: %m"); + else + log_warning("Failed to parse /proc/meminfo"); + + return false; + } + + val += ull; + } + + ret = *prev_dirty > val; + *prev_dirty = val; + return ret; +} + +static void sync_with_progress(void) { + unsigned long long dirty = ULLONG_MAX; + unsigned checks; + pid_t pid; + int r; + + BLOCK_SIGNALS(SIGCHLD); + + /* Due to the possibility of the sync operation hanging, we fork a child process and monitor + * the progress. If the timeout lapses, the assumption is that the particular sync stalled. */ + + r = asynchronous_sync(&pid); + if (r < 0) { + log_error_errno(r, "Failed to fork sync(): %m"); + return; + } + + log_info("Syncing filesystems and block devices."); + + /* Start monitoring the sync operation. If more than + * SYNC_PROGRESS_ATTEMPTS lapse without progress being made, + * we assume that the sync is stalled */ + for (checks = 0; checks < SYNC_PROGRESS_ATTEMPTS; checks++) { + r = wait_for_terminate_with_timeout(pid, SYNC_TIMEOUT_USEC); + if (r == 0) + /* Sync finished without error. + * (The sync itself does not return an error code) */ + return; + else if (r == -ETIMEDOUT) { + /* Reset the check counter if the "Dirty" value is + * decreasing */ + if (sync_making_progress(&dirty) > 0) + checks = 0; + } else { + log_error_errno(r, "Failed to sync filesystems and block devices: %m"); + return; + } + } + + /* Only reached in the event of a timeout. We should issue a kill + * to the stray process. */ + log_error("Syncing filesystems and block devices - timed out, issuing SIGKILL to PID "PID_FMT".", pid); + (void) kill(pid, SIGKILL); +} + +static int read_current_sysctl_printk_log_level(void) { + _cleanup_free_ char *sysctl_printk_vals = NULL, *sysctl_printk_curr = NULL; + int current_lvl; + const char *p; + int r; + + r = sysctl_read("kernel/printk", &sysctl_printk_vals); + if (r < 0) + return log_debug_errno(r, "Cannot read sysctl kernel.printk: %m"); + + p = sysctl_printk_vals; + r = extract_first_word(&p, &sysctl_printk_curr, NULL, 0); + if (r < 0) + return log_debug_errno(r, "Failed to split out kernel printk priority: %m"); + if (r == 0) + return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Short read while reading kernel.printk sysctl"); + + r = safe_atoi(sysctl_printk_curr, ¤t_lvl); + if (r < 0) + return log_debug_errno(r, "Failed to parse kernel.printk sysctl: %s", sysctl_printk_vals); + + return current_lvl; +} + +static void bump_sysctl_printk_log_level(int min_level) { + int current_lvl, r; + + /* Set the logging level to be able to see messages with log level smaller or equal to min_level */ + + current_lvl = read_current_sysctl_printk_log_level(); + if (current_lvl < 0 || current_lvl >= min_level + 1) + return; + + r = sysctl_writef("kernel/printk", "%i", min_level + 1); + if (r < 0) + log_debug_errno(r, "Failed to bump kernel.printk to %i: %m", min_level + 1); +} + +static void init_watchdog(void) { + const char *s; + int r; + + s = getenv("WATCHDOG_DEVICE"); + if (s) { + r = watchdog_set_device(s); + if (r < 0) + log_warning_errno(r, "Failed to set watchdog device to %s, ignoring: %m", s); + } + + s = getenv("WATCHDOG_USEC"); + if (s) { + usec_t usec; + + r = safe_atou64(s, &usec); + if (r < 0) + log_warning_errno(r, "Failed to parse watchdog timeout '%s', ignoring: %m", s); + else + (void) watchdog_setup(usec); + } +} + +int main(int argc, char *argv[]) { + static const char* const dirs[] = { + SYSTEM_SHUTDOWN_PATH, + NULL + }; + _cleanup_free_ char *cgroup = NULL; + char *arguments[3]; + int cmd, r; + + /* Close random fds we might have get passed, just for paranoia, before we open any new fds, for + * example for logging. After all this tool's purpose is about detaching any pinned resources, and + * open file descriptors are the primary way to pin resources. Note that we don't really expect any + * fds to be passed here. */ + (void) close_all_fds(NULL, 0); + + /* The log target defaults to console, but the original systemd process will pass its log target in through a + * command line argument, which will override this default. Also, ensure we'll never log to the journal or + * syslog, as these logging daemons are either already dead or will die very soon. */ + + log_set_target(LOG_TARGET_CONSOLE); + log_set_prohibit_ipc(true); + log_parse_environment(); + + if (getpid_cached() == 1) + log_set_always_reopen_console(true); + + r = parse_argv(argc, argv); + if (r < 0) + goto error; + + log_open(); + + umask(0022); + + if (getpid_cached() != 1) { + r = log_error_errno(SYNTHETIC_ERRNO(EPERM), "Not executed by init (PID 1)."); + goto error; + } + + if (streq(arg_verb, "reboot")) + cmd = RB_AUTOBOOT; + else if (streq(arg_verb, "poweroff")) + cmd = RB_POWER_OFF; + else if (streq(arg_verb, "halt")) + cmd = RB_HALT_SYSTEM; + else if (streq(arg_verb, "kexec")) + cmd = LINUX_REBOOT_CMD_KEXEC; + else if (streq(arg_verb, "exit")) + cmd = 0; /* ignored, just checking that arg_verb is valid */ + else { + r = log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown action '%s'.", arg_verb); + goto error; + } + + /* This is primarily useful when running systemd in a VM, as it provides the user running the VM with + * a mechanism to pick up systemd's exit status in the VM. Note that we execute this as early as + * possible since otherwise we might shut down the VM before the AF_VSOCK buffers have been flushed. + * While this doesn't guarantee the message will arrive, in practice we do enough work after this + * that the message should always arrive on the host */ + (void) sd_notifyf(0, "EXIT_STATUS=%i", arg_exit_code); + + (void) cg_get_root_path(&cgroup); + bool in_container = detect_container() > 0; + + /* If the logging messages are going to KMSG, and if we are not running from a container, then try to + * update the sysctl kernel.printk current value in order to see "info" messages; This current log + * level is not updated if already big enough. + */ + if (!in_container && + IN_SET(log_get_target(), + LOG_TARGET_AUTO, + LOG_TARGET_JOURNAL_OR_KMSG, + LOG_TARGET_SYSLOG_OR_KMSG, + LOG_TARGET_KMSG)) + bump_sysctl_printk_log_level(LOG_WARNING); + + init_watchdog(); + + /* Lock us into memory */ + (void) mlockall(MCL_CURRENT|MCL_FUTURE); + + /* We need to make mounts private so that we can MS_MOVE in unmount_all(). Kernel does not allow + * MS_MOVE when parent mountpoints have shared propagation. */ + if (mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) < 0) + log_warning_errno(errno, "Failed to make mounts private, ignoring: %m"); + + /* Synchronize everything that is not written to disk yet at this point already. This is a good idea so that + * slow IO is processed here already and the final process killing spree is not impacted by processes + * desperately trying to sync IO to disk within their timeout. Do not remove this sync, data corruption will + * result. */ + if (!in_container) + sync_with_progress(); + + disable_coredumps(); + disable_binfmt(); + + log_info("Sending SIGTERM to remaining processes..."); + broadcast_signal(SIGTERM, true, true, arg_timeout); + + log_info("Sending SIGKILL to remaining processes..."); + broadcast_signal(SIGKILL, true, false, arg_timeout); + + bool need_umount = !in_container, need_swapoff = !in_container, need_loop_detach = !in_container, + need_dm_detach = !in_container, need_md_detach = !in_container, can_initrd, last_try = false; + can_initrd = !in_container && !in_initrd() && access("/run/initramfs/shutdown", X_OK) == 0; + + /* Unmount all mountpoints, swaps, and loopback devices */ + for (;;) { + bool changed = false; + + (void) watchdog_ping(); + + /* Let's trim the cgroup tree on each iteration so that we leave an empty cgroup tree around, + * so that container managers get a nice notify event when we are down */ + if (cgroup) + (void) cg_trim(SYSTEMD_CGROUP_CONTROLLER, cgroup, false); + + if (need_umount) { + log_info("Unmounting file systems."); + r = umount_all(&changed, last_try); + if (r == 0) { + need_umount = false; + log_info("All filesystems unmounted."); + } else if (r > 0) + log_info("Not all file systems unmounted, %d left.", r); + else + log_error_errno(r, "Unable to unmount file systems: %m"); + } + + if (need_swapoff) { + log_info("Deactivating swaps."); + r = swapoff_all(&changed); + if (r == 0) { + need_swapoff = false; + log_info("All swaps deactivated."); + } else if (r > 0) + log_info("Not all swaps deactivated, %d left.", r); + else + log_error_errno(r, "Unable to deactivate swaps: %m"); + } + + if (need_loop_detach) { + log_info("Detaching loop devices."); + r = loopback_detach_all(&changed, last_try); + if (r == 0) { + need_loop_detach = false; + log_info("All loop devices detached."); + } else if (r > 0) + log_info("Not all loop devices detached, %d left.", r); + else + log_error_errno(r, "Unable to detach loop devices: %m"); + } + + if (need_md_detach) { + log_info("Stopping MD devices."); + r = md_detach_all(&changed, last_try); + if (r == 0) { + need_md_detach = false; + log_info("All MD devices stopped."); + } else if (r > 0) + log_info("Not all MD devices stopped, %d left.", r); + else + log_error_errno(r, "Unable to stop MD devices: %m"); + } + + if (need_dm_detach) { + log_info("Detaching DM devices."); + r = dm_detach_all(&changed, last_try); + if (r == 0) { + need_dm_detach = false; + log_info("All DM devices detached."); + } else if (r > 0) + log_info("Not all DM devices detached, %d left.", r); + else + log_error_errno(r, "Unable to detach DM devices: %m"); + } + + if (!need_umount && !need_swapoff && !need_loop_detach && !need_dm_detach + && !need_md_detach) { + log_info("All filesystems, swaps, loop devices, MD devices and DM devices detached."); + /* Yay, done */ + break; + } + + if (!changed && !last_try && !can_initrd) { + /* There are things we cannot get rid of. Loop one more time in which we will log + * with higher priority to inform the user. Note that we don't need to do this if + * there is an initrd to switch to, because that one is likely to get rid of the + * remaining mounts. If not, it will log about them. */ + last_try = true; + continue; + } + + /* If in this iteration we didn't manage to unmount/deactivate anything, we simply give up */ + if (!changed) { + log_info("Cannot finalize remaining%s%s%s%s%s continuing.", + need_umount ? " file systems," : "", + need_swapoff ? " swap devices," : "", + need_loop_detach ? " loop devices," : "", + need_dm_detach ? " DM devices," : "", + need_md_detach ? " MD devices," : ""); + break; + } + + log_debug("Couldn't finalize remaining %s%s%s%s%s trying again.", + need_umount ? " file systems," : "", + need_swapoff ? " swap devices," : "", + need_loop_detach ? " loop devices," : "", + need_dm_detach ? " DM devices," : "", + need_md_detach ? " MD devices," : ""); + } + + /* We're done with the watchdog. Note that the watchdog is explicitly not stopped here. It remains + * active to guard against any issues during the rest of the shutdown sequence. */ + watchdog_free_device(); + + arguments[0] = NULL; /* Filled in by execute_directories(), when needed */ + arguments[1] = arg_verb; + arguments[2] = NULL; + (void) execute_directories(dirs, DEFAULT_TIMEOUT_USEC, NULL, NULL, arguments, NULL, EXEC_DIR_PARALLEL | EXEC_DIR_IGNORE_ERRORS); + + (void) rlimit_nofile_safe(); + + if (can_initrd) { + r = switch_root_initramfs(); + if (r >= 0) { + argv[0] = (char*) "/shutdown"; + + (void) setsid(); + (void) make_console_stdio(); + + log_info("Successfully changed into root pivot.\n" + "Returning to initrd..."); + + execv("/shutdown", argv); + log_error_errno(errno, "Failed to execute shutdown binary: %m"); + } else + log_error_errno(r, "Failed to switch root to \"/run/initramfs\": %m"); + } + + if (need_umount || need_swapoff || need_loop_detach || need_dm_detach || need_md_detach) + log_error("Unable to finalize remaining%s%s%s%s%s ignoring.", + need_umount ? " file systems," : "", + need_swapoff ? " swap devices," : "", + need_loop_detach ? " loop devices," : "", + need_dm_detach ? " DM devices," : "", + need_md_detach ? " MD devices," : ""); + + /* The kernel will automatically flush ATA disks and suchlike on reboot(), but the file systems need + * to be sync'ed explicitly in advance. So let's do this here, but not needlessly slow down + * containers. Note that we sync'ed things already once above, but we did some more work since then + * which might have caused IO, hence let's do it once more. Do not remove this sync, data corruption + * will result. */ + if (!in_container) + sync_with_progress(); + + if (streq(arg_verb, "exit")) { + if (in_container) { + log_info("Exiting container."); + return arg_exit_code; + } + + cmd = RB_POWER_OFF; /* We cannot exit() on the host, fallback on another method. */ + } + + switch (cmd) { + + case LINUX_REBOOT_CMD_KEXEC: + + if (!in_container) { + /* We cheat and exec kexec to avoid doing all its work */ + log_info("Rebooting with kexec."); + + r = safe_fork("(sd-kexec)", FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_LOG|FORK_WAIT, NULL); + if (r == 0) { + const char * const args[] = { + KEXEC, "-e", NULL + }; + + /* Child */ + + execv(args[0], (char * const *) args); + log_debug_errno(errno, "Failed to execute '" KEXEC "' binary, proceeding with reboot(RB_KEXEC): %m"); + + /* execv failed (kexec binary missing?), so try simply reboot(RB_KEXEC) */ + (void) reboot(cmd); + _exit(EXIT_FAILURE); + } + + /* If we are still running, then the kexec can't have worked, let's fall through */ + } + + cmd = RB_AUTOBOOT; + _fallthrough_; + + case RB_AUTOBOOT: + (void) reboot_with_parameter(REBOOT_LOG); + log_info("Rebooting."); + break; + + case RB_POWER_OFF: + log_info("Powering off."); + break; + + case RB_HALT_SYSTEM: + log_info("Halting system."); + break; + + default: + assert_not_reached(); + } + + (void) reboot(cmd); + if (ERRNO_IS_PRIVILEGE(errno) && in_container) { + /* If we are in a container, and we lacked CAP_SYS_BOOT just exit, this will kill our + * container for good. */ + log_info("Exiting container."); + return EXIT_SUCCESS; + } + + r = log_error_errno(errno, "Failed to invoke reboot(): %m"); + + error: + log_struct_errno(LOG_EMERG, r, + LOG_MESSAGE("Critical error while doing system shutdown: %m"), + "MESSAGE_ID=" SD_MESSAGE_SHUTDOWN_ERROR_STR); + freeze(); +} diff --git a/src/shutdown/test-umount.c b/src/shutdown/test-umount.c new file mode 100644 index 0000000..93da2e0 --- /dev/null +++ b/src/shutdown/test-umount.c @@ -0,0 +1,68 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ + +#include "alloc-util.h" +#include "detach-swap.h" +#include "errno-util.h" +#include "log.h" +#include "path-util.h" +#include "string-util.h" +#include "tests.h" +#include "umount.h" + +static void test_mount_points_list_one(const char *fname) { + _cleanup_(mount_points_list_free) LIST_HEAD(MountPoint, mp_list_head); + _cleanup_free_ char *testdata_fname = NULL; + + log_info("/* %s(\"%s\") */", __func__, fname ?: "/proc/self/mountinfo"); + + if (fname) { + assert_se(get_testdata_dir(fname, &testdata_fname) >= 0); + fname = testdata_fname; + } + + LIST_HEAD_INIT(mp_list_head); + assert_se(mount_points_list_get(fname, &mp_list_head) >= 0); + + LIST_FOREACH(mount_point, m, mp_list_head) + log_debug("path=%s o=%s f=0x%lx try-ro=%s", + m->path, + strempty(m->remount_options), + m->remount_flags, + yes_no(m->try_remount_ro)); +} + +TEST(mount_points_list) { + test_mount_points_list_one(NULL); + test_mount_points_list_one("/test-umount/empty.mountinfo"); + test_mount_points_list_one("/test-umount/garbled.mountinfo"); + test_mount_points_list_one("/test-umount/rhbug-1554943.mountinfo"); +} + +static void test_swap_list_one(const char *fname) { + _cleanup_(swap_devices_list_free) LIST_HEAD(SwapDevice, sd_list_head); + _cleanup_free_ char *testdata_fname = NULL; + int r; + + log_info("/* %s(\"%s\") */", __func__, fname ?: "/proc/swaps"); + + if (fname) { + assert_se(get_testdata_dir(fname, &testdata_fname) >= 0); + fname = testdata_fname; + } + + LIST_HEAD_INIT(sd_list_head); + r = swap_list_get(fname, &sd_list_head); + if (ERRNO_IS_PRIVILEGE(r)) + return; + assert_se(r >= 0); + + LIST_FOREACH(swap_device, m, sd_list_head) + log_debug("path=%s", m->path); +} + +TEST(swap_list) { + test_swap_list_one(NULL); + test_swap_list_one("/test-umount/example.swaps"); +} + +DEFINE_TEST_MAIN(LOG_DEBUG); diff --git a/src/shutdown/umount.c b/src/shutdown/umount.c new file mode 100644 index 0000000..1a9b99d --- /dev/null +++ b/src/shutdown/umount.c @@ -0,0 +1,494 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <errno.h> +#include <fcntl.h> +#include <sys/mount.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> + +#include "alloc-util.h" +#include "chase.h" +#include "dirent-util.h" +#include "fd-util.h" +#include "fileio.h" +#include "fs-util.h" +#include "fstab-util.h" +#include "libmount-util.h" +#include "mkdir.h" +#include "mount-setup.h" +#include "mount-util.h" +#include "mountpoint-util.h" +#include "parse-util.h" +#include "process-util.h" +#include "random-util.h" +#include "signal-util.h" +#include "umount.h" +#include "virt.h" + +static void mount_point_free(MountPoint **head, MountPoint *m) { + assert(head); + assert(m); + + LIST_REMOVE(mount_point, *head, m); + + free(m->path); + free(m->remount_options); + free(m); +} + +void mount_points_list_free(MountPoint **head) { + assert(head); + + while (*head) + mount_point_free(head, *head); +} + +int mount_points_list_get(const char *mountinfo, MountPoint **head) { + _cleanup_(mnt_free_tablep) struct libmnt_table *table = NULL; + _cleanup_(mnt_free_iterp) struct libmnt_iter *iter = NULL; + int r; + + assert(head); + + r = libmount_parse(mountinfo, NULL, &table, &iter); + if (r < 0) + return log_error_errno(r, "Failed to parse %s: %m", mountinfo ?: "/proc/self/mountinfo"); + + for (;;) { + _cleanup_free_ char *options = NULL, *remount_options = NULL; + struct libmnt_fs *fs; + const char *path, *fstype; + unsigned long remount_flags = 0u; + bool try_remount_ro, is_api_vfs; + _cleanup_free_ MountPoint *m = NULL; + + r = mnt_table_next_fs(table, iter, &fs); + if (r == 1) /* EOF */ + break; + if (r < 0) + return log_error_errno(r, "Failed to get next entry from %s: %m", mountinfo ?: "/proc/self/mountinfo"); + + path = mnt_fs_get_target(fs); + if (!path) + continue; + + fstype = mnt_fs_get_fstype(fs); + + /* Combine the generic VFS options with the FS-specific options. Duplicates are not a problem + * here, because the only options that should come up twice are typically ro/rw, which are + * turned into MS_RDONLY or the inversion of it. + * + * Even if there are duplicates later in mount_option_mangle() they shouldn't hurt anyways as + * they override each other. */ + if (!strextend_with_separator(&options, ",", mnt_fs_get_vfs_options(fs))) + return log_oom(); + if (!strextend_with_separator(&options, ",", mnt_fs_get_fs_options(fs))) + return log_oom(); + + /* Ignore mount points we can't unmount because they are API or because we are keeping them + * open (like /dev/console). Also, ignore all mounts below API file systems, since they are + * likely virtual too, and hence not worth spending time on. Also, in unprivileged containers + * we might lack the rights to unmount these things, hence don't bother. */ + if (mount_point_is_api(path) || + mount_point_ignore(path) || + PATH_STARTSWITH_SET(path, "/dev", "/sys", "/proc")) + continue; + + is_api_vfs = fstype_is_api_vfs(fstype); + + /* If we are in a container, don't attempt to read-only mount anything as that brings no real + * benefits, but might confuse the host, as we remount the superblock here, not the bind + * mount. + * + * If the filesystem is a network fs, also skip the remount. It brings no value (we cannot + * leave a "dirty fs") and could hang if the network is down. Note that umount2() is more + * careful and will not hang because of the network being down. */ + try_remount_ro = detect_container() <= 0 && + !fstype_is_network(fstype) && + !is_api_vfs && + !fstype_is_ro(fstype) && + !fstab_test_yes_no_option(options, "ro\0rw\0"); + + if (try_remount_ro) { + /* mount(2) states that mount flags and options need to be exactly the same as they + * were when the filesystem was mounted, except for the desired changes. So we + * reconstruct both here and adjust them for the later remount call too. */ + + r = mnt_fs_get_propagation(fs, &remount_flags); + if (r < 0) { + log_warning_errno(r, "mnt_fs_get_propagation() failed for %s, ignoring: %m", path); + continue; + } + + r = mount_option_mangle(options, remount_flags, &remount_flags, &remount_options); + if (r < 0) { + log_warning_errno(r, "mount_option_mangle failed for %s, ignoring: %m", path); + continue; + } + + /* MS_BIND is special. If it is provided it will only make the mount-point + * read-only. If left out, the super block itself is remounted, which we want. */ + remount_flags = (remount_flags|MS_REMOUNT|MS_RDONLY) & ~MS_BIND; + } + + m = new(MountPoint, 1); + if (!m) + return log_oom(); + + r = libmount_is_leaf(table, fs); + if (r < 0) + return log_error_errno(r, "Failed to get children mounts for %s from %s: %m", path, mountinfo ?: "/proc/self/mountinfo"); + bool leaf = r; + + *m = (MountPoint) { + .remount_options = remount_options, + .remount_flags = remount_flags, + .try_remount_ro = try_remount_ro, + + /* Unmount sysfs/procfs/… lazily, since syncing doesn't matter there, and it's OK if + * something keeps an fd open to it. */ + .umount_lazily = is_api_vfs, + .leaf = leaf, + }; + + m->path = strdup(path); + if (!m->path) + return log_oom(); + + TAKE_PTR(remount_options); + + LIST_PREPEND(mount_point, *head, TAKE_PTR(m)); + } + + return 0; +} + +static bool nonunmountable_path(const char *path) { + assert(path); + + return PATH_IN_SET(path, "/", "/usr") || + path_startswith(path, "/run/initramfs"); +} + +static void log_umount_blockers(const char *mnt) { + _cleanup_free_ char *blockers = NULL; + int r; + + _cleanup_closedir_ DIR *dir = opendir("/proc"); + if (!dir) + return (void) log_warning_errno(errno, "Failed to open /proc/: %m"); + + FOREACH_DIRENT_ALL(de, dir, break) { + if (!IN_SET(de->d_type, DT_DIR, DT_UNKNOWN)) + continue; + + pid_t pid; + if (parse_pid(de->d_name, &pid) < 0) + continue; + + _cleanup_free_ char *fdp = path_join(de->d_name, "fd"); + if (!fdp) + return (void) log_oom(); + + _cleanup_closedir_ DIR *fd_dir = xopendirat(dirfd(dir), fdp, 0); + if (!fd_dir) { + if (errno != ENOENT) /* process gone by now? */ + log_debug_errno(errno, "Failed to open /proc/%s/, ignoring: %m",fdp); + continue; + } + + bool culprit = false; + FOREACH_DIRENT(fd_de, fd_dir, break) { + _cleanup_free_ char *open_file = NULL; + + r = readlinkat_malloc(dirfd(fd_dir), fd_de->d_name, &open_file); + if (r < 0) { + if (r != -ENOENT) /* fd closed by now */ + log_debug_errno(r, "Failed to read link /proc/%s/%s, ignoring: %m", fdp, fd_de->d_name); + continue; + } + + if (path_startswith(open_file, mnt)) { + culprit = true; + break; + } + } + + if (!culprit) + continue; + + _cleanup_free_ char *comm = NULL; + r = pid_get_comm(pid, &comm); + if (r < 0) { + if (r != -ESRCH) /* process gone by now */ + log_debug_errno(r, "Failed to read process name of PID " PID_FMT ": %m", pid); + continue; + } + + if (!strextend_with_separator(&blockers, ", ", comm)) + return (void) log_oom(); + + if (!strextend(&blockers, "(", de->d_name, ")")) + return (void) log_oom(); + } + + if (blockers) + log_warning("Unmounting '%s' blocked by: %s", mnt, blockers); +} + +static int remount_with_timeout(MountPoint *m, bool last_try) { + _cleanup_close_pair_ int pfd[2] = EBADF_PAIR; + _cleanup_(sigkill_nowaitp) pid_t pid = 0; + int r; + + BLOCK_SIGNALS(SIGCHLD); + + assert(m); + + r = pipe2(pfd, O_CLOEXEC|O_NONBLOCK); + if (r < 0) + return r; + + /* Due to the possibility of a remount operation hanging, we fork a child process and set a + * timeout. If the timeout lapses, the assumption is that the particular remount failed. */ + r = safe_fork_full("(sd-remount)", + NULL, + pfd, ELEMENTSOF(pfd), + FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_LOG|FORK_REOPEN_LOG, &pid); + if (r < 0) + return r; + if (r == 0) { + pfd[0] = safe_close(pfd[0]); + + log_info("Remounting '%s' read-only with options '%s'.", m->path, strempty(m->remount_options)); + + /* Start the mount operation here in the child */ + r = mount(NULL, m->path, NULL, m->remount_flags, m->remount_options); + if (r < 0) + log_full_errno(last_try ? LOG_ERR : LOG_INFO, + errno, + "Failed to remount '%s' read-only: %m", + m->path); + + (void) write(pfd[1], &r, sizeof(r)); /* try to send errno up */ + _exit(r < 0 ? EXIT_FAILURE : EXIT_SUCCESS); + } + + pfd[1] = safe_close(pfd[1]); + + r = wait_for_terminate_with_timeout(pid, DEFAULT_TIMEOUT_USEC); + if (r == -ETIMEDOUT) + log_error_errno(r, "Remounting '%s' timed out, issuing SIGKILL to PID " PID_FMT ".", m->path, pid); + else if (r == -EPROTO) { + /* Try to read error code from child */ + if (read(pfd[0], &r, sizeof(r)) == sizeof(r)) + log_debug_errno(r, "Remounting '%s' failed abnormally, child process " PID_FMT " failed: %m", m->path, pid); + else + r = log_debug_errno(EPROTO, "Remounting '%s' failed abnormally, child process " PID_FMT " aborted or exited non-zero.", m->path, pid); + TAKE_PID(pid); /* child exited (just not as we expected) hence don't kill anymore */ + } else if (r < 0) + log_error_errno(r, "Remounting '%s' failed unexpectedly, couldn't wait for child process " PID_FMT ": %m", m->path, pid); + + return r; +} + +static int umount_with_timeout(MountPoint *m, bool last_try) { + _cleanup_close_pair_ int pfd[2] = EBADF_PAIR; + _cleanup_(sigkill_nowaitp) pid_t pid = 0; + int r; + + BLOCK_SIGNALS(SIGCHLD); + + assert(m); + + r = pipe2(pfd, O_CLOEXEC|O_NONBLOCK); + if (r < 0) + return r; + + /* Due to the possibility of a umount operation hanging, we fork a child process and set a + * timeout. If the timeout lapses, the assumption is that the particular umount failed. */ + r = safe_fork_full("(sd-umount)", + NULL, + pfd, ELEMENTSOF(pfd), + FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_LOG|FORK_REOPEN_LOG, &pid); + if (r < 0) + return r; + if (r == 0) { + pfd[0] = safe_close(pfd[0]); + + log_info("Unmounting '%s'.", m->path); + + /* Start the mount operation here in the child Using MNT_FORCE causes some filesystems + * (e.g. FUSE and NFS and other network filesystems) to abort any pending requests and return + * -EIO rather than blocking indefinitely. If the filesysten is "busy", this may allow + * processes to die, thus making the filesystem less busy so the unmount might succeed + * (rather than return EBUSY). */ + r = RET_NERRNO(umount2(m->path, + UMOUNT_NOFOLLOW | /* Don't follow symlinks: this should never happen unless our mount list was wrong */ + (m->umount_lazily ? MNT_DETACH : MNT_FORCE))); + if (r < 0) { + log_full_errno(last_try ? LOG_ERR : LOG_INFO, r, "Failed to unmount %s: %m", m->path); + + if (r == -EBUSY && last_try) + log_umount_blockers(m->path); + } + + (void) write(pfd[1], &r, sizeof(r)); /* try to send errno up */ + _exit(r < 0 ? EXIT_FAILURE : EXIT_SUCCESS); + } + + pfd[1] = safe_close(pfd[1]); + + r = wait_for_terminate_with_timeout(pid, DEFAULT_TIMEOUT_USEC); + if (r == -ETIMEDOUT) + log_error_errno(r, "Unmounting '%s' timed out, issuing SIGKILL to PID " PID_FMT ".", m->path, pid); + else if (r == -EPROTO) { + /* Try to read error code from child */ + if (read(pfd[0], &r, sizeof(r)) == sizeof(r)) + log_debug_errno(r, "Unmounting '%s' failed abnormally, child process " PID_FMT " failed: %m", m->path, pid); + else + r = log_debug_errno(EPROTO, "Unmounting '%s' failed abnormally, child process " PID_FMT " aborted or exited non-zero.", m->path, pid); + TAKE_PID(pid); /* It died, but abnormally, no purpose in killing */ + } else if (r < 0) + log_error_errno(r, "Unmounting '%s' failed unexpectedly, couldn't wait for child process " PID_FMT ": %m", m->path, pid); + + return r; +} + +/* This includes remounting readonly, which changes the kernel mount options. Therefore the list passed to + * this function is invalidated, and should not be reused. */ +static int mount_points_list_umount(MountPoint **head, bool *changed, bool last_try) { + int n_failed = 0, r; + _cleanup_free_ char *resolved_mounts_path = NULL; + + assert(head); + assert(changed); + + LIST_FOREACH(mount_point, m, *head) { + if (m->try_remount_ro) { + /* We always try to remount directories read-only first, before we go on and umount + * them. + * + * Mount points can be stacked. If a mount point is stacked below / or /usr, we + * cannot umount or remount it directly, since there is no way to refer to the + * underlying mount. There's nothing we can do about it for the general case, but we + * can do something about it if it is aliased somewhere else via a bind mount. If we + * explicitly remount the super block of that alias read-only we hence should be + * relatively safe regarding keeping a dirty fs we cannot otherwise see. + * + * Since the remount can hang in the instance of remote filesystems, we remount + * asynchronously and skip the subsequent umount if it fails. */ + if (remount_with_timeout(m, last_try) < 0) { + /* Remount failed, but try unmounting anyway, + * unless this is a mount point we want to skip. */ + if (nonunmountable_path(m->path)) { + n_failed++; + continue; + } + } + } + + /* Skip / and /usr since we cannot unmount that anyway, since we are running from it. They + * have already been remounted ro. */ + if (nonunmountable_path(m->path)) + continue; + + /* Trying to umount */ + r = umount_with_timeout(m, last_try); + if (r < 0) + n_failed++; + else + *changed = true; + + /* If a mount is busy, we move it to not keep parent mount points busy. + * If a mount point is not a leaf, moving it would invalidate our mount table. + * More moving will occur in next iteration with a fresh mount table. + */ + if (r != -EBUSY || !m->leaf) + continue; + + _cleanup_free_ char *dirname = NULL; + + r = path_extract_directory(m->path, &dirname); + if (r < 0) { + n_failed++; + log_full_errno(last_try ? LOG_ERR : LOG_INFO, r, "Cannot find directory for %s: %m", m->path); + continue; + } + + /* We need to canonicalize /run/shutdown/mounts. We cannot compare inodes, since /run + * might be bind mounted somewhere we want to unmount. And we need to move all mounts in + * /run/shutdown/mounts from there. + */ + if (!resolved_mounts_path) + (void) chase("/run/shutdown/mounts", NULL, 0, &resolved_mounts_path, NULL); + if (!path_equal(dirname, resolved_mounts_path)) { + char newpath[STRLEN("/run/shutdown/mounts/") + 16 + 1]; + + xsprintf(newpath, "/run/shutdown/mounts/%016" PRIx64, random_u64()); + + /* on error of is_dir, assume directory */ + if (is_dir(m->path, true) != 0) { + r = mkdir_p(newpath, 0000); + if (r < 0) { + log_full_errno(last_try ? LOG_ERR : LOG_INFO, r, "Could not create directory %s: %m", newpath); + continue; + } + } else { + r = touch_file(newpath, /* parents= */ true, USEC_INFINITY, UID_INVALID, GID_INVALID, 0700); + if (r < 0) { + log_full_errno(last_try ? LOG_ERR : LOG_INFO, r, "Could not create file %s: %m", newpath); + continue; + } + } + + log_info("Moving mount %s to %s.", m->path, newpath); + + r = RET_NERRNO(mount(m->path, newpath, NULL, MS_MOVE, NULL)); + if (r < 0) { + n_failed++; + log_full_errno(last_try ? LOG_ERR : LOG_INFO, r, "Could not move %s to %s: %m", m->path, newpath); + } else + *changed = true; + } + } + + return n_failed; +} + +static int umount_all_once(bool *changed, bool last_try) { + _cleanup_(mount_points_list_free) LIST_HEAD(MountPoint, mp_list_head); + int r; + + assert(changed); + + LIST_HEAD_INIT(mp_list_head); + r = mount_points_list_get(NULL, &mp_list_head); + if (r < 0) + return r; + + return mount_points_list_umount(&mp_list_head, changed, last_try); +} + +int umount_all(bool *changed, bool last_try) { + bool umount_changed; + int r; + + assert(changed); + + /* Retry umount, until nothing can be umounted anymore. Mounts are processed in order, newest + * first. The retries are needed when an old mount has been moved, to a path inside a newer mount. */ + do { + umount_changed = false; + + r = umount_all_once(&umount_changed, last_try); + if (umount_changed) + *changed = true; + } while (umount_changed); + + return r; +} diff --git a/src/shutdown/umount.h b/src/shutdown/umount.h new file mode 100644 index 0000000..f8f9ae8 --- /dev/null +++ b/src/shutdown/umount.h @@ -0,0 +1,26 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +#pragma once + +/*** + Copyright © 2010 ProFUSION embedded systems +***/ + +#include <stdbool.h> + +#include "list.h" + +int umount_all(bool *changed, bool last_try); + +/* This is exported just for testing */ +typedef struct MountPoint { + char *path; + char *remount_options; + unsigned long remount_flags; + bool try_remount_ro; + bool umount_lazily; + bool leaf; + LIST_FIELDS(struct MountPoint, mount_point); +} MountPoint; + +int mount_points_list_get(const char *mountinfo, MountPoint **head); +void mount_points_list_free(MountPoint **head); |