1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
|
#--
# Author:: Daniel DeLeo (<dan@opscode.com>)
# Copyright:: Copyright (c) 2010, 2011 Opscode, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module Mixlib
class ShellOut
module Unix
# "1.8.7" as a frozen string. We use this with a hack that disables GC to
# avoid segfaults on Ruby 1.8.7, so we need to allocate the fewest
# objects we possibly can.
ONE_DOT_EIGHT_DOT_SEVEN = "1.8.7".freeze
# Option validation that is unix specific
def validate_options(opts)
# No options to validate, raise exceptions here if needed
end
# Whether we're simulating a login shell
def using_login?
return login && user
end
# Helper method for sgids
def all_seconderies
ret = []
Etc.endgrent
while ( g = Etc.getgrent ) do
ret << g
end
Etc.endgrent
return ret
end
# The secondary groups that the subprocess will switch to.
# Currently valid only if login is used, and is set
# to the user's secondary groups
def sgids
return nil unless using_login?
user_name = Etc.getpwuid(uid).name
all_seconderies.select{|g| g.mem.include?(user_name)}.map{|g|g.gid}
end
# The environment variables that are deduced from simulating logon
# Only valid if login is used
def logon_environment
return {} unless using_login?
entry = Etc.getpwuid(uid)
# According to `man su`, the set fields are:
# $HOME, $SHELL, $USER, $LOGNAME, $PATH, and $IFS
# Values are copied from "shadow" package in Ubuntu 14.10
{'HOME'=>entry.dir, 'SHELL'=>entry.shell, 'USER'=>entry.name, 'LOGNAME'=>entry.name, 'PATH'=>'/sbin:/bin:/usr/sbin:/usr/bin', 'IFS'=>"\t\n"}
end
# Merges the two environments for the process
def process_environment
logon_environment.merge(self.environment)
end
# Run the command, writing the command's standard out and standard error
# to +stdout+ and +stderr+, and saving its exit status object to +status+
# === Returns
# returns +self+; +stdout+, +stderr+, +status+, and +exitstatus+ will be
# populated with results of the command.
# === Raises
# * Errno::EACCES when you are not privileged to execute the command
# * Errno::ENOENT when the command is not available on the system (or not
# in the current $PATH)
# * Chef::Exceptions::CommandTimeout when the command does not complete
# within +timeout+ seconds (default: 600s). When this happens, ShellOut
# will send a TERM and then KILL to the entire process group to ensure
# that any grandchild processes are terminated. If the invocation of
# the child process spawned multiple child processes (which commonly
# happens if the command is passed as a single string to be interpreted
# by bin/sh, and bin/sh is not bash), the exit status object may not
# contain the correct exit code of the process (of course there is no
# exit code if the command is killed by SIGKILL, also).
def run_command
@child_pid = fork_subprocess
@reaped = false
configure_parent_process_file_descriptors
# Ruby 1.8.7 and 1.8.6 from mid 2009 try to allocate objects during GC
# when calling IO.select and IO#read. Disabling GC works around the
# segfault, but obviously it's a bad workaround. We no longer support
# 1.8.6 so we only need this hack for 1.8.7.
GC.disable if RUBY_VERSION == ONE_DOT_EIGHT_DOT_SEVEN
# CHEF-3390: Marshall.load on Ruby < 1.8.7p369 also has a GC bug related
# to Marshall.load, so try disabling GC first.
propagate_pre_exec_failure
@status = nil
@result = nil
@execution_time = 0
write_to_child_stdin
until @status
ready_buffers = attempt_buffer_read
unless ready_buffers
@execution_time += READ_WAIT_TIME
if @execution_time >= timeout && !@result
# kill the bad proccess
reap_errant_child
# read anything it wrote when we killed it
attempt_buffer_read
# raise
raise CommandTimeout, "Command timed out after #{@execution_time.to_i}s:\n#{format_for_exception}"
end
end
attempt_reap
end
self
rescue Errno::ENOENT
# When ENOENT happens, we can be reasonably sure that the child process
# is going to exit quickly, so we use the blocking variant of waitpid2
reap
raise
ensure
reap_errant_child if should_reap?
# make one more pass to get the last of the output after the
# child process dies
attempt_buffer_read
# no matter what happens, turn the GC back on, and hope whatever busted
# version of ruby we're on doesn't allocate some objects during the next
# GC run.
GC.enable
close_all_pipes
end
private
def set_user
if user
Process.uid = uid
Process.euid = uid
end
end
def set_group
if group
Process.egid = gid
Process.gid = gid
end
end
def set_secondarygroups
if sgids
Process.groups = sgids
end
end
def set_environment
# user-set variables should override the login ones
process_environment.each do |env_var,value|
ENV[env_var] = value
end
end
def set_umask
File.umask(umask) if umask
end
def set_cwd
Dir.chdir(cwd) if cwd
end
# Since we call setsid the child_pgid will be the child_pid, set to negative here
# so it can be directly used in arguments to kill, wait, etc.
def child_pgid
-@child_pid
end
def initialize_ipc
@stdin_pipe, @stdout_pipe, @stderr_pipe, @process_status_pipe = IO.pipe, IO.pipe, IO.pipe, IO.pipe
@process_status_pipe.last.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC)
end
def child_stdin
@stdin_pipe[1]
end
def child_stdout
@stdout_pipe[0]
end
def child_stderr
@stderr_pipe[0]
end
def child_process_status
@process_status_pipe[0]
end
def close_all_pipes
child_stdin.close unless child_stdin.closed?
child_stdout.close unless child_stdout.closed?
child_stderr.close unless child_stderr.closed?
child_process_status.close unless child_process_status.closed?
end
# Replace stdout, and stderr with pipes to the parent, and close the
# reader side of the error marshaling side channel.
#
# If there is no input, close STDIN so when we exec,
# the new program will know it's never getting input ever.
def configure_subprocess_file_descriptors
process_status_pipe.first.close
# HACK: for some reason, just STDIN.close isn't good enough when running
# under ruby 1.9.2, so make it good enough:
stdin_pipe.last.close
STDIN.reopen stdin_pipe.first
stdin_pipe.first.close unless input
stdout_pipe.first.close
STDOUT.reopen stdout_pipe.last
stdout_pipe.last.close
stderr_pipe.first.close
STDERR.reopen stderr_pipe.last
stderr_pipe.last.close
STDOUT.sync = STDERR.sync = true
STDIN.sync = true if input
end
def configure_parent_process_file_descriptors
# Close the sides of the pipes we don't care about
stdin_pipe.first.close
stdin_pipe.last.close unless input
stdout_pipe.last.close
stderr_pipe.last.close
process_status_pipe.last.close
# Get output as it happens rather than buffered
child_stdin.sync = true if input
child_stdout.sync = true
child_stderr.sync = true
true
end
# Some patch levels of ruby in wide use (in particular the ruby 1.8.6 on OSX)
# segfault when you IO.select a pipe that's reached eof. Weak sauce.
def open_pipes
@open_pipes ||= [child_stdout, child_stderr, child_process_status]
end
# Keep this unbuffered for now
def write_to_child_stdin
return unless input
child_stdin << input
child_stdin.close # Kick things off
end
def attempt_buffer_read
ready = IO.select(open_pipes, nil, nil, READ_WAIT_TIME)
if ready
read_stdout_to_buffer if ready.first.include?(child_stdout)
read_stderr_to_buffer if ready.first.include?(child_stderr)
read_process_status_to_buffer if ready.first.include?(child_process_status)
end
ready
end
def read_stdout_to_buffer
while chunk = child_stdout.read_nonblock(READ_SIZE)
@stdout << chunk
@live_stdout << chunk if @live_stdout
end
rescue Errno::EAGAIN
rescue EOFError
open_pipes.delete(child_stdout)
end
def read_stderr_to_buffer
while chunk = child_stderr.read_nonblock(READ_SIZE)
@stderr << chunk
@live_stderr << chunk if @live_stderr
end
rescue Errno::EAGAIN
rescue EOFError
open_pipes.delete(child_stderr)
end
def read_process_status_to_buffer
while chunk = child_process_status.read_nonblock(READ_SIZE)
@process_status << chunk
end
rescue Errno::EAGAIN
rescue EOFError
open_pipes.delete(child_process_status)
end
def fork_subprocess
initialize_ipc
fork do
# Child processes may themselves fork off children. A common case
# is when the command is given as a single string (instead of
# command name plus Array of arguments) and /bin/sh does not
# support the "ONESHOT" optimization (where sh -c does exec without
# forking). To support cleaning up all the children, we need to
# ensure they're in a unique process group.
#
# We use setsid here to abandon our controlling tty and get a new session
# and process group that are set to the pid of the child process.
Process.setsid
configure_subprocess_file_descriptors
set_secondarygroups
set_group
set_user
set_environment
set_umask
set_cwd
begin
command.kind_of?(Array) ? exec(*command, :close_others=>true) : exec(command, :close_others=>true)
raise 'forty-two' # Should never get here
rescue Exception => e
Marshal.dump(e, process_status_pipe.last)
process_status_pipe.last.flush
end
process_status_pipe.last.close unless (process_status_pipe.last.closed?)
exit!
end
end
# Attempt to get a Marshaled error from the side-channel.
# If it's there, un-marshal it and raise. If it's not there,
# assume everything went well.
def propagate_pre_exec_failure
begin
attempt_buffer_read until child_process_status.eof?
e = Marshal.load(@process_status)
raise(Exception === e ? e : "unknown failure: #{e.inspect}")
rescue ArgumentError # If we get an ArgumentError error, then the exec was successful
true
ensure
child_process_status.close
open_pipes.delete(child_process_status)
end
end
def reap_errant_child
return if attempt_reap
@terminate_reason = "Command exceeded allowed execution time, process terminated"
logger.error("Command exceeded allowed execution time, sending TERM") if logger
Process.kill(:TERM, child_pgid)
sleep 3
attempt_reap
logger.error("Command exceeded allowed execution time, sending KILL") if logger
Process.kill(:KILL, child_pgid)
reap
# Should not hit this but it's possible if something is calling waitall
# in a separate thread.
rescue Errno::ESRCH
nil
end
def should_reap?
# if we fail to fork, no child pid so nothing to reap
@child_pid && !@reaped
end
# Unconditionally reap the child process. This is used in scenarios where
# we can be confident the child will exit quickly, and has not spawned
# and grandchild processes.
def reap
results = Process.waitpid2(@child_pid)
@reaped = true
@status = results.last
rescue Errno::ECHILD
# When cleaning up timed-out processes, we might send SIGKILL to the
# whole process group after we've cleaned up the direct child. In that
# case the grandchildren will have been adopted by init so we can't
# reap them even if we wanted to (we don't).
nil
end
# Try to reap the child process but don't block if it isn't dead yet.
def attempt_reap
if results = Process.waitpid2(@child_pid, Process::WNOHANG)
@reaped = true
@status = results.last
else
nil
end
end
end
end
end
|