/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-runner.xml

  • Committer: Teddy Hogeborn
  • Date: 2015-05-23 20:18:34 UTC
  • mto: This revision was merged to the branch mainline in revision 756.
  • Revision ID: teddy@recompile.se-20150523201834-e89ex4ito93yni8x
mandos: Use multiprocessing module to run checkers.

For a long time, the Mandos server has occasionally logged the message
"ERROR: Child process vanished".  This was never a fatal error, but it
has been annoying and slightly worrying, since a definite cause was
not found.  One potential cause could be the "multiprocessing" and
"subprocess" modules conflicting w.r.t. SIGCHLD.  To avoid this,
change the running of checkers from using subprocess.Popen
asynchronously to instead first create a multiprocessing.Process()
(which is asynchronous) calling a function, and have that function
then call subprocess.call() (which is synchronous).  In this way, the
only thing using any asynchronous subprocesses is the multiprocessing
module.

This makes it necessary to change one small thing in the D-Bus API,
since the subprocesses.call() function does not expose the raw wait(2)
status value.

DBUS-API (CheckerCompleted): Change the second value provided by this
                             D-Bus signal from the raw wait(2) status
                             to the actual terminating signal number.
mandos (subprocess_call_pipe): New function to be called by
                               multiprocessing.Process (starting a
                               separate process).
(Client.last_checker signal): New attribute for signal which
                              terminated last checker.  Like
                              last_checker_status, only not accessible
                              via D-Bus.
(Client.checker_callback): Take new "connection" argument and use it
                           to get returncode; set last_checker_signal.
                           Return False so gobject does not call this
                           callback again.
(Client.start_checker): Start checker using a multiprocessing.Process
                        instead of a subprocess.Popen.
(ClientDBus.checker_callback): Take new "connection" argument.        Call
                               Client.checker_callback early to have
                               it set last_checker_status and
                               last_checker_signal; use those.  Change
                               second value provided to D-Bus signal
                               CheckerCompleted to use
                               last_checker_signal if checker was
                               terminated by signal.
mandos-monitor: Update to reflect DBus API change.
(MandosClientWidget.checker_completed): Take "signal" instead of
                                        "condition" argument.  Use it
                                        accordingly.  Remove dead code
                                        (os.WCOREDUMP case).

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
 
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "plugin-runner">
6
 
<!ENTITY TIMESTAMP "2008-09-05">
 
5
<!ENTITY TIMESTAMP "2012-01-01">
 
6
<!ENTITY % common SYSTEM "common.ent">
 
7
%common;
7
8
]>
8
9
 
9
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
12
    <title>Mandos Manual</title>
12
13
    <!-- Nwalsh’s docbook scripts use this to generate the footer: -->
13
14
    <productname>Mandos</productname>
14
 
    <productnumber>&VERSION;</productnumber>
 
15
    <productnumber>&version;</productnumber>
15
16
    <date>&TIMESTAMP;</date>
16
17
    <authorgroup>
17
18
      <author>
18
19
        <firstname>Björn</firstname>
19
20
        <surname>Påhlsson</surname>
20
21
        <address>
21
 
          <email>belorn@fukt.bsnet.se</email>
 
22
          <email>belorn@recompile.se</email>
22
23
        </address>
23
24
      </author>
24
25
      <author>
25
26
        <firstname>Teddy</firstname>
26
27
        <surname>Hogeborn</surname>
27
28
        <address>
28
 
          <email>teddy@fukt.bsnet.se</email>
 
29
          <email>teddy@recompile.se</email>
29
30
        </address>
30
31
      </author>
31
32
    </authorgroup>
32
33
    <copyright>
33
34
      <year>2008</year>
 
35
      <year>2009</year>
 
36
      <year>2012</year>
34
37
      <holder>Teddy Hogeborn</holder>
35
38
      <holder>Björn Påhlsson</holder>
36
39
    </copyright>
37
40
    <xi:include href="legalnotice.xml"/>
38
41
  </refentryinfo>
39
 
 
 
42
  
40
43
  <refmeta>
41
44
    <refentrytitle>&COMMANDNAME;</refentrytitle>
42
45
    <manvolnum>8mandos</manvolnum>
48
51
      Run Mandos plugins, pass data from first to succeed.
49
52
    </refpurpose>
50
53
  </refnamediv>
51
 
 
 
54
  
52
55
  <refsynopsisdiv>
53
56
    <cmdsynopsis>
54
57
      <command>&COMMANDNAME;</command>
55
58
      <group rep="repeat">
56
59
        <arg choice="plain"><option>--global-env=<replaceable
57
 
        >VAR</replaceable><literal>=</literal><replaceable
 
60
        >ENV</replaceable><literal>=</literal><replaceable
58
61
        >value</replaceable></option></arg>
59
62
        <arg choice="plain"><option>-G
60
 
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
 
63
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
61
64
        >value</replaceable> </option></arg>
62
65
      </group>
63
66
      <sbr/>
170
173
    <variablelist>
171
174
      <varlistentry>
172
175
        <term><option>--global-env
173
 
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
 
176
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
174
177
        >value</replaceable></option></term>
175
178
        <term><option>-G
176
 
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
 
179
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
177
180
        >value</replaceable></option></term>
178
181
        <listitem>
179
182
          <para>
247
250
          </para>
248
251
        </listitem>
249
252
      </varlistentry>
250
 
 
 
253
      
251
254
      <varlistentry>
252
255
        <term><option>--disable
253
256
        <replaceable>PLUGIN</replaceable></option></term>
258
261
            Disable the plugin named
259
262
            <replaceable>PLUGIN</replaceable>.  The plugin will not be
260
263
            started.
261
 
          </para>       
 
264
          </para>
262
265
        </listitem>
263
266
      </varlistentry>
264
 
 
 
267
      
265
268
      <varlistentry>
266
269
        <term><option>--enable
267
270
        <replaceable>PLUGIN</replaceable></option></term>
276
279
          </para>
277
280
        </listitem>
278
281
      </varlistentry>
279
 
 
 
282
      
280
283
      <varlistentry>
281
284
        <term><option>--groupid
282
285
        <replaceable>ID</replaceable></option></term>
289
292
          </para>
290
293
        </listitem>
291
294
      </varlistentry>
292
 
 
 
295
      
293
296
      <varlistentry>
294
297
        <term><option>--userid
295
298
        <replaceable>ID</replaceable></option></term>
302
305
          </para>
303
306
        </listitem>
304
307
      </varlistentry>
305
 
 
 
308
      
306
309
      <varlistentry>
307
310
        <term><option>--plugin-dir
308
311
        <replaceable>DIRECTORY</replaceable></option></term>
365
368
          </para>
366
369
        </listitem>
367
370
      </varlistentry>
368
 
 
 
371
      
369
372
      <varlistentry>
370
373
        <term><option>--version</option></term>
371
374
        <term><option>-V</option></term>
377
380
      </varlistentry>
378
381
    </variablelist>
379
382
  </refsect1>
380
 
 
 
383
  
381
384
  <refsect1 id="overview">
382
385
    <title>OVERVIEW</title>
383
386
    <xi:include href="overview.xml"/>
403
406
      code will make this plugin-runner output the password from that
404
407
      plugin, stop any other plugins, and exit.
405
408
    </para>
406
 
 
 
409
    
407
410
    <refsect2 id="writing_plugins">
408
411
      <title>WRITING PLUGINS</title>
409
412
      <para>
416
419
        console.
417
420
      </para>
418
421
      <para>
 
422
        If the password is a single-line, manually entered passprase,
 
423
        a final trailing newline character should
 
424
        <emphasis>not</emphasis> be printed.
 
425
      </para>
 
426
      <para>
419
427
        The plugin will run in the initial RAM disk environment, so
420
428
        care must be taken not to depend on any files or running
421
429
        services not available there.
566
574
      <para>
567
575
        Run plugins from a different directory, read a different
568
576
        configuration file, and add two options to the
569
 
        <citerefentry><refentrytitle >password-request</refentrytitle>
 
577
        <citerefentry><refentrytitle >mandos-client</refentrytitle>
570
578
        <manvolnum>8mandos</manvolnum></citerefentry> plugin:
571
579
      </para>
572
580
      <para>
573
581
 
574
582
<!-- do not wrap this line -->
575
 
<userinput>&COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=password-request:--pubkey=/etc/keys/mandos/pubkey.txt,--seckey=/etc/keys/mandos/seckey.txt</userinput>
 
583
<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>
576
584
 
577
585
      </para>
578
586
    </informalexample>
610
618
  <refsect1 id="see_also">
611
619
    <title>SEE ALSO</title>
612
620
    <para>
 
621
      <citerefentry><refentrytitle>intro</refentrytitle>
 
622
      <manvolnum>8mandos</manvolnum></citerefentry>,
613
623
      <citerefentry><refentrytitle>cryptsetup</refentrytitle>
614
624
      <manvolnum>8</manvolnum></citerefentry>,
615
625
      <citerefentry><refentrytitle>crypttab</refentrytitle>
620
630
      <manvolnum>8</manvolnum></citerefentry>,
621
631
      <citerefentry><refentrytitle>password-prompt</refentrytitle>
622
632
      <manvolnum>8mandos</manvolnum></citerefentry>,
623
 
      <citerefentry><refentrytitle>password-request</refentrytitle>
 
633
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
624
634
      <manvolnum>8mandos</manvolnum></citerefentry>
625
635
    </para>
626
636
  </refsect1>