#
# Author:: Daniel DeLeo (<dan@chef.io>)
# Copyright:: Copyright (c) 2010-2016 Chef Software, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module Mixlib
class ShellOut
module Unix
# "1.8.7" as a frozen string. We use this with a hack that disables GC to
# avoid segfaults on Ruby 1.8.7, so we need to allocate the fewest
# objects we possibly can.
ONE_DOT_EIGHT_DOT_SEVEN = "1.8.7".freeze
# Option validation that is unix specific
def validate_options(opts)
if opts[:elevated]
raise InvalidCommandOption, "Option `elevated` is supported for Powershell commands only"
end
end
# Whether we're simulating a login shell
def using_login?
login && user
end
# Helper method for sgids
def all_seconderies
ret = []
Etc.endgrent
while ( g = Etc.getgrent )
ret << g
end
Etc.endgrent
ret
end
# The secondary groups that the subprocess will switch to.
# Currently valid only if login is used, and is set
# to the user's secondary groups
def sgids
return nil unless using_login?
user_name = Etc.getpwuid(uid).name
all_seconderies.select { |g| g.mem.include?(user_name) }.map(&:gid)
end
# The environment variables that are deduced from simulating logon
# Only valid if login is used
def logon_environment
return {} unless using_login?
entry = Etc.getpwuid(uid)
# According to `man su`, the set fields are:
# $HOME, $SHELL, $USER, $LOGNAME, $PATH, and $IFS
# Values are copied from "shadow" package in Ubuntu 14.10
{ "HOME" => entry.dir, "SHELL" => entry.shell, "USER" => entry.name, "LOGNAME" => entry.name, "PATH" => "/sbin:/bin:/usr/sbin:/usr/bin", "IFS" => "\t\n" }
end
# Merges the two environments for the process
def process_environment
logon_environment.merge(environment)
end
# Run the command, writing the command's standard out and standard error
# to +stdout+ and +stderr+, and saving its exit status object to +status+
# === Returns
# returns +self+; +stdout+, +stderr+, +status+, and +exitstatus+ will be
# populated with results of the command.
# === Raises
# * Errno::EACCES when you are not privileged to execute the command
# * Errno::ENOENT when the command is not available on the system (or not
# in the current $PATH)
# * Chef::Exceptions::CommandTimeout when the command does not complete
# within +timeout+ seconds (default: 600s). When this happens, ShellOut
# will send a TERM and then KILL to the entire process group to ensure
# that any grandchild processes are terminated. If the invocation of
# the child process spawned multiple child processes (which commonly
# happens if the command is passed as a single string to be interpreted
# by bin/sh, and bin/sh is not bash), the exit status object may not
# contain the correct exit code of the process (of course there is no
# exit code if the command is killed by SIGKILL, also).
def run_command
@child_pid = fork_subprocess
@reaped = false
configure_parent_process_file_descriptors
# Ruby 1.8.7 and 1.8.6 from mid 2009 try to allocate objects during GC
# when calling IO.select and IO#read. Disabling GC works around the
# segfault, but obviously it's a bad workaround. We no longer support
# 1.8.6 so we only need this hack for 1.8.7.
GC.disable if RUBY_VERSION == ONE_DOT_EIGHT_DOT_SEVEN
# CHEF-3390: Marshall.load on Ruby < 1.8.7p369 also has a GC bug related
# to Marshall.load, so try disabling GC first.
propagate_pre_exec_failure
@status = nil
@result = nil
@execution_time = 0
write_to_child_stdin
until @status
ready_buffers = attempt_buffer_read
unless ready_buffers
@execution_time += READ_WAIT_TIME
if @execution_time >= timeout && !@result
# kill the bad proccess
reap_errant_child
# read anything it wrote when we killed it
attempt_buffer_read
# raise
raise CommandTimeout, "Command timed out after #{@execution_time.to_i}s:\n#{format_for_exception}"
end
end
attempt_reap
end
self
rescue Errno::ENOENT
# When ENOENT happens, we can be reasonably sure that the child process
# is going to exit quickly, so we use the blocking variant of waitpid2
reap
raise
ensure
reap_errant_child if should_reap?
# make one more pass to get the last of the output after the
# child process dies
attempt_buffer_read
# no matter what happens, turn the GC back on, and hope whatever busted
# version of ruby we're on doesn't allocate some objects during the next
# GC run.
GC.enable
close_all_pipes
end
private
def set_user
if user
Process.uid = uid
Process.euid = uid
end
end
def set_group
if group
Process.egid = gid
Process.gid = gid
end
end
def set_secondarygroups
if sgids
Process.groups = sgids
end
end
def set_environment
# user-set variables should override the login ones
process_environment.each do |env_var, value|
ENV[env_var] = value
end
end
def set_umask
File.umask(umask) if umask
end
def set_cwd
Dir.chdir(cwd) if cwd
end
# Since we call setsid the child_pgid will be the child_pid, set to negative here
# so it can be directly used in arguments to kill, wait, etc.
def child_pgid
-@child_pid
end
def initialize_ipc
@stdin_pipe, @stdout_pipe, @stderr_pipe, @process_status_pipe = IO.pipe, IO.pipe, IO.pipe, IO.pipe
@process_status_pipe.last.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC)
end
def child_stdin
@stdin_pipe[1]
end
def child_stdout
@stdout_pipe[0]
end
def child_stderr
@stderr_pipe[0]
end
def child_process_status
@process_status_pipe[0]
end
def close_all_pipes
child_stdin.close unless child_stdin.closed?
child_stdout.close unless child_stdout.closed?
child_stderr.close unless child_stderr.closed?
child_process_status.close unless child_process_status.closed?
end
# Replace stdout, and stderr with pipes to the parent, and close the
# reader side of the error marshaling side channel.
#
# If there is no input, close STDIN so when we exec,
# the new program will know it's never getting input ever.
def configure_subprocess_file_descriptors
process_status_pipe.first.close
# HACK: for some reason, just STDIN.close isn't good enough when running
# under ruby 1.9.2, so make it good enough:
stdin_pipe.last.close
STDIN.reopen stdin_pipe.first
stdin_pipe.first.close unless input
stdout_pipe.first.close
STDOUT.reopen stdout_pipe.last
stdout_pipe.last.close
stderr_pipe.first.close
STDERR.reopen stderr_pipe.last
stderr_pipe.last.close
STDOUT.sync = STDERR.sync = true
STDIN.sync = true if input
end
def configure_parent_process_file_descriptors
# Close the sides of the pipes we don't care about
stdin_pipe.first.close
stdin_pipe.last.close unless input
stdout_pipe.last.close
stderr_pipe.last.close
process_status_pipe.last.close
# Get output as it happens rather than buffered
child_stdin.sync = true if input
child_stdout.sync = true
child_stderr.sync = true
true
end
# Some patch levels of ruby in wide use (in particular the ruby 1.8.6 on OSX)
# segfault when you IO.select a pipe that's reached eof. Weak sauce.
def open_pipes
@open_pipes ||= [child_stdout, child_stderr, child_process_status]
end
# Keep this unbuffered for now
def write_to_child_stdin
return unless input
child_stdin << input
child_stdin.close # Kick things off
end
def attempt_buffer_read
ready = IO.select(open_pipes, nil, nil, READ_WAIT_TIME)
if ready
read_stdout_to_buffer if ready.first.include?(child_stdout)
read_stderr_to_buffer if ready.first.include?(child_stderr)
read_process_status_to_buffer if ready.first.include?(child_process_status)
end
ready
end
def read_stdout_to_buffer
while ( chunk = child_stdout.read_nonblock(READ_SIZE) )
@stdout << chunk
@live_stdout << chunk if @live_stdout
end
rescue Errno::EAGAIN
rescue EOFError
open_pipes.delete(child_stdout)
end
def read_stderr_to_buffer
while ( chunk = child_stderr.read_nonblock(READ_SIZE) )
@stderr << chunk
@live_stderr << chunk if @live_stderr
end
rescue Errno::EAGAIN
rescue EOFError
open_pipes.delete(child_stderr)
end
def read_process_status_to_buffer
while ( chunk = child_process_status.read_nonblock(READ_SIZE) )
@process_status << chunk
end
rescue Errno::EAGAIN
rescue EOFError
open_pipes.delete(child_process_status)
end
def fork_subprocess
initialize_ipc
fork do
# Child processes may themselves fork off children. A common case
# is when the command is given as a single string (instead of
# command name plus Array of arguments) and /bin/sh does not
# support the "ONESHOT" optimization (where sh -c does exec without
# forking). To support cleaning up all the children, we need to
# ensure they're in a unique process group.
#
# We use setsid here to abandon our controlling tty and get a new session
# and process group that are set to the pid of the child process.
Process.setsid
configure_subprocess_file_descriptors
set_secondarygroups
set_group
set_user
set_environment
set_umask
set_cwd
begin
command.is_a?(Array) ? exec(*command, close_others: true) : exec(command, close_others: true)
raise "forty-two" # Should never get here
rescue Exception => e
Marshal.dump(e, process_status_pipe.last)
process_status_pipe.last.flush
end
process_status_pipe.last.close unless process_status_pipe.last.closed?
exit!
end
end
# Attempt to get a Marshaled error from the side-channel.
# If it's there, un-marshal it and raise. If it's not there,
# assume everything went well.
def propagate_pre_exec_failure
attempt_buffer_read until child_process_status.eof?
e = Marshal.load(@process_status)
raise(Exception === e ? e : "unknown failure: #{e.inspect}")
rescue ArgumentError # If we get an ArgumentError error, then the exec was successful
true
ensure
child_process_status.close
open_pipes.delete(child_process_status)
end
def reap_errant_child
return if attempt_reap
@terminate_reason = "Command exceeded allowed execution time, process terminated"
logger&.error("Command exceeded allowed execution time, sending TERM")
Process.kill(:TERM, child_pgid)
sleep 3
attempt_reap
logger&.error("Command exceeded allowed execution time, sending KILL")
Process.kill(:KILL, child_pgid)
reap
# Should not hit this but it's possible if something is calling waitall
# in a separate thread.
rescue Errno::ESRCH
nil
end
def should_reap?
# if we fail to fork, no child pid so nothing to reap
@child_pid && !@reaped
end
# Unconditionally reap the child process. This is used in scenarios where
# we can be confident the child will exit quickly, and has not spawned
# and grandchild processes.
def reap
results = Process.waitpid2(@child_pid)
@reaped = true
@status = results.last
rescue Errno::ECHILD
# When cleaning up timed-out processes, we might send SIGKILL to the
# whole process group after we've cleaned up the direct child. In that
# case the grandchildren will have been adopted by init so we can't
# reap them even if we wanted to (we don't).
nil
end
# Try to reap the child process but don't block if it isn't dead yet.
def attempt_reap
results = Process.waitpid2(@child_pid, Process::WNOHANG)
if results
@reaped = true
@status = results.last
else
nil
end
end
end
end
end