1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2012 Zbigniew Jędrzejewski-Szmek
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <sys/prctl.h>
28 #include <sys/socket.h>
30 #include <sys/types.h>
34 #include "sd-daemon.h"
35 #include "journal-file.h"
36 #include "journald-native.h"
37 #include "socket-util.h"
43 #include "conf-parser.h"
44 #include "siphash24.h"
47 #include <gnutls/gnutls.h>
50 #include "journal-remote.h"
51 #include "journal-remote-write.h"
53 #define REMOTE_JOURNAL_PATH "/var/log/journal/remote"
55 #define PRIV_KEY_FILE CERTIFICATE_ROOT "/private/journal-remote.pem"
56 #define CERT_FILE CERTIFICATE_ROOT "/certs/journal-remote.pem"
57 #define TRUST_FILE CERTIFICATE_ROOT "/ca/trusted.pem"
59 static char* arg_url = NULL;
60 static char* arg_getter = NULL;
61 static char* arg_listen_raw = NULL;
62 static char* arg_listen_http = NULL;
63 static char* arg_listen_https = NULL;
64 static char** arg_files = NULL;
65 static int arg_compress = true;
66 static int arg_seal = false;
67 static int http_socket = -1, https_socket = -1;
68 static char** arg_gnutls_log = NULL;
70 static JournalWriteSplitMode arg_split_mode = JOURNAL_WRITE_SPLIT_HOST;
71 static char* arg_output = NULL;
73 static char *arg_key = NULL;
74 static char *arg_cert = NULL;
75 static char *arg_trust = NULL;
76 static bool arg_trust_all = false;
78 /**********************************************************************
79 **********************************************************************
80 **********************************************************************/
82 static int spawn_child(const char* child, char** argv) {
84 pid_t parent_pid, child_pid;
88 log_error("Failed to create pager pipe: %m");
92 parent_pid = getpid();
97 log_error("Failed to fork: %m");
103 if (child_pid == 0) {
104 r = dup2(fd[1], STDOUT_FILENO);
106 log_error("Failed to dup pipe to stdout: %m");
112 /* Make sure the child goes away when the parent dies */
113 if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0)
116 /* Check whether our parent died before we were able
117 * to set the death signal */
118 if (getppid() != parent_pid)
122 log_error("Failed to exec child %s: %m", child);
128 log_warning("Failed to close write end of pipe: %m");
133 static int spawn_curl(const char* url) {
134 char **argv = STRV_MAKE("curl",
135 "-HAccept: application/vnd.fdo.journal",
141 r = spawn_child("curl", argv);
143 log_error("Failed to spawn curl: %m");
147 static int spawn_getter(const char *getter, const char *url) {
149 _cleanup_strv_free_ char **words = NULL;
152 r = strv_split_quoted(&words, getter);
154 log_error("Failed to split getter option: %s", strerror(-r));
158 r = strv_extend(&words, url);
160 log_error("Failed to create command line: %s", strerror(-r));
164 r = spawn_child(words[0], words);
166 log_error("Failed to spawn getter %s: %m", getter);
171 #define filename_escape(s) xescape((s), "/ ")
173 static int open_output(Writer *w, const char* host) {
174 _cleanup_free_ char *_output = NULL;
178 switch (arg_split_mode) {
179 case JOURNAL_WRITE_SPLIT_NONE:
180 output = arg_output ?: REMOTE_JOURNAL_PATH "/remote.journal";
183 case JOURNAL_WRITE_SPLIT_HOST: {
184 _cleanup_free_ char *name;
188 name = filename_escape(host);
192 r = asprintf(&_output, "%s/remote-%s.journal",
193 arg_output ?: REMOTE_JOURNAL_PATH,
203 assert_not_reached("what?");
206 r = journal_file_open_reliably(output,
207 O_RDWR|O_CREAT, 0640,
208 arg_compress, arg_seal,
213 log_error("Failed to open output journal %s: %s",
214 output, strerror(-r));
216 log_info("Opened output file %s", w->journal->path);
220 /**********************************************************************
221 **********************************************************************
222 **********************************************************************/
224 static int init_writer_hashmap(RemoteServer *s) {
225 static const struct hash_ops *hash_ops[] = {
226 [JOURNAL_WRITE_SPLIT_NONE] = NULL,
227 [JOURNAL_WRITE_SPLIT_HOST] = &string_hash_ops,
230 assert(arg_split_mode >= 0 && arg_split_mode < (int) ELEMENTSOF(hash_ops));
232 s->writers = hashmap_new(hash_ops[arg_split_mode]);
239 static int get_writer(RemoteServer *s, const char *host,
242 _cleanup_writer_unref_ Writer *w = NULL;
245 switch(arg_split_mode) {
246 case JOURNAL_WRITE_SPLIT_NONE:
247 key = "one and only";
250 case JOURNAL_WRITE_SPLIT_HOST:
256 assert_not_reached("what split mode?");
259 w = hashmap_get(s->writers, key);
267 if (arg_split_mode == JOURNAL_WRITE_SPLIT_HOST) {
268 w->hashmap_key = strdup(key);
273 r = open_output(w, host);
277 r = hashmap_put(s->writers, w->hashmap_key ?: key, w);
287 /**********************************************************************
288 **********************************************************************
289 **********************************************************************/
291 /* This should go away as soon as µhttpd allows state to be passed around. */
292 static RemoteServer *server;
294 static int dispatch_raw_source_event(sd_event_source *event,
298 static int dispatch_blocking_source_event(sd_event_source *event,
300 static int dispatch_raw_connection_event(sd_event_source *event,
304 static int dispatch_http_event(sd_event_source *event,
309 static int get_source_for_fd(RemoteServer *s,
310 int fd, char *name, RemoteSource **source) {
314 /* This takes ownership of name, but only on success. */
319 if (!GREEDY_REALLOC0(s->sources, s->sources_size, fd + 1))
322 r = get_writer(s, name, &writer);
324 log_warning("Failed to get writer for source %s: %s",
329 if (s->sources[fd] == NULL) {
330 s->sources[fd] = source_new(fd, false, name, writer);
331 if (!s->sources[fd]) {
332 writer_unref(writer);
339 *source = s->sources[fd];
343 static int remove_source(RemoteServer *s, int fd) {
344 RemoteSource *source;
347 assert(fd >= 0 && fd < (ssize_t) s->sources_size);
349 source = s->sources[fd];
351 /* this closes fd too */
353 s->sources[fd] = NULL;
360 static int add_source(RemoteServer *s, int fd, char* name, bool own_name) {
362 RemoteSource *source;
365 /* This takes ownership of name, even on failure, if own_name is true. */
377 r = get_source_for_fd(s, fd, name, &source);
379 log_error("Failed to create source for fd:%d (%s): %s",
380 fd, name, strerror(-r));
385 r = sd_event_add_io(s->events, &source->event,
386 fd, EPOLLIN|EPOLLRDHUP|EPOLLPRI,
387 dispatch_raw_source_event, s);
389 log_debug("Falling back to sd_event_add_defer for fd:%d (%s)", fd, name);
390 r = sd_event_add_defer(s->events, &source->event,
391 dispatch_blocking_source_event, source);
393 sd_event_source_set_enabled(source->event, SD_EVENT_ON);
396 log_error("Failed to register event source for fd:%d: %s",
401 return 1; /* work to do */
404 remove_source(s, fd);
408 static int add_raw_socket(RemoteServer *s, int fd) {
411 r = sd_event_add_io(s->events, &s->listen_event,
413 dispatch_raw_connection_event, s);
423 static int setup_raw_socket(RemoteServer *s, const char *address) {
426 fd = make_socket_fd(LOG_INFO, address, SOCK_STREAM | SOCK_CLOEXEC);
430 return add_raw_socket(s, fd);
433 /**********************************************************************
434 **********************************************************************
435 **********************************************************************/
437 static RemoteSource *request_meta(void **connection_cls, int fd, char *hostname) {
438 RemoteSource *source;
442 assert(connection_cls);
444 return *connection_cls;
446 r = get_writer(server, hostname, &writer);
448 log_warning("Failed to get writer for source %s: %s",
449 hostname, strerror(-r));
453 source = source_new(fd, true, hostname, writer);
456 writer_unref(writer);
460 log_debug("Added RemoteSource as connection metadata %p", source);
462 *connection_cls = source;
466 static void request_meta_free(void *cls,
467 struct MHD_Connection *connection,
468 void **connection_cls,
469 enum MHD_RequestTerminationCode toe) {
472 assert(connection_cls);
475 log_debug("Cleaning up connection metadata %p", s);
477 *connection_cls = NULL;
480 static int process_http_upload(
481 struct MHD_Connection *connection,
482 const char *upload_data,
483 size_t *upload_data_size,
484 RemoteSource *source) {
486 bool finished = false;
492 log_debug("request_handler_upload: connection %p, %zu bytes",
493 connection, *upload_data_size);
495 if (*upload_data_size) {
496 log_debug("Received %zu bytes", *upload_data_size);
498 r = push_data(source, upload_data, *upload_data_size);
500 return mhd_respond_oom(connection);
502 *upload_data_size = 0;
507 r = process_source(source, arg_compress, arg_seal);
508 if (r == -EAGAIN || r == -EWOULDBLOCK)
511 log_warning("Failed to process data for connection %p", connection);
513 return mhd_respondf(connection,
514 MHD_HTTP_REQUEST_ENTITY_TOO_LARGE,
515 "Entry is too large, maximum is %u bytes.\n",
518 return mhd_respondf(connection,
519 MHD_HTTP_UNPROCESSABLE_ENTITY,
520 "Processing failed: %s.", strerror(-r));
527 /* The upload is finished */
529 remaining = source_non_empty(source);
531 log_warning("Premature EOFbyte. %zu bytes lost.", remaining);
532 return mhd_respondf(connection, MHD_HTTP_EXPECTATION_FAILED,
533 "Premature EOF. %zu bytes of trailing data not processed.",
537 return mhd_respond(connection, MHD_HTTP_ACCEPTED, "OK.\n");
540 static int request_handler(
542 struct MHD_Connection *connection,
546 const char *upload_data,
547 size_t *upload_data_size,
548 void **connection_cls) {
552 _cleanup_free_ char *hostname = NULL;
555 assert(connection_cls);
559 log_debug("Handling a connection %s %s %s", method, url, version);
562 return process_http_upload(connection,
563 upload_data, upload_data_size,
566 if (!streq(method, "POST"))
567 return mhd_respond(connection, MHD_HTTP_METHOD_NOT_ACCEPTABLE,
568 "Unsupported method.\n");
570 if (!streq(url, "/upload"))
571 return mhd_respond(connection, MHD_HTTP_NOT_FOUND,
574 header = MHD_lookup_connection_value(connection,
575 MHD_HEADER_KIND, "Content-Type");
576 if (!header || !streq(header, "application/vnd.fdo.journal"))
577 return mhd_respond(connection, MHD_HTTP_UNSUPPORTED_MEDIA_TYPE,
578 "Content-Type: application/vnd.fdo.journal"
582 const union MHD_ConnectionInfo *ci;
584 ci = MHD_get_connection_info(connection,
585 MHD_CONNECTION_INFO_CONNECTION_FD);
587 log_error("MHD_get_connection_info failed: cannot get remote fd");
588 return mhd_respond(connection, MHD_HTTP_INTERNAL_SERVER_ERROR,
589 "Cannot check remote address");
596 if (server->check_trust) {
597 r = check_permissions(connection, &code, &hostname);
601 r = getnameinfo_pretty(fd, &hostname);
603 return mhd_respond(connection, MHD_HTTP_INTERNAL_SERVER_ERROR,
604 "Cannot check remote hostname");
610 if (!request_meta(connection_cls, fd, hostname))
611 return respond_oom(connection);
616 static int setup_microhttpd_server(RemoteServer *s,
621 struct MHD_OptionItem opts[] = {
622 { MHD_OPTION_NOTIFY_COMPLETED, (intptr_t) request_meta_free},
623 { MHD_OPTION_EXTERNAL_LOGGER, (intptr_t) microhttpd_logger},
624 { MHD_OPTION_LISTEN_SOCKET, fd},
632 MHD_USE_PEDANTIC_CHECKS |
633 MHD_USE_EPOLL_LINUX_ONLY |
636 const union MHD_DaemonInfo *info;
642 r = fd_nonblock(fd, true);
644 log_error("Failed to make fd:%d nonblocking: %s", fd, strerror(-r));
651 opts[opts_pos++] = (struct MHD_OptionItem)
652 {MHD_OPTION_HTTPS_MEM_KEY, 0, (char*) key};
653 opts[opts_pos++] = (struct MHD_OptionItem)
654 {MHD_OPTION_HTTPS_MEM_CERT, 0, (char*) cert};
656 flags |= MHD_USE_SSL;
659 opts[opts_pos++] = (struct MHD_OptionItem)
660 {MHD_OPTION_HTTPS_MEM_TRUST, 0, (char*) trust};
663 d = new(MHDDaemonWrapper, 1);
667 d->fd = (uint64_t) fd;
669 d->daemon = MHD_start_daemon(flags, 0,
671 request_handler, NULL,
672 MHD_OPTION_ARRAY, opts,
675 log_error("Failed to start µhttp daemon");
680 log_debug("Started MHD %s daemon on fd:%d (wrapper @ %p)",
681 key ? "HTTPS" : "HTTP", fd, d);
684 info = MHD_get_daemon_info(d->daemon, MHD_DAEMON_INFO_EPOLL_FD_LINUX_ONLY);
686 log_error("µhttp returned NULL daemon info");
691 epoll_fd = info->listen_fd;
693 log_error("µhttp epoll fd is invalid");
698 r = sd_event_add_io(s->events, &d->event,
700 dispatch_http_event, d);
702 log_error("Failed to add event callback: %s", strerror(-r));
706 r = hashmap_ensure_allocated(&s->daemons, &uint64_hash_ops);
712 r = hashmap_put(s->daemons, &d->fd, d);
714 log_error("Failed to add daemon to hashmap: %s", strerror(-r));
722 MHD_stop_daemon(d->daemon);
728 static int setup_microhttpd_socket(RemoteServer *s,
735 fd = make_socket_fd(LOG_INFO, address, SOCK_STREAM | SOCK_CLOEXEC);
739 return setup_microhttpd_server(s, fd, key, cert, trust);
742 static int dispatch_http_event(sd_event_source *event,
746 MHDDaemonWrapper *d = userdata;
751 r = MHD_run(d->daemon);
753 log_error("MHD_run failed!");
754 // XXX: unregister daemon
758 return 1; /* work to do */
761 /**********************************************************************
762 **********************************************************************
763 **********************************************************************/
765 static int dispatch_sigterm(sd_event_source *event,
766 const struct signalfd_siginfo *si,
768 RemoteServer *s = userdata;
772 log_received_signal(LOG_INFO, si);
774 sd_event_exit(s->events, 0);
778 static int setup_signals(RemoteServer *s) {
784 assert_se(sigemptyset(&mask) == 0);
785 sigset_add_many(&mask, SIGINT, SIGTERM, -1);
786 assert_se(sigprocmask(SIG_SETMASK, &mask, NULL) == 0);
788 r = sd_event_add_signal(s->events, &s->sigterm_event, SIGTERM, dispatch_sigterm, s);
792 r = sd_event_add_signal(s->events, &s->sigint_event, SIGINT, dispatch_sigterm, s);
799 static int negative_fd(const char *spec) {
800 /* Return a non-positive number as its inverse, -EINVAL otherwise. */
804 r = safe_atoi(spec, &fd);
814 static int remoteserver_init(RemoteServer *s,
823 if ((arg_listen_raw || arg_listen_http) && trust) {
824 log_error("Option --trust makes all non-HTTPS connections untrusted.");
828 r = sd_event_default(&s->events);
830 log_error("Failed to allocate event loop: %s", strerror(-r));
836 assert(server == NULL);
839 r = init_writer_hashmap(s);
843 n = sd_listen_fds(true);
845 log_error("Failed to read listening file descriptors from environment: %s",
849 log_info("Received %d descriptors", n);
851 if (MAX(http_socket, https_socket) >= SD_LISTEN_FDS_START + n) {
852 log_error("Received fewer sockets than expected");
856 for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + n; fd++) {
857 if (sd_is_socket(fd, AF_UNSPEC, 0, true)) {
858 log_info("Received a listening socket (fd:%d)", fd);
860 if (fd == http_socket)
861 r = setup_microhttpd_server(s, fd, NULL, NULL, NULL);
862 else if (fd == https_socket)
863 r = setup_microhttpd_server(s, fd, key, cert, trust);
865 r = add_raw_socket(s, fd);
866 } else if (sd_is_socket(fd, AF_UNSPEC, 0, false)) {
869 r = getnameinfo_pretty(fd, &hostname);
871 log_error("Failed to retrieve remote name: %s", strerror(-r));
875 log_info("Received a connection socket (fd:%d) from %s", fd, hostname);
877 r = add_source(s, fd, hostname, true);
879 log_error("Unknown socket passed on fd:%d", fd);
885 log_error("Failed to register socket (fd:%d): %s",
892 const char *url, *hostname;
894 url = strappenda(arg_url, "/entries");
897 log_info("Spawning getter %s...", url);
898 fd = spawn_getter(arg_getter, url);
900 log_info("Spawning curl %s...", url);
901 fd = spawn_curl(url);
907 startswith(arg_url, "https://") ?:
908 startswith(arg_url, "http://") ?:
911 r = add_source(s, fd, (char*) hostname, false);
916 if (arg_listen_raw) {
917 log_info("Listening on a socket...");
918 r = setup_raw_socket(s, arg_listen_raw);
923 if (arg_listen_http) {
924 r = setup_microhttpd_socket(s, arg_listen_http, NULL, NULL, NULL);
929 if (arg_listen_https) {
930 r = setup_microhttpd_socket(s, arg_listen_https, key, cert, trust);
935 STRV_FOREACH(file, arg_files) {
936 const char *output_name;
938 if (streq(*file, "-")) {
939 log_info("Using standard input as source.");
942 output_name = "stdin";
944 log_info("Reading file %s...", *file);
946 fd = open(*file, O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
948 log_error("Failed to open %s: %m", *file);
954 r = add_source(s, fd, (char*) output_name, false);
959 if (s->active == 0) {
960 log_error("Zarro sources specified");
964 if (arg_split_mode == JOURNAL_WRITE_SPLIT_NONE) {
965 /* In this case we know what the writer will be
966 called, so we can create it and verify that we can
967 create output as expected. */
968 r = get_writer(s, NULL, &s->_single_writer);
976 static void server_destroy(RemoteServer *s) {
980 while ((d = hashmap_steal_first(s->daemons))) {
981 MHD_stop_daemon(d->daemon);
982 sd_event_source_unref(d->event);
986 hashmap_free(s->daemons);
988 assert(s->sources_size == 0 || s->sources);
989 for (i = 0; i < s->sources_size; i++)
993 writer_unref(s->_single_writer);
994 hashmap_free(s->writers);
996 sd_event_source_unref(s->sigterm_event);
997 sd_event_source_unref(s->sigint_event);
998 sd_event_source_unref(s->listen_event);
999 sd_event_unref(s->events);
1001 /* fds that we're listening on remain open... */
1004 /**********************************************************************
1005 **********************************************************************
1006 **********************************************************************/
1008 static int dispatch_raw_source_event(sd_event_source *event,
1013 RemoteServer *s = userdata;
1014 RemoteSource *source;
1017 assert(fd >= 0 && fd < (ssize_t) s->sources_size);
1018 source = s->sources[fd];
1019 assert(source->fd == fd);
1021 r = process_source(source, arg_compress, arg_seal);
1022 if (source->state == STATE_EOF) {
1025 log_info("EOF reached with source fd:%d (%s)",
1026 source->fd, source->name);
1028 remaining = source_non_empty(source);
1030 log_warning("Premature EOF. %zu bytes lost.", remaining);
1031 remove_source(s, source->fd);
1032 log_info("%zd active sources remaining", s->active);
1034 } else if (r == -E2BIG) {
1035 log_error("Entry too big, skipped");
1037 } else if (r == -EAGAIN) {
1040 log_info("Closing connection: %s", strerror(-r));
1041 remove_source(server, fd);
1047 static int dispatch_blocking_source_event(sd_event_source *event,
1049 RemoteSource *source = userdata;
1051 return dispatch_raw_source_event(event, source->fd, EPOLLIN, server);
1054 static int accept_connection(const char* type, int fd,
1055 SocketAddress *addr, char **hostname) {
1058 log_debug("Accepting new %s connection on fd:%d", type, fd);
1059 fd2 = accept4(fd, &addr->sockaddr.sa, &addr->size, SOCK_NONBLOCK|SOCK_CLOEXEC);
1061 log_error("accept() on fd:%d failed: %m", fd);
1065 switch(socket_address_family(addr)) {
1068 _cleanup_free_ char *a = NULL;
1071 r = socket_address_print(addr, &a);
1073 log_error("socket_address_print(): %s", strerror(-r));
1078 r = socknameinfo_pretty(&addr->sockaddr, addr->size, &b);
1084 log_info("Accepted %s %s connection from %s",
1086 socket_address_family(addr) == AF_INET ? "IP" : "IPv6",
1094 log_error("Rejected %s connection with unsupported family %d",
1095 type, socket_address_family(addr));
1102 static int dispatch_raw_connection_event(sd_event_source *event,
1106 RemoteServer *s = userdata;
1108 SocketAddress addr = {
1109 .size = sizeof(union sockaddr_union),
1110 .type = SOCK_STREAM,
1114 fd2 = accept_connection("raw", fd, &addr, &hostname);
1118 return add_source(s, fd2, hostname, true);
1121 /**********************************************************************
1122 **********************************************************************
1123 **********************************************************************/
1125 static const char* const journal_write_split_mode_table[_JOURNAL_WRITE_SPLIT_MAX] = {
1126 [JOURNAL_WRITE_SPLIT_NONE] = "none",
1127 [JOURNAL_WRITE_SPLIT_HOST] = "host",
1130 DEFINE_PRIVATE_STRING_TABLE_LOOKUP(journal_write_split_mode, JournalWriteSplitMode);
1131 static DEFINE_CONFIG_PARSE_ENUM(config_parse_write_split_mode,
1132 journal_write_split_mode,
1133 JournalWriteSplitMode,
1134 "Failed to parse split mode setting");
1136 static int parse_config(void) {
1137 const ConfigTableItem items[] = {
1138 { "Remote", "SplitMode", config_parse_write_split_mode, 0, &arg_split_mode },
1139 { "Remote", "ServerKeyFile", config_parse_path, 0, &arg_key },
1140 { "Remote", "ServerCertificateFile", config_parse_path, 0, &arg_cert },
1141 { "Remote", "TrustedCertificateFile", config_parse_path, 0, &arg_trust },
1144 return config_parse(NULL, PKGSYSCONFDIR "/journal-remote.conf", NULL,
1146 config_item_table_lookup, items,
1147 false, false, true, NULL);
1150 static void help(void) {
1151 printf("%s [OPTIONS...] {FILE|-}...\n\n"
1152 "Write external journal events to journal file(s).\n\n"
1153 " -h --help Show this help\n"
1154 " --version Show package version\n"
1155 " --url=URL Read events from systemd-journal-gatewayd at URL\n"
1156 " --getter=COMMAND Read events from the output of COMMAND\n"
1157 " --listen-raw=ADDR Listen for connections at ADDR\n"
1158 " --listen-http=ADDR Listen for HTTP connections at ADDR\n"
1159 " --listen-https=ADDR Listen for HTTPS connections at ADDR\n"
1160 " -o --output=FILE|DIR Write output to FILE or DIR/external-*.journal\n"
1161 " --compress[=BOOL] Use XZ-compression in the output journal (default: yes)\n"
1162 " --seal[=BOOL] Use Event sealing in the output journal (default: no)\n"
1163 " --key=FILENAME Specify key in PEM format (default:\n"
1164 " \"" PRIV_KEY_FILE "\")\n"
1165 " --cert=FILENAME Specify certificate in PEM format (default:\n"
1166 " \"" CERT_FILE "\")\n"
1167 " --trust=FILENAME|all Specify CA certificate or disable checking (default:\n"
1168 " \"" TRUST_FILE "\")\n"
1169 " --gnutls-log=CATEGORY...\n"
1170 " Specify a list of gnutls logging categories\n"
1172 "Note: file descriptors from sd_listen_fds() will be consumed, too.\n"
1173 , program_invocation_short_name);
1176 static int parse_argv(int argc, char *argv[]) {
1178 ARG_VERSION = 0x100,
1193 static const struct option options[] = {
1194 { "help", no_argument, NULL, 'h' },
1195 { "version", no_argument, NULL, ARG_VERSION },
1196 { "url", required_argument, NULL, ARG_URL },
1197 { "getter", required_argument, NULL, ARG_GETTER },
1198 { "listen-raw", required_argument, NULL, ARG_LISTEN_RAW },
1199 { "listen-http", required_argument, NULL, ARG_LISTEN_HTTP },
1200 { "listen-https", required_argument, NULL, ARG_LISTEN_HTTPS },
1201 { "output", required_argument, NULL, 'o' },
1202 { "split-mode", required_argument, NULL, ARG_SPLIT_MODE },
1203 { "compress", optional_argument, NULL, ARG_COMPRESS },
1204 { "seal", optional_argument, NULL, ARG_SEAL },
1205 { "key", required_argument, NULL, ARG_KEY },
1206 { "cert", required_argument, NULL, ARG_CERT },
1207 { "trust", required_argument, NULL, ARG_TRUST },
1208 { "gnutls-log", required_argument, NULL, ARG_GNUTLS_LOG },
1213 bool type_a, type_b;
1218 while ((c = getopt_long(argc, argv, "ho:", options, NULL)) >= 0)
1222 return 0 /* done */;
1225 puts(PACKAGE_STRING);
1226 puts(SYSTEMD_FEATURES);
1227 return 0 /* done */;
1231 log_error("cannot currently set more than one --url");
1240 log_error("cannot currently use --getter more than once");
1244 arg_getter = optarg;
1247 case ARG_LISTEN_RAW:
1248 if (arg_listen_raw) {
1249 log_error("cannot currently use --listen-raw more than once");
1253 arg_listen_raw = optarg;
1256 case ARG_LISTEN_HTTP:
1257 if (arg_listen_http || http_socket >= 0) {
1258 log_error("cannot currently use --listen-http more than once");
1262 r = negative_fd(optarg);
1266 arg_listen_http = optarg;
1269 case ARG_LISTEN_HTTPS:
1270 if (arg_listen_https || https_socket >= 0) {
1271 log_error("cannot currently use --listen-https more than once");
1275 r = negative_fd(optarg);
1279 arg_listen_https = optarg;
1285 log_error("Key file specified twice");
1289 arg_key = strdup(optarg);
1297 log_error("Certificate file specified twice");
1301 arg_cert = strdup(optarg);
1308 if (arg_trust || arg_trust_all) {
1309 log_error("Confusing trusted CA configuration");
1313 if (streq(optarg, "all"))
1314 arg_trust_all = true;
1317 arg_trust = strdup(optarg);
1321 log_error("Option --trust is not available.");
1330 log_error("cannot use --output/-o more than once");
1334 arg_output = optarg;
1337 case ARG_SPLIT_MODE:
1338 arg_split_mode = journal_write_split_mode_from_string(optarg);
1339 if (arg_split_mode == _JOURNAL_WRITE_SPLIT_INVALID) {
1340 log_error("Invalid split mode: %s", optarg);
1347 r = parse_boolean(optarg);
1349 log_error("Failed to parse --compress= parameter.");
1355 arg_compress = true;
1361 r = parse_boolean(optarg);
1363 log_error("Failed to parse --seal= parameter.");
1373 case ARG_GNUTLS_LOG: {
1375 const char *word, *state;
1378 FOREACH_WORD_SEPARATOR(word, size, optarg, ",", state) {
1381 cat = strndup(word, size);
1385 if (strv_consume(&arg_gnutls_log, cat) < 0)
1390 log_error("Option --gnutls-log is not available.");
1399 assert_not_reached("Unknown option code.");
1403 arg_files = argv + optind;
1405 type_a = arg_getter || !strv_isempty(arg_files);
1408 || arg_listen_http || arg_listen_https
1409 || sd_listen_fds(false) > 0;
1410 if (type_a && type_b) {
1411 log_error("Cannot use file input or --getter with "
1412 "--arg-listen-... or socket activation.");
1417 log_error("Option --output must be specified with file input or --getter.");
1421 arg_split_mode = JOURNAL_WRITE_SPLIT_NONE;
1424 if (arg_split_mode == JOURNAL_WRITE_SPLIT_NONE
1425 && arg_output && is_dir(arg_output, true) > 0) {
1426 log_error("For SplitMode=none, output must be a file.");
1430 if (arg_split_mode == JOURNAL_WRITE_SPLIT_HOST
1431 && arg_output && is_dir(arg_output, true) <= 0) {
1432 log_error("For SplitMode=host, output must be a directory.");
1436 log_debug("Full config: SplitMode=%s Key=%s Cert=%s Trust=%s",
1437 journal_write_split_mode_to_string(arg_split_mode),
1442 return 1 /* work to do */;
1445 static int load_certificates(char **key, char **cert, char **trust) {
1448 r = read_full_file(arg_key ?: PRIV_KEY_FILE, key, NULL);
1450 log_error("Failed to read key from file '%s': %s",
1451 arg_key ?: PRIV_KEY_FILE, strerror(-r));
1455 r = read_full_file(arg_cert ?: CERT_FILE, cert, NULL);
1457 log_error("Failed to read certificate from file '%s': %s",
1458 arg_cert ?: CERT_FILE, strerror(-r));
1463 log_info("Certificate checking disabled.");
1465 r = read_full_file(arg_trust ?: TRUST_FILE, trust, NULL);
1467 log_error("Failed to read CA certificate file '%s': %s",
1468 arg_trust ?: TRUST_FILE, strerror(-r));
1476 static int setup_gnutls_logger(char **categories) {
1477 if (!arg_listen_http && !arg_listen_https)
1485 gnutls_global_set_log_function(log_func_gnutls);
1488 STRV_FOREACH(cat, categories) {
1489 r = log_enable_gnutls_category(*cat);
1494 log_reset_gnutls_level();
1501 int main(int argc, char **argv) {
1502 RemoteServer s = {};
1504 _cleanup_free_ char *key = NULL, *cert = NULL, *trust = NULL;
1506 log_show_color(true);
1507 log_parse_environment();
1511 return EXIT_FAILURE;
1513 r = parse_argv(argc, argv);
1515 return r == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
1517 r = setup_gnutls_logger(arg_gnutls_log);
1519 return EXIT_FAILURE;
1521 if (arg_listen_https || https_socket >= 0)
1522 if (load_certificates(&key, &cert, &trust) < 0)
1523 return EXIT_FAILURE;
1525 if (remoteserver_init(&s, key, cert, trust) < 0)
1526 return EXIT_FAILURE;
1528 sd_event_set_watchdog(s.events, true);
1530 log_debug("%s running as pid "PID_FMT,
1531 program_invocation_short_name, getpid());
1534 "STATUS=Processing requests...");
1537 r = sd_event_get_state(s.events);
1540 if (r == SD_EVENT_FINISHED)
1543 r = sd_event_run(s.events, -1);
1545 log_error("Failed to run event loop: %s", strerror(-r));
1552 "STATUS=Shutting down after writing %" PRIu64 " entries...", s.event_count);
1553 log_info("Finishing after writing %" PRIu64 " entries", s.event_count);
1561 return r >= 0 ? EXIT_SUCCESS : EXIT_FAILURE;
~ianmdlvl / elogind.git / blob