s->trigger_limit.interval = USEC_INFINITY;
s->trigger_limit.burst = UINT_MAX;
+
+ s->poll_limit_interval = USEC_INFINITY;
+ s->poll_limit_burst = UINT_MAX;
}
static void socket_unwatch_control_pid(Socket *s) {
if (!pidref_is_set(&s->control_pid))
return;
- unit_unwatch_pid(UNIT(s), s->control_pid.pid);
+ unit_unwatch_pidref(UNIT(s), &s->control_pid);
pidref_done(&s->control_pid);
}
s->timer_event_source = sd_event_source_disable_unref(s->timer_event_source);
}
-static int socket_arm_timer(Socket *s, usec_t usec) {
- int r;
-
+static int socket_arm_timer(Socket *s, bool relative, usec_t usec) {
assert(s);
- if (s->timer_event_source) {
- r = sd_event_source_set_time(s->timer_event_source, usec);
- if (r < 0)
- return r;
-
- return sd_event_source_set_enabled(s->timer_event_source, SD_EVENT_ONESHOT);
- }
-
- if (usec == USEC_INFINITY)
- return 0;
-
- r = sd_event_add_time(
- UNIT(s)->manager->event,
- &s->timer_event_source,
- CLOCK_MONOTONIC,
- usec, 0,
- socket_dispatch_timer, s);
- if (r < 0)
- return r;
-
- (void) sd_event_source_set_description(s->timer_event_source, "socket-timer");
-
- return 0;
+ return unit_arm_timer(UNIT(s), &s->timer_event_source, relative, usec, socket_dispatch_timer);
}
static bool have_non_accept_socket(Socket *s) {
* off the queues, which it might not necessarily do. Moreover, while Accept=no services are supposed to
* process whatever is queued in one go, and thus should normally never have to be started frequently. This is
* different for Accept=yes where each connection is processed by a new service instance, and thus frequent
- * service starts are typical. */
+ * service starts are typical.
+ *
+ * For the poll limit we follow a similar rule, but use 3/4th of the trigger limit parameters, to
+ * trigger this earlier. */
if (s->trigger_limit.interval == USEC_INFINITY)
s->trigger_limit.interval = 2 * USEC_PER_SEC;
+ if (s->trigger_limit.burst == UINT_MAX)
+ s->trigger_limit.burst = s->accept ? 200 : 20;
- if (s->trigger_limit.burst == UINT_MAX) {
- if (s->accept)
- s->trigger_limit.burst = 200;
- else
- s->trigger_limit.burst = 20;
- }
+ if (s->poll_limit_interval == USEC_INFINITY)
+ s->poll_limit_interval = 2 * USEC_PER_SEC;
+ if (s->poll_limit_burst == UINT_MAX)
+ s->poll_limit_burst = s->accept ? 150 : 15;
if (have_non_accept_socket(s)) {
DEFINE_TRIVIAL_REF_UNREF_FUNC(SocketPeer, socket_peer, socket_peer_free);
-int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
+int socket_acquire_peer(Socket *s, int fd, SocketPeer **ret) {
_cleanup_(socket_peer_unrefp) SocketPeer *remote = NULL;
SocketPeer sa = {
.peer_salen = sizeof(union sockaddr_union),
assert(fd >= 0);
assert(s);
+ assert(ret);
if (getpeername(fd, &sa.peer.sa, &sa.peer_salen) < 0)
- return log_unit_error_errno(UNIT(s), errno, "getpeername failed: %m");
+ return log_unit_error_errno(UNIT(s), errno, "getpeername() failed: %m");
if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
- *p = NULL;
+ *ret = NULL;
return 0;
}
- r = set_ensure_allocated(&s->peers_by_address, &peer_address_hash_ops);
- if (r < 0)
- return r;
-
i = set_get(s->peers_by_address, &sa);
if (i) {
- *p = socket_peer_ref(i);
+ *ret = socket_peer_ref(i);
return 1;
}
remote->peer = sa.peer;
remote->peer_salen = sa.peer_salen;
- r = set_put(s->peers_by_address, remote);
+ r = set_ensure_put(&s->peers_by_address, &peer_address_hash_ops, remote);
if (r < 0)
- return r;
+ return log_unit_error_errno(UNIT(s), r, "Failed to insert peer info into hash table: %m");
remote->socket = s;
- *p = TAKE_PTR(remote);
+ *ret = TAKE_PTR(remote);
return 1;
}
fprintf(f,
"%sTriggerLimitIntervalSec: %s\n"
- "%sTriggerLimitBurst: %u\n",
+ "%sTriggerLimitBurst: %u\n"
+ "%sPollLimitIntervalSec: %s\n"
+ "%sPollLimitBurst: %u\n",
prefix, FORMAT_TIMESPAN(s->trigger_limit.interval, USEC_PER_SEC),
- prefix, s->trigger_limit.burst);
+ prefix, s->trigger_limit.burst,
+ prefix, FORMAT_TIMESPAN(s->poll_limit_interval, USEC_PER_SEC),
+ prefix, s->poll_limit_burst);
str = ip_protocol_to_name(s->socket_protocol);
if (str)
log_unit_error_errno(u, error, fmt, strna(_t)); \
})
-static int fork_needed(const SocketAddress *address, const ExecContext *context) {
+static int fork_needed(const SocketAddress *address, Socket *s) {
int r;
assert(address);
- assert(context);
+ assert(s);
/* Check if we need to do the cgroup or netns stuff. If not we can do things much simpler. */
+ /* If there are any NFTSet= directives with cgroup source, we need the cgroup */
+ Unit *u = UNIT(s);
+ CGroupContext *c = unit_get_cgroup_context(u);
+ if (c)
+ FOREACH_ARRAY(nft_set, c->nft_set_context.sets, c->nft_set_context.n_sets)
+ if (nft_set->source == NFT_SET_SOURCE_CGROUP)
+ return true;
+
if (IN_SET(address->sockaddr.sa.sa_family, AF_INET, AF_INET6)) {
r = bpf_firewall_supported();
if (r < 0)
return true;
}
- return exec_needs_network_namespace(context);
+ return exec_needs_network_namespace(&s->exec_context);
}
static int socket_address_listen_in_cgroup(
const SocketAddress *address,
const char *label) {
+ _cleanup_(pidref_done) PidRef pid = PIDREF_NULL;
_cleanup_close_pair_ int pair[2] = PIPE_EBADF;
int fd, r;
- pid_t pid;
assert(s);
assert(address);
* the socket is actually properly attached to the unit's cgroup for the purpose of BPF filtering and
* such. */
- r = fork_needed(address, &s->exec_context);
+ r = fork_needed(address, s);
if (r < 0)
return r;
if (r == 0) {
fd = receive_one_fd(pair[0], 0);
/* We synchronously wait for the helper, as it shouldn't be slow */
- r = wait_for_terminate_and_check("(sd-listen)", pid, WAIT_LOG_ABNORMAL);
+ r = wait_for_terminate_and_check("(sd-listen)", pid.pid, WAIT_LOG_ABNORMAL);
if (r < 0) {
safe_close(fd);
return r;
(void) sd_event_source_set_description(p->event_source, "socket-port-io");
}
+
+ r = sd_event_source_set_ratelimit(p->event_source, s->poll_limit_interval, s->poll_limit_burst);
+ if (r < 0)
+ log_unit_debug_errno(UNIT(s), r, "Failed to set poll limit on I/O event source, ignoring: %m");
}
return 0;
SOCKET_FINAL_SIGKILL,
SOCKET_CLEANING)) {
- r = unit_watch_pid(UNIT(s), s->control_pid.pid, /* exclusive= */ false);
+ r = unit_watch_pidref(UNIT(s), &s->control_pid, /* exclusive= */ false);
if (r < 0)
return r;
- r = socket_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
+ r = socket_arm_timer(s, /* relative= */ false, usec_add(u->state_change_timestamp.monotonic, s->timeout_usec));
if (r < 0)
return r;
}
if (r < 0)
return r;
- r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
+ r = socket_arm_timer(s, /* relative= */ true, s->timeout_usec);
if (r < 0)
return r;
if (r < 0)
return r;
- r = unit_watch_pid(UNIT(s), pidref.pid, /* exclusive= */ true);
+ r = unit_watch_pidref(UNIT(s), &pidref, /* exclusive= */ true);
if (r < 0)
return r;
}
static int socket_chown(Socket *s, PidRef *ret_pid) {
- _cleanup_(pidref_done) PidRef pidref = PIDREF_NULL;
- pid_t pid;
+ _cleanup_(pidref_done) PidRef pid = PIDREF_NULL;
int r;
assert(s);
- r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
+ r = socket_arm_timer(s, /* relative= */ true, s->timeout_usec);
if (r < 0)
return r;
_exit(EXIT_SUCCESS);
}
- r = pidref_set_pid(&pidref, pid);
- if (r < 0)
- return r;
-
- r = unit_watch_pid(UNIT(s), pidref.pid, /* exclusive= */ true);
+ r = unit_watch_pidref(UNIT(s), &pid, /* exclusive= */ true);
if (r < 0)
return r;
- *ret_pid = TAKE_PIDREF(pidref);
+ *ret_pid = TAKE_PIDREF(pid);
return 0;
}
pidref_done(&s->control_pid);
r = socket_spawn(s, s->control_command, &s->control_pid);
- if (r < 0)
- goto fail;
+ if (r < 0) {
+ log_unit_warning_errno(UNIT(s), r, "Failed to spawn 'stop-post' task: %m");
+ socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
+ return;
+ }
socket_set_state(s, SOCKET_STOP_POST);
} else
socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_SUCCESS);
-
- return;
-
-fail:
- log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-post' task: %m");
- socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
}
static int state_to_kill_operation(Socket *s, SocketState state) {
/* main_pid= */ NULL,
&s->control_pid,
/* main_pid_alien= */ false);
- if (r < 0)
+ if (r < 0) {
+ log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
goto fail;
+ }
if (r > 0) {
- r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
- if (r < 0)
+ r = socket_arm_timer(s, /* relative= */ true, s->timeout_usec);
+ if (r < 0) {
+ log_unit_warning_errno(UNIT(s), r, "Failed to install timer: %m");
goto fail;
+ }
socket_set_state(s, state);
} else if (state == SOCKET_STOP_PRE_SIGTERM)
return;
fail:
- log_unit_warning_errno(UNIT(s), r, "Failed to kill processes: %m");
-
if (IN_SET(state, SOCKET_STOP_PRE_SIGTERM, SOCKET_STOP_PRE_SIGKILL))
socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
else
pidref_done(&s->control_pid);
r = socket_spawn(s, s->control_command, &s->control_pid);
- if (r < 0)
- goto fail;
+ if (r < 0) {
+ log_unit_warning_errno(UNIT(s), r, "Failed to spawn 'stop-pre' task: %m");
+ socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
+ return;
+ }
socket_set_state(s, SOCKET_STOP_PRE);
} else
socket_enter_stop_post(s, SOCKET_SUCCESS);
-
- return;
-
-fail:
- log_unit_warning_errno(UNIT(s), r, "Failed to run 'stop-pre' task: %m");
- socket_enter_stop_post(s, SOCKET_FAILURE_RESOURCES);
}
static void socket_enter_listening(Socket *s) {
r = socket_watch_fds(s);
if (r < 0) {
log_unit_warning_errno(UNIT(s), r, "Failed to watch sockets: %m");
- goto fail;
+ socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
+ return;
}
socket_set_state(s, SOCKET_LISTENING);
- return;
-
-fail:
- socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
}
static void socket_enter_start_post(Socket *s) {
r = socket_spawn(s, s->control_command, &s->control_pid);
if (r < 0) {
- log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-post' task: %m");
- goto fail;
+ log_unit_warning_errno(UNIT(s), r, "Failed to spawn 'start-post' task: %m");
+ socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
+ return;
}
socket_set_state(s, SOCKET_START_POST);
} else
socket_enter_listening(s);
-
- return;
-
-fail:
- socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
}
static void socket_enter_start_chown(Socket *s) {
r = socket_chown(s, &s->control_pid);
if (r < 0) {
- log_unit_warning_errno(UNIT(s), r, "Failed to fork 'start-chown' task: %m");
+ log_unit_warning_errno(UNIT(s), r, "Failed to spawn 'start-chown' task: %m");
goto fail;
}
r = socket_spawn(s, s->control_command, &s->control_pid);
if (r < 0) {
- log_unit_warning_errno(UNIT(s), r, "Failed to run 'start-pre' task: %m");
- goto fail;
+ log_unit_warning_errno(UNIT(s), r, "Failed to spawn 'start-pre' task: %m");
+ socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
+ return;
}
socket_set_state(s, SOCKET_START_PRE);
} else
socket_enter_start_chown(s);
-
- return;
-
-fail:
- socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
}
static void flush_ports(Socket *s) {
goto refuse;
}
- if (cfd < 0) {
+ if (cfd < 0) { /* Accept=no case */
bool pending = false;
Unit *other;
if (!pending) {
if (!UNIT_ISSET(s->service)) {
- r = log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOENT),
- "Service to activate vanished, refusing activation.");
+ r = log_unit_warning_errno(UNIT(s), SYNTHETIC_ERRNO(ENOENT),
+ "Service to activate vanished, refusing activation.");
goto fail;
}
r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT_DEREF(s->service), JOB_REPLACE, NULL, &error, NULL);
if (r < 0)
- goto fail;
+ goto queue_error;
}
socket_set_state(s, SOCKET_RUNNING);
- } else {
+ } else { /* Accept=yes case */
_cleanup_(socket_peer_unrefp) SocketPeer *p = NULL;
Unit *service;
if (r < 0) {
if (ERRNO_IS_DISCONNECT(r))
return;
+
+ log_unit_warning_errno(UNIT(s), r, "Failed to load connection service unit: %m");
goto fail;
}
r = unit_add_two_dependencies(UNIT(s), UNIT_BEFORE, UNIT_TRIGGERS, service,
false, UNIT_DEPENDENCY_IMPLICIT);
- if (r < 0)
+ if (r < 0) {
+ log_unit_warning_errno(UNIT(s), r, "Failed to add Before=/Triggers= dependencies on connection unit: %m");
goto fail;
+ }
s->n_accepted++;
if (r < 0) {
if (ERRNO_IS_DISCONNECT(r))
return;
+
+ log_unit_warning_errno(UNIT(s), r, "Failed to set socket on service: %m");
goto fail;
}
/* We failed to activate the new service, but it still exists. Let's make sure the
* service closes and forgets the connection fd again, immediately. */
service_release_socket_fd(SERVICE(service));
- goto fail;
+ goto queue_error;
}
/* Notify clients about changed counters */
unit_add_to_dbus_queue(UNIT(s));
}
- TAKE_FD(cfd);
return;
refuse:
s->n_refused++;
return;
-fail:
+queue_error:
if (ERRNO_IS_RESOURCE(r))
log_unit_warning(UNIT(s), "Failed to queue service startup job: %s",
bus_error_message(&error, r));
cfd >= 0 ? "template" : "non-template",
bus_error_message(&error, r));
+fail:
socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
}
pidref_done(&s->control_pid);
r = socket_spawn(s, s->control_command, &s->control_pid);
- if (r < 0)
- goto fail;
-
- return;
-
-fail:
- log_unit_warning_errno(UNIT(s), r, "Failed to run next task: %m");
+ if (r < 0) {
+ log_unit_warning_errno(UNIT(s), r, "Failed to spawn next task: %m");
- if (s->state == SOCKET_START_POST)
- socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
- else if (s->state == SOCKET_STOP_POST)
- socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
- else
- socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
+ if (s->state == SOCKET_START_POST)
+ socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
+ else if (s->state == SOCKET_STOP_POST)
+ socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
+ else
+ socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_RESOURCES);
+ }
}
static int socket_start(Unit *u) {
}
static int socket_accept_in_cgroup(Socket *s, SocketPort *p, int fd) {
+ _cleanup_(pidref_done) PidRef pid = PIDREF_NULL;
_cleanup_close_pair_ int pair[2] = PIPE_EBADF;
int cfd, r;
- pid_t pid;
assert(s);
assert(p);
cfd = receive_one_fd(pair[0], 0);
/* We synchronously wait for the helper, as it shouldn't be slow */
- r = wait_for_terminate_and_check("(sd-accept)", pid, WAIT_LOG_ABNORMAL);
+ r = wait_for_terminate_and_check("(sd-accept)", pid.pid, WAIT_LOG_ABNORMAL);
if (r < 0) {
safe_close(cfd);
return r;
static int socket_clean(Unit *u, ExecCleanMask mask) {
_cleanup_strv_free_ char **l = NULL;
Socket *s = SOCKET(u);
- pid_t pid;
int r;
assert(s);
s->control_command = NULL;
s->control_command_id = _SOCKET_EXEC_COMMAND_INVALID;
- r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->exec_context.timeout_clean_usec));
- if (r < 0)
- goto fail;
-
- r = unit_fork_and_watch_rm_rf(u, l, &pid);
- if (r < 0)
+ r = socket_arm_timer(s, /* relative= */ true, s->exec_context.timeout_clean_usec);
+ if (r < 0) {
+ log_unit_warning_errno(u, r, "Failed to install timer: %m");
goto fail;
+ }
- r = pidref_set_pid(&s->control_pid, pid);
- if (r < 0)
+ r = unit_fork_and_watch_rm_rf(u, l, &s->control_pid);
+ if (r < 0) {
+ log_unit_warning_errno(u, r, "Failed to spawn cleaning task: %m");
goto fail;
+ }
socket_set_state(s, SOCKET_CLEANING);
return 0;
fail:
- log_unit_warning_errno(u, r, "Failed to initiate cleaning: %m");
s->clean_result = SOCKET_FAILURE_RESOURCES;
s->timer_event_source = sd_event_source_disable_unref(s->timer_event_source);
return r;
projects / thirdparty / systemd.git / blobdiff