[thirdparty/systemd.git] / src / core / shutdown.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  Copyright © 2010 ProFUSION embedded systems
***/

#include <errno.h>
#include <getopt.h>
#include <linux/reboot.h>
#include <signal.h>
#include <stdbool.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/reboot.h>
#include <sys/stat.h>
#include <unistd.h>

#include "alloc-util.h"
#include "async.h"
#include "cgroup-util.h"
#include "def.h"
#include "exec-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "killall.h"
#include "log.h"
#include "missing.h"
#include "parse-util.h"
#include "process-util.h"
#include "reboot-util.h"
#include "signal-util.h"
#include "string-util.h"
#include "switch-root.h"
#include "terminal-util.h"
#include "umount.h"
#include "util.h"
#include "virt.h"
#include "watchdog.h"

#define SYNC_PROGRESS_ATTEMPTS 3
#define SYNC_TIMEOUT_USEC (10*USEC_PER_SEC)

static char* arg_verb;
static uint8_t arg_exit_code;
static usec_t arg_timeout = DEFAULT_TIMEOUT_USEC;

static int parse_argv(int argc, char *argv[]) {
        enum {
                ARG_LOG_LEVEL = 0x100,
                ARG_LOG_TARGET,
                ARG_LOG_COLOR,
                ARG_LOG_LOCATION,
                ARG_EXIT_CODE,
                ARG_TIMEOUT,
        };

        static const struct option options[] = {
                { "log-level",     required_argument, NULL, ARG_LOG_LEVEL    },
                { "log-target",    required_argument, NULL, ARG_LOG_TARGET   },
                { "log-color",     optional_argument, NULL, ARG_LOG_COLOR    },
                { "log-location",  optional_argument, NULL, ARG_LOG_LOCATION },
                { "exit-code",     required_argument, NULL, ARG_EXIT_CODE    },
                { "timeout",       required_argument, NULL, ARG_TIMEOUT      },
                {}
        };

        int c, r;

        assert(argc >= 1);
        assert(argv);

        /* "-" prevents getopt from permuting argv[] and moving the verb away
         * from argv[1]. Our interface to initrd promises it'll be there. */
        while ((c = getopt_long(argc, argv, "-", options, NULL)) >= 0)
                switch (c) {

                case ARG_LOG_LEVEL:
                        r = log_set_max_level_from_string(optarg);
                        if (r < 0)
                                log_error_errno(r, "Failed to parse log level %s, ignoring: %m", optarg);

                        break;

                case ARG_LOG_TARGET:
                        r = log_set_target_from_string(optarg);
                        if (r < 0)
                                log_error_errno(r, "Failed to parse log target %s, ignoring: %m", optarg);

                        break;

                case ARG_LOG_COLOR:

                        if (optarg) {
                                r = log_show_color_from_string(optarg);
                                if (r < 0)
                                        log_error_errno(r, "Failed to parse log color setting %s, ignoring: %m", optarg);
                        } else
                                log_show_color(true);

                        break;

                case ARG_LOG_LOCATION:
                        if (optarg) {
                                r = log_show_location_from_string(optarg);
                                if (r < 0)
                                        log_error_errno(r, "Failed to parse log location setting %s, ignoring: %m", optarg);
                        } else
                                log_show_location(true);

                        break;

                case ARG_EXIT_CODE:
                        r = safe_atou8(optarg, &arg_exit_code);
                        if (r < 0)
                                log_error_errno(r, "Failed to parse exit code %s, ignoring: %m", optarg);

                        break;

                case ARG_TIMEOUT:
                        r = parse_sec(optarg, &arg_timeout);
                        if (r < 0)
                                log_error_errno(r, "Failed to parse shutdown timeout %s, ignoring: %m", optarg);

                        break;

                case '\001':
                        if (!arg_verb)
                                arg_verb = optarg;
                        else
                                log_error("Excess arguments, ignoring");
                        break;

                case '?':
                        return -EINVAL;

                default:
                        assert_not_reached("Unhandled option code.");
                }

        if (!arg_verb) {
                log_error("Verb argument missing.");
                return -EINVAL;
        }

        return 0;
}

static int switch_root_initramfs(void) {
        if (mount("/run/initramfs", "/run/initramfs", NULL, MS_BIND, NULL) < 0)
                return log_error_errno(errno, "Failed to mount bind /run/initramfs on /run/initramfs: %m");

        if (mount(NULL, "/run/initramfs", NULL, MS_PRIVATE, NULL) < 0)
                return log_error_errno(errno, "Failed to make /run/initramfs private mount: %m");

        /* switch_root with MS_BIND, because there might still be processes lurking around, which have open file descriptors.
         * /run/initramfs/shutdown will take care of these.
         * Also do not detach the old root, because /run/initramfs/shutdown needs to access it.
         */
        return switch_root("/run/initramfs", "/oldroot", false, MS_BIND);
}

/* Read the following fields from /proc/meminfo:
 *
 *  NFS_Unstable
 *  Writeback
 *  Dirty
 *
 * Return true if the sum of these fields is greater than the previous
 * value input. For all other issues, report the failure and indicate that
 * the sync is not making progress.
 */
static bool sync_making_progress(unsigned long long *prev_dirty) {
        _cleanup_fclose_ FILE *f = NULL;
        unsigned long long val = 0;
        bool r = false;

        f = fopen("/proc/meminfo", "re");
        if (!f)
                return log_warning_errno(errno, "Failed to open /proc/meminfo: %m");

        for (;;) {
                _cleanup_free_ char *line = NULL;
                unsigned long long ull = 0;
                int q;

                q = read_line(f, LONG_LINE_MAX, &line);
                if (q < 0)
                        return log_warning_errno(q, "Failed to parse /proc/meminfo: %m");
                if (q == 0)
                        break;

                if (!first_word(line, "NFS_Unstable:") && !first_word(line, "Writeback:") && !first_word(line, "Dirty:"))
                        continue;

                errno = 0;
                if (sscanf(line, "%*s %llu %*s", &ull) != 1) {
                        if (errno != 0)
                                log_warning_errno(errno, "Failed to parse /proc/meminfo: %m");
                        else
                                log_warning("Failed to parse /proc/meminfo");

                        return false;
                }

                val += ull;
        }

        r = *prev_dirty > val;

        *prev_dirty = val;

        return r;
}

static void sync_with_progress(void) {
        unsigned long long dirty = ULONG_LONG_MAX;
        unsigned checks;
        pid_t pid;
        int r;

        BLOCK_SIGNALS(SIGCHLD);

        /* Due to the possiblity of the sync operation hanging, we fork a child process and monitor the progress. If
         * the timeout lapses, the assumption is that that particular sync stalled. */

        r = asynchronous_sync(&pid);
        if (r < 0) {
                log_error_errno(r, "Failed to fork sync(): %m");
                return;
        }

        log_info("Syncing filesystems and block devices.");

        /* Start monitoring the sync operation. If more than
         * SYNC_PROGRESS_ATTEMPTS lapse without progress being made,
         * we assume that the sync is stalled */
        for (checks = 0; checks < SYNC_PROGRESS_ATTEMPTS; checks++) {
                r = wait_for_terminate_with_timeout(pid, SYNC_TIMEOUT_USEC);
                if (r == 0)
                        /* Sync finished without error.
                         * (The sync itself does not return an error code) */
                        return;
                else if (r == -ETIMEDOUT) {
                        /* Reset the check counter if the "Dirty" value is
                         * decreasing */
                        if (sync_making_progress(&dirty))
                                checks = 0;
                } else {
                        log_error_errno(r, "Failed to sync filesystems and block devices: %m");
                        return;
                }
        }

        /* Only reached in the event of a timeout. We should issue a kill
         * to the stray process. */
        log_error("Syncing filesystems and block devices - timed out, issuing SIGKILL to PID "PID_FMT".", pid);
        (void) kill(pid, SIGKILL);
}

int main(int argc, char *argv[]) {
        bool need_umount, need_swapoff, need_loop_detach, need_dm_detach;
        bool in_container, use_watchdog = false, can_initrd;
        _cleanup_free_ char *cgroup = NULL;
        char *arguments[3];
        int cmd, r, umount_log_level = LOG_INFO;
        static const char* const dirs[] = {SYSTEM_SHUTDOWN_PATH, NULL};
        char *watchdog_device;

        /* The log target defaults to console, but the original systemd process will pass its log target in through a
         * command line argument, which will override this default. Also, ensure we'll never log to the journal or
         * syslog, as these logging daemons are either already dead or will die very soon. */

        log_set_target(LOG_TARGET_CONSOLE);
        log_set_prohibit_ipc(true);
        log_parse_environment();

        r = parse_argv(argc, argv);
        if (r < 0)
                goto error;

        log_open();

        umask(0022);

        if (getpid_cached() != 1) {
                log_error("Not executed by init (PID 1).");
                r = -EPERM;
                goto error;
        }

        if (streq(arg_verb, "reboot"))
                cmd = RB_AUTOBOOT;
        else if (streq(arg_verb, "poweroff"))
                cmd = RB_POWER_OFF;
        else if (streq(arg_verb, "halt"))
                cmd = RB_HALT_SYSTEM;
        else if (streq(arg_verb, "kexec"))
                cmd = LINUX_REBOOT_CMD_KEXEC;
        else if (streq(arg_verb, "exit"))
                cmd = 0; /* ignored, just checking that arg_verb is valid */
        else {
                log_error("Unknown action '%s'.", arg_verb);
                r = -EINVAL;
                goto error;
        }

        (void) cg_get_root_path(&cgroup);
        in_container = detect_container() > 0;

        use_watchdog = getenv("WATCHDOG_USEC");
        watchdog_device = getenv("WATCHDOG_DEVICE");
        if (watchdog_device) {
                r = watchdog_set_device(watchdog_device);
                if (r < 0)
                        log_warning_errno(r, "Failed to set watchdog device to %s, ignoring: %m",
                                          watchdog_device);
        }

        /* Lock us into memory */
        (void) mlockall(MCL_CURRENT|MCL_FUTURE);

        /* Synchronize everything that is not written to disk yet at this point already. This is a good idea so that
         * slow IO is processed here already and the final process killing spree is not impacted by processes
         * desperately trying to sync IO to disk within their timeout. Do not remove this sync, data corruption will
         * result. */
        if (!in_container)
                sync_with_progress();

        disable_coredumps();

        log_info("Sending SIGTERM to remaining processes...");
        broadcast_signal(SIGTERM, true, true, arg_timeout);

        log_info("Sending SIGKILL to remaining processes...");
        broadcast_signal(SIGKILL, true, false, arg_timeout);

        need_umount = !in_container;
        need_swapoff = !in_container;
        need_loop_detach = !in_container;
        need_dm_detach = !in_container;
        can_initrd = !in_container && !in_initrd() && access("/run/initramfs/shutdown", X_OK) == 0;

        /* Unmount all mountpoints, swaps, and loopback devices */
        for (;;) {
                bool changed = false;

                if (use_watchdog)
                        watchdog_ping();

                /* Let's trim the cgroup tree on each iteration so
                   that we leave an empty cgroup tree around, so that
                   container managers get a nice notify event when we
                   are down */
                if (cgroup)
                        cg_trim(SYSTEMD_CGROUP_CONTROLLER, cgroup, false);

                if (need_umount) {
                        log_info("Unmounting file systems.");
                        r = umount_all(&changed, umount_log_level);
                        if (r == 0) {
                                need_umount = false;
                                log_info("All filesystems unmounted.");
                        } else if (r > 0)
                                log_info("Not all file systems unmounted, %d left.", r);
                        else
                                log_error_errno(r, "Failed to unmount file systems: %m");
                }

                if (need_swapoff) {
                        log_info("Deactivating swaps.");
                        r = swapoff_all(&changed);
                        if (r == 0) {
                                need_swapoff = false;
                                log_info("All swaps deactivated.");
                        } else if (r > 0)
                                log_info("Not all swaps deactivated, %d left.", r);
                        else
                                log_error_errno(r, "Failed to deactivate swaps: %m");
                }

                if (need_loop_detach) {
                        log_info("Detaching loop devices.");
                        r = loopback_detach_all(&changed, umount_log_level);
                        if (r == 0) {
                                need_loop_detach = false;
                                log_info("All loop devices detached.");
                        } else if (r > 0)
                                log_info("Not all loop devices detached, %d left.", r);
                        else
                                log_error_errno(r, "Failed to detach loop devices: %m");
                }

                if (need_dm_detach) {
                        log_info("Detaching DM devices.");
                        r = dm_detach_all(&changed, umount_log_level);
                        if (r == 0) {
                                need_dm_detach = false;
                                log_info("All DM devices detached.");
                        } else if (r > 0)
                                log_info("Not all DM devices detached, %d left.", r);
                        else
                                log_error_errno(r, "Failed to detach DM devices: %m");
                }

                if (!need_umount && !need_swapoff && !need_loop_detach && !need_dm_detach) {
                        log_info("All filesystems, swaps, loop devices and DM devices detached.");
                        /* Yay, done */
                        break;
                }

                if (!changed && umount_log_level == LOG_INFO && !can_initrd) {
                        /* There are things we cannot get rid of. Loop one more time
                         * with LOG_ERR to inform the user. Note that we don't need
                         * to do this if there is a initrd to switch to, because that
                         * one is likely to get rid of the remounting mounts. If not,
                         * it will log about them. */
                        umount_log_level = LOG_ERR;
                        continue;
                }

                /* If in this iteration we didn't manage to
                 * unmount/deactivate anything, we simply give up */
                if (!changed) {
                        log_info("Cannot finalize remaining%s%s%s%s continuing.",
                                 need_umount ? " file systems," : "",
                                 need_swapoff ? " swap devices," : "",
                                 need_loop_detach ? " loop devices," : "",
                                 need_dm_detach ? " DM devices," : "");
                        break;
                }

                log_debug("Couldn't finalize remaining %s%s%s%s trying again.",
                          need_umount ? " file systems," : "",
                          need_swapoff ? " swap devices," : "",
                          need_loop_detach ? " loop devices," : "",
                          need_dm_detach ? " DM devices," : "");
        }

        /* We're done with the watchdog. */
        watchdog_free_device();

        arguments[0] = NULL;
        arguments[1] = arg_verb;
        arguments[2] = NULL;
        execute_directories(dirs, DEFAULT_TIMEOUT_USEC, NULL, NULL, arguments, NULL);

        if (can_initrd) {
                r = switch_root_initramfs();
                if (r >= 0) {
                        argv[0] = (char*) "/shutdown";

                        setsid();
                        make_console_stdio();

                        log_info("Successfully changed into root pivot.\n"
                                 "Returning to initrd...");

                        execv("/shutdown", argv);
                        log_error_errno(errno, "Failed to execute shutdown binary: %m");
                } else
                        log_error_errno(r, "Failed to switch root to \"/run/initramfs\": %m");

        }

        if (need_umount || need_swapoff || need_loop_detach || need_dm_detach)
                log_error("Failed to finalize %s%s%s%s ignoring",
                          need_umount ? " file systems," : "",
                          need_swapoff ? " swap devices," : "",
                          need_loop_detach ? " loop devices," : "",
                          need_dm_detach ? " DM devices," : "");

        /* The kernel will automatically flush ATA disks and suchlike on reboot(), but the file systems need to be
         * sync'ed explicitly in advance. So let's do this here, but not needlessly slow down containers. Note that we
         * sync'ed things already once above, but we did some more work since then which might have caused IO, hence
         * let's do it once more. Do not remove this sync, data corruption will result. */
        if (!in_container)
                sync_with_progress();

        if (streq(arg_verb, "exit")) {
                if (in_container)
                        return arg_exit_code;

                cmd = RB_POWER_OFF; /* We cannot exit() on the host, fallback on another method. */
        }

        switch (cmd) {

        case LINUX_REBOOT_CMD_KEXEC:

                if (!in_container) {
                        /* We cheat and exec kexec to avoid doing all its work */
                        log_info("Rebooting with kexec.");

                        r = safe_fork("(sd-kexec)", FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_LOG|FORK_WAIT, NULL);
                        if (r == 0) {
                                const char * const args[] = {
                                        KEXEC, "-e", NULL
                                };

                                /* Child */

                                execv(args[0], (char * const *) args);
                                _exit(EXIT_FAILURE);
                        }

                        /* If we are still running, then the kexec can't have worked, let's fall through */
                }

                cmd = RB_AUTOBOOT;
                _fallthrough_;

        case RB_AUTOBOOT:
                (void) reboot_with_parameter(REBOOT_LOG);
                log_info("Rebooting.");
                break;

        case RB_POWER_OFF:
                log_info("Powering off.");
                break;

        case RB_HALT_SYSTEM:
                log_info("Halting system.");
                break;

        default:
                assert_not_reached("Unknown magic");
        }

        (void) reboot(cmd);
        if (errno == EPERM && in_container) {
                /* If we are in a container, and we lacked
                 * CAP_SYS_BOOT just exit, this will kill our
                 * container for good. */
                log_info("Exiting container.");
                return EXIT_SUCCESS;
        }

        r = log_error_errno(errno, "Failed to invoke reboot(): %m");

  error:
        log_emergency_errno(r, "Critical error while doing system shutdown: %m");
        freeze();
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
b1b2a107	2	/***
96b2fb93	3	Copyright © 2010 ProFUSION embedded systems
b1b2a107 FF	4	***/
b1b2a107 FF	5
b1b2a107	6	#include <errno.h>
07630cea	7	#include <getopt.h>
c01dcddf	8	#include <linux/reboot.h>
b1b2a107 FF	9	#include <signal.h>
	10	#include <stdbool.h>
	11	#include <stdlib.h>
07630cea LP	12	#include <sys/mman.h>
	13	#include <sys/mount.h>
	14	#include <sys/reboot.h>
	15	#include <sys/stat.h>
	16	#include <unistd.h>
b1b2a107	17
b5efdb8a	18	#include "alloc-util.h"
d00c2631	19	#include "async.h"
07630cea LP	20	#include "cgroup-util.h"
07630cea LP	21	#include "def.h"
89711996	22	#include "exec-util.h"
d00c2631	23	#include "fd-util.h"
ec26be51	24	#include "fileio.h"
07630cea LP	25	#include "killall.h"
	26	#include "log.h"
	27	#include "missing.h"
6bedfcbb	28	#include "parse-util.h"
07630cea	29	#include "process-util.h"
c01dcddf	30	#include "reboot-util.h"
73ad712f	31	#include "signal-util.h"
07630cea LP	32	#include "string-util.h"
	33	#include "switch-root.h"
	34	#include "terminal-util.h"
b1b2a107 FF	35	#include "umount.h"
b1b2a107 FF	36	#include "util.h"
b52aae1d	37	#include "virt.h"
e96d6be7	38	#include "watchdog.h"
b1b2a107	39
73ad712f KW	40	#define SYNC_PROGRESS_ATTEMPTS 3
	41	#define SYNC_TIMEOUT_USEC (10*USEC_PER_SEC)
	42
b1e90ec5	43	static char* arg_verb;
287419c1	44	static uint8_t arg_exit_code;
e73c54b8	45	static usec_t arg_timeout = DEFAULT_TIMEOUT_USEC;
b1e90ec5 ZJS	46
	47	static int parse_argv(int argc, char *argv[]) {
	48	enum {
	49	ARG_LOG_LEVEL = 0x100,
	50	ARG_LOG_TARGET,
	51	ARG_LOG_COLOR,
	52	ARG_LOG_LOCATION,
287419c1	53	ARG_EXIT_CODE,
e73c54b8	54	ARG_TIMEOUT,
b1e90ec5 ZJS	55	};
	56
	57	static const struct option options[] = {
	58	{ "log-level", required_argument, NULL, ARG_LOG_LEVEL },
	59	{ "log-target", required_argument, NULL, ARG_LOG_TARGET },
	60	{ "log-color", optional_argument, NULL, ARG_LOG_COLOR },
	61	{ "log-location", optional_argument, NULL, ARG_LOG_LOCATION },
287419c1	62	{ "exit-code", required_argument, NULL, ARG_EXIT_CODE },
e73c54b8	63	{ "timeout", required_argument, NULL, ARG_TIMEOUT },
b1e90ec5 ZJS	64	{}
	65	};
	66
	67	int c, r;
	68
	69	assert(argc >= 1);
	70	assert(argv);
	71
4b5d8d0f MS	72	/* "-" prevents getopt from permuting argv[] and moving the verb away
	73	* from argv[1]. Our interface to initrd promises it'll be there. */
	74	while ((c = getopt_long(argc, argv, "-", options, NULL)) >= 0)
b1e90ec5 ZJS	75	switch (c) {
	76
	77	case ARG_LOG_LEVEL:
	78	r = log_set_max_level_from_string(optarg);
	79	if (r < 0)
5e1ee764	80	log_error_errno(r, "Failed to parse log level %s, ignoring: %m", optarg);
b1e90ec5 ZJS	81
	82	break;
	83
	84	case ARG_LOG_TARGET:
	85	r = log_set_target_from_string(optarg);
	86	if (r < 0)
5e1ee764	87	log_error_errno(r, "Failed to parse log target %s, ignoring: %m", optarg);
b1e90ec5 ZJS	88
	89	break;
	90
	91	case ARG_LOG_COLOR:
	92
	93	if (optarg) {
	94	r = log_show_color_from_string(optarg);
	95	if (r < 0)
5e1ee764	96	log_error_errno(r, "Failed to parse log color setting %s, ignoring: %m", optarg);
b1e90ec5 ZJS	97	} else
	98	log_show_color(true);
	99
	100	break;
	101
	102	case ARG_LOG_LOCATION:
	103	if (optarg) {
	104	r = log_show_location_from_string(optarg);
	105	if (r < 0)
5e1ee764	106	log_error_errno(r, "Failed to parse log location setting %s, ignoring: %m", optarg);
b1e90ec5 ZJS	107	} else
	108	log_show_location(true);
	109
	110	break;
	111
287419c1 AC	112	case ARG_EXIT_CODE:
	113	r = safe_atou8(optarg, &arg_exit_code);
	114	if (r < 0)
5e1ee764	115	log_error_errno(r, "Failed to parse exit code %s, ignoring: %m", optarg);
287419c1 AC	116
	117	break;
	118
e73c54b8 JK	119	case ARG_TIMEOUT:
	120	r = parse_sec(optarg, &arg_timeout);
	121	if (r < 0)
5e1ee764	122	log_error_errno(r, "Failed to parse shutdown timeout %s, ignoring: %m", optarg);
e73c54b8 JK	123
	124	break;
	125
4b5d8d0f MS	126	case '\001':
	127	if (!arg_verb)
	128	arg_verb = optarg;
	129	else
	130	log_error("Excess arguments, ignoring");
	131	break;
	132
b1e90ec5	133	case '?':
b1e90ec5 ZJS	134	return -EINVAL;
	135
	136	default:
	137	assert_not_reached("Unhandled option code.");
	138	}
	139
4b5d8d0f	140	if (!arg_verb) {
b1e90ec5 ZJS	141	log_error("Verb argument missing.");
	142	return -EINVAL;
	143	}
	144
b1e90ec5 ZJS	145	return 0;
	146	}
	147
5a4bf02f	148	static int switch_root_initramfs(void) {
4a62c710 MS	149	if (mount("/run/initramfs", "/run/initramfs", NULL, MS_BIND, NULL) < 0)
4a62c710 MS	150	return log_error_errno(errno, "Failed to mount bind /run/initramfs on /run/initramfs: %m");
89d471d5	151
4a62c710 MS	152	if (mount(NULL, "/run/initramfs", NULL, MS_PRIVATE, NULL) < 0)
4a62c710 MS	153	return log_error_errno(errno, "Failed to make /run/initramfs private mount: %m");
89d471d5	154
f131770b	155	/* switch_root with MS_BIND, because there might still be processes lurking around, which have open file descriptors.
5a4bf02f HH	156	* /run/initramfs/shutdown will take care of these.
	157	* Also do not detach the old root, because /run/initramfs/shutdown needs to access it.
	158	*/
	159	return switch_root("/run/initramfs", "/oldroot", false, MS_BIND);
7cb1094a HH	160	}
7cb1094a HH	161
73ad712f KW	162	/* Read the following fields from /proc/meminfo:
	163	*
	164	* NFS_Unstable
	165	* Writeback
	166	* Dirty
	167	*
	168	* Return true if the sum of these fields is greater than the previous
	169	* value input. For all other issues, report the failure and indicate that
	170	* the sync is not making progress.
	171	*/
	172	static bool sync_making_progress(unsigned long long *prev_dirty) {
	173	_cleanup_fclose_ FILE *f = NULL;
73ad712f	174	unsigned long long val = 0;
a34f0dae	175	bool r = false;
73ad712f KW	176
	177	f = fopen("/proc/meminfo", "re");
	178	if (!f)
	179	return log_warning_errno(errno, "Failed to open /proc/meminfo: %m");
	180
a34f0dae LP	181	for (;;) {
a34f0dae LP	182	_cleanup_free_ char *line = NULL;
73ad712f	183	unsigned long long ull = 0;
a34f0dae LP	184	int q;
	185
	186	q = read_line(f, LONG_LINE_MAX, &line);
	187	if (q < 0)
	188	return log_warning_errno(q, "Failed to parse /proc/meminfo: %m");
	189	if (q == 0)
	190	break;
73ad712f KW	191
	192	if (!first_word(line, "NFS_Unstable:") && !first_word(line, "Writeback:") && !first_word(line, "Dirty:"))
	193	continue;
	194
	195	errno = 0;
	196	if (sscanf(line, "%s %llu %s", &ull) != 1) {
	197	if (errno != 0)
	198	log_warning_errno(errno, "Failed to parse /proc/meminfo: %m");
	199	else
	200	log_warning("Failed to parse /proc/meminfo");
	201
	202	return false;
	203	}
	204
	205	val += ull;
	206	}
	207
	208	r = *prev_dirty > val;
	209
	210	*prev_dirty = val;
	211
	212	return r;
	213	}
	214
	215	static void sync_with_progress(void) {
d00c2631	216	unsigned long long dirty = ULONG_LONG_MAX;
73ad712f KW	217	unsigned checks;
	218	pid_t pid;
	219	int r;
73ad712f KW	220
	221	BLOCK_SIGNALS(SIGCHLD);
	222
d00c2631 LP	223	/* Due to the possiblity of the sync operation hanging, we fork a child process and monitor the progress. If
	224	* the timeout lapses, the assumption is that that particular sync stalled. */
	225
	226	r = asynchronous_sync(&pid);
4c253ed1	227	if (r < 0) {
d00c2631	228	log_error_errno(r, "Failed to fork sync(): %m");
73ad712f KW	229	return;
73ad712f KW	230	}
73ad712f KW	231
	232	log_info("Syncing filesystems and block devices.");
	233
	234	/* Start monitoring the sync operation. If more than
	235	* SYNC_PROGRESS_ATTEMPTS lapse without progress being made,
	236	* we assume that the sync is stalled */
	237	for (checks = 0; checks < SYNC_PROGRESS_ATTEMPTS; checks++) {
	238	r = wait_for_terminate_with_timeout(pid, SYNC_TIMEOUT_USEC);
	239	if (r == 0)
	240	/* Sync finished without error.
	241	* (The sync itself does not return an error code) */
	242	return;
	243	else if (r == -ETIMEDOUT) {
	244	/* Reset the check counter if the "Dirty" value is
	245	* decreasing */
	246	if (sync_making_progress(&dirty))
	247	checks = 0;
	248	} else {
	249	log_error_errno(r, "Failed to sync filesystems and block devices: %m");
	250	return;
	251	}
	252	}
	253
	254	/* Only reached in the event of a timeout. We should issue a kill
	255	* to the stray process. */
	256	log_error("Syncing filesystems and block devices - timed out, issuing SIGKILL to PID "PID_FMT".", pid);
	257	(void) kill(pid, SIGKILL);
	258	}
	259
b1b2a107	260	int main(int argc, char *argv[]) {
8c977838	261	bool need_umount, need_swapoff, need_loop_detach, need_dm_detach;
456b2199	262	bool in_container, use_watchdog = false, can_initrd;
06beed6d	263	_cleanup_free_ char *cgroup = NULL;
6edd7d0a	264	char *arguments[3];
456b2199	265	int cmd, r, umount_log_level = LOG_INFO;
e801700e	266	static const char* const dirs[] = {SYSTEM_SHUTDOWN_PATH, NULL};
8a2c1fbf	267	char *watchdog_device;
b1b2a107	268
e18805fb LP	269	/* The log target defaults to console, but the original systemd process will pass its log target in through a
	270	* command line argument, which will override this default. Also, ensure we'll never log to the journal or
	271	* syslog, as these logging daemons are either already dead or will die very soon. */
	272
	273	log_set_target(LOG_TARGET_CONSOLE);
	274	log_set_prohibit_ipc(true);
b1e90ec5	275	log_parse_environment();
e18805fb	276
b1e90ec5 ZJS	277	r = parse_argv(argc, argv);
	278	if (r < 0)
	279	goto error;
ec26be51	280
b1b2a107 FF	281	log_open();
b1b2a107 FF	282
4c12626c LP	283	umask(0022);
4c12626c LP	284
df0ff127	285	if (getpid_cached() != 1) {
b1e90ec5	286	log_error("Not executed by init (PID 1).");
b1b2a107 FF	287	r = -EPERM;
	288	goto error;
	289	}
	290
b1e90ec5	291	if (streq(arg_verb, "reboot"))
b1b2a107	292	cmd = RB_AUTOBOOT;
b1e90ec5	293	else if (streq(arg_verb, "poweroff"))
b1b2a107	294	cmd = RB_POWER_OFF;
b1e90ec5	295	else if (streq(arg_verb, "halt"))
b1b2a107	296	cmd = RB_HALT_SYSTEM;
b1e90ec5	297	else if (streq(arg_verb, "kexec"))
b1b2a107	298	cmd = LINUX_REBOOT_CMD_KEXEC;
287419c1 AC	299	else if (streq(arg_verb, "exit"))
287419c1 AC	300	cmd = 0; /* ignored, just checking that arg_verb is valid */
b1b2a107	301	else {
b1e90ec5	302	log_error("Unknown action '%s'.", arg_verb);
e18805fb	303	r = -EINVAL;
b1b2a107 FF	304	goto error;
	305	}
	306
0b9aa270	307	(void) cg_get_root_path(&cgroup);
2e79d182	308	in_container = detect_container() > 0;
41f85451	309
5d904a6a	310	use_watchdog = getenv("WATCHDOG_USEC");
8a2c1fbf EJ	311	watchdog_device = getenv("WATCHDOG_DEVICE");
	312	if (watchdog_device) {
	313	r = watchdog_set_device(watchdog_device);
	314	if (r < 0)
	315	log_warning_errno(r, "Failed to set watchdog device to %s, ignoring: %m",
	316	watchdog_device);
	317	}
e96d6be7	318
2e79d182	319	/* Lock us into memory */
e18805fb	320	(void) mlockall(MCL_CURRENT\|MCL_FUTURE);
b1b2a107	321
2e79d182 LP	322	/* Synchronize everything that is not written to disk yet at this point already. This is a good idea so that
2e79d182 LP	323	* slow IO is processed here already and the final process killing spree is not impacted by processes
73ad712f KW	324	* desperately trying to sync IO to disk within their timeout. Do not remove this sync, data corruption will
73ad712f KW	325	* result. */
2e79d182	326	if (!in_container)
73ad712f	327	sync_with_progress();
2e79d182	328
e557b1a6	329	disable_coredumps();
27b372c1	330
ab58e291	331	log_info("Sending SIGTERM to remaining processes...");
e73c54b8	332	broadcast_signal(SIGTERM, true, true, arg_timeout);
b1b2a107	333
ab58e291	334	log_info("Sending SIGKILL to remaining processes...");
e73c54b8	335	broadcast_signal(SIGKILL, true, false, arg_timeout);
40e85d00	336
d89b5fed	337	need_umount = !in_container;
8c977838 ZJS	338	need_swapoff = !in_container;
	339	need_loop_detach = !in_container;
	340	need_dm_detach = !in_container;
456b2199	341	can_initrd = !in_container && !in_initrd() && access("/run/initramfs/shutdown", X_OK) == 0;
b1b2a107	342
567ea02a	343	/* Unmount all mountpoints, swaps, and loopback devices */
ac9cea5b	344	for (;;) {
12aad1d0 LP	345	bool changed = false;
12aad1d0 LP	346
e96d6be7 LP	347	if (use_watchdog)
	348	watchdog_ping();
	349
41f85451 LP	350	/* Let's trim the cgroup tree on each iteration so
	351	that we leave an empty cgroup tree around, so that
	352	container managers get a nice notify event when we
	353	are down */
	354	if (cgroup)
	355	cg_trim(SYSTEMD_CGROUP_CONTROLLER, cgroup, false);
	356
b1b2a107	357	if (need_umount) {
ab58e291	358	log_info("Unmounting file systems.");
456b2199	359	r = umount_all(&changed, umount_log_level);
bce93b7a	360	if (r == 0) {
b1b2a107	361	need_umount = false;
bce93b7a MS	362	log_info("All filesystems unmounted.");
bce93b7a MS	363	} else if (r > 0)
ab58e291	364	log_info("Not all file systems unmounted, %d left.", r);
b1b2a107	365	else
da927ba9	366	log_error_errno(r, "Failed to unmount file systems: %m");
b1b2a107 FF	367	}
	368
	369	if (need_swapoff) {
735e0712	370	log_info("Deactivating swaps.");
12aad1d0	371	r = swapoff_all(&changed);
bce93b7a	372	if (r == 0) {
b1b2a107	373	need_swapoff = false;
735e0712	374	log_info("All swaps deactivated.");
bce93b7a	375	} else if (r > 0)
735e0712	376	log_info("Not all swaps deactivated, %d left.", r);
b1b2a107	377	else
da927ba9	378	log_error_errno(r, "Failed to deactivate swaps: %m");
b1b2a107 FF	379	}
	380
	381	if (need_loop_detach) {
	382	log_info("Detaching loop devices.");
456b2199	383	r = loopback_detach_all(&changed, umount_log_level);
bce93b7a	384	if (r == 0) {
b1b2a107	385	need_loop_detach = false;
bce93b7a MS	386	log_info("All loop devices detached.");
bce93b7a MS	387	} else if (r > 0)
ab58e291	388	log_info("Not all loop devices detached, %d left.", r);
b1b2a107	389	else
da927ba9	390	log_error_errno(r, "Failed to detach loop devices: %m");
d48141ba	391	}
b1b2a107	392
d48141ba LP	393	if (need_dm_detach) {
d48141ba LP	394	log_info("Detaching DM devices.");
456b2199	395	r = dm_detach_all(&changed, umount_log_level);
bce93b7a	396	if (r == 0) {
d48141ba	397	need_dm_detach = false;
bce93b7a MS	398	log_info("All DM devices detached.");
bce93b7a MS	399	} else if (r > 0)
2569a5ce	400	log_info("Not all DM devices detached, %d left.", r);
d48141ba	401	else
da927ba9	402	log_error_errno(r, "Failed to detach DM devices: %m");
b1b2a107 FF	403	}
b1b2a107 FF	404
a27d2184	405	if (!need_umount && !need_swapoff && !need_loop_detach && !need_dm_detach) {
ac9cea5b	406	log_info("All filesystems, swaps, loop devices and DM devices detached.");
12aad1d0	407	/* Yay, done */
ac9cea5b	408	break;
a27d2184	409	}
b1b2a107	410
456b2199 JJ	411	if (!changed && umount_log_level == LOG_INFO && !can_initrd) {
	412	/* There are things we cannot get rid of. Loop one more time
	413	* with LOG_ERR to inform the user. Note that we don't need
	414	* to do this if there is a initrd to switch to, because that
	415	* one is likely to get rid of the remounting mounts. If not,
	416	* it will log about them. */
	417	umount_log_level = LOG_ERR;
	418	continue;
	419	}
	420
12aad1d0	421	/* If in this iteration we didn't manage to
bd3fa1d2	422	* unmount/deactivate anything, we simply give up */
12aad1d0	423	if (!changed) {
8c977838 ZJS	424	log_info("Cannot finalize remaining%s%s%s%s continuing.",
	425	need_umount ? " file systems," : "",
	426	need_swapoff ? " swap devices," : "",
	427	need_loop_detach ? " loop devices," : "",
	428	need_dm_detach ? " DM devices," : "");
ac9cea5b	429	break;
12aad1d0 LP	430	}
12aad1d0 LP	431
ac9cea5b	432	log_debug("Couldn't finalize remaining %s%s%s%s trying again.",
8c977838 ZJS	433	need_umount ? " file systems," : "",
	434	need_swapoff ? " swap devices," : "",
	435	need_loop_detach ? " loop devices," : "",
	436	need_dm_detach ? " DM devices," : "");
b1b2a107 FF	437	}
b1b2a107 FF	438
8a2c1fbf EJ	439	/* We're done with the watchdog. */
	440	watchdog_free_device();
	441
6edd7d0a	442	arguments[0] = NULL;
b1e90ec5	443	arguments[1] = arg_verb;
6edd7d0a	444	arguments[2] = NULL;
78ec1bb4	445	execute_directories(dirs, DEFAULT_TIMEOUT_USEC, NULL, NULL, arguments, NULL);
83cc030f	446
456b2199	447	if (can_initrd) {
5a4bf02f HH	448	r = switch_root_initramfs();
5a4bf02f HH	449	if (r >= 0) {
a2726e5c	450	argv[0] = (char*) "/shutdown";
30d743f4	451
5a4bf02f HH	452	setsid();
	453	make_console_stdio();
	454
	455	log_info("Successfully changed into root pivot.\n"
	456	"Returning to initrd...");
30d743f4	457
a2726e5c	458	execv("/shutdown", argv);
56f64d95	459	log_error_errno(errno, "Failed to execute shutdown binary: %m");
5a4bf02f	460	} else
da927ba9	461	log_error_errno(r, "Failed to switch root to \"/run/initramfs\": %m");
5a4bf02f	462
7cb1094a HH	463	}
7cb1094a HH	464
8c977838 ZJS	465	if (need_umount \|\| need_swapoff \|\| need_loop_detach \|\| need_dm_detach)
	466	log_error("Failed to finalize %s%s%s%s ignoring",
	467	need_umount ? " file systems," : "",
	468	need_swapoff ? " swap devices," : "",
	469	need_loop_detach ? " loop devices," : "",
	470	need_dm_detach ? " DM devices," : "");
	471
2e79d182 LP	472	/* The kernel will automatically flush ATA disks and suchlike on reboot(), but the file systems need to be
	473	* sync'ed explicitly in advance. So let's do this here, but not needlessly slow down containers. Note that we
	474	* sync'ed things already once above, but we did some more work since then which might have caused IO, hence
73ad712f	475	* let's do it once more. Do not remove this sync, data corruption will result. */
0049f05a	476	if (!in_container)
73ad712f	477	sync_with_progress();
0049f05a	478
287419c1 AC	479	if (streq(arg_verb, "exit")) {
287419c1 AC	480	if (in_container)
1f409a0c LP	481	return arg_exit_code;
	482
	483	cmd = RB_POWER_OFF; /* We cannot exit() on the host, fallback on another method. */
287419c1 AC	484	}
287419c1 AC	485
477def80 LP	486	switch (cmd) {
	487
	488	case LINUX_REBOOT_CMD_KEXEC:
cb7ec564 LP	489
	490	if (!in_container) {
	491	/* We cheat and exec kexec to avoid doing all its work */
477def80	492	log_info("Rebooting with kexec.");
cb7ec564	493
1f5d1e02	494	r = safe_fork("(sd-kexec)", FORK_RESET_SIGNALS\|FORK_CLOSE_ALL_FDS\|FORK_LOG\|FORK_WAIT, NULL);
4c253ed1	495	if (r == 0) {
477def80 LP	496	const char * const args[] = {
	497	KEXEC, "-e", NULL
	498	};
	499
cb7ec564	500	/* Child */
477def80	501
cb7ec564	502	execv(args[0], (char * const *) args);
477def80	503	_exit(EXIT_FAILURE);
4c253ed1 LP	504	}
4c253ed1 LP	505
1f5d1e02	506	/* If we are still running, then the kexec can't have worked, let's fall through */
b1b2a107	507	}
e61cd186 LP	508
e61cd186 LP	509	cmd = RB_AUTOBOOT;
4831981d	510	_fallthrough_;
477def80	511
c01dcddf LP	512	case RB_AUTOBOOT:
c01dcddf LP	513	(void) reboot_with_parameter(REBOOT_LOG);
477def80 LP	514	log_info("Rebooting.");
	515	break;
	516
	517	case RB_POWER_OFF:
	518	log_info("Powering off.");
	519	break;
	520
	521	case RB_HALT_SYSTEM:
	522	log_info("Halting system.");
	523	break;
	524
	525	default:
	526	assert_not_reached("Unknown magic");
	527	}
cb7ec564	528
118cf952	529	(void) reboot(cmd);
cb7ec564 LP	530	if (errno == EPERM && in_container) {
	531	/* If we are in a container, and we lacked
	532	* CAP_SYS_BOOT just exit, this will kill our
	533	* container for good. */
477def80	534	log_info("Exiting container.");
1f409a0c	535	return EXIT_SUCCESS;
cb7ec564 LP	536	}
cb7ec564 LP	537
76ef789d	538	r = log_error_errno(errno, "Failed to invoke reboot(): %m");
b1b2a107 FF	539
b1b2a107 FF	540	error:
da927ba9	541	log_emergency_errno(r, "Critical error while doing system shutdown: %m");
b1b2a107	542	freeze();
b1b2a107	543	}