]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/journal/journald-context.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
4 #include <selinux/selinux.h>
7 #include "alloc-util.h"
8 #include "audit-util.h"
9 #include "cgroup-util.h"
14 #include "journal-util.h"
15 #include "journald-context.h"
16 #include "parse-util.h"
17 #include "process-util.h"
18 #include "string-util.h"
19 #include "syslog-util.h"
20 #include "unaligned.h"
21 #include "user-util.h"
23 /* This implements a metadata cache for clients, which are identified by their PID. Requesting metadata through /proc
24 * is expensive, hence let's cache the data if we can. Note that this means the metadata might be out-of-date when we
25 * store it, but it might already be anyway, as we request the data asynchronously from /proc at a different time the
26 * log entry was originally created. We hence just increase the "window of inaccuracy" a bit.
28 * The cache is indexed by the PID. Entries may be "pinned" in the cache, in which case the entries are not removed
29 * until they are unpinned. Unpinned entries are kept around until cache pressure is seen. Cache entries older than 5s
30 * are never used (a sad attempt to deal with the UNIX weakness of PIDs reuse), cache entries older than 1s are
31 * refreshed in an incremental way (meaning: data is reread from /proc, but any old data we can't refresh is not
32 * flushed out). Data newer than 1s is used immediately without refresh.
34 * Log stream clients (i.e. all clients using the AF_UNIX/SOCK_STREAM stdout/stderr transport) will pin a cache entry
35 * as long as their socket is connected. Note that cache entries are shared between different transports. That means a
36 * cache entry pinned for the stream connection logic may be reused for the syslog or native protocols.
38 * Caching metadata like this has two major benefits:
40 * 1. Reading metadata is expensive, and we can thus substantially speed up log processing under flood.
42 * 2. Because metadata caching is shared between stream and datagram transports and stream connections pin a cache
43 * entry there's a good chance we can properly map a substantial set of datagram log messages to their originating
44 * service, as all services (unless explicitly configured otherwise) will have their stdout/stderr connected to a
45 * stream connection. This should improve cases where a service process logs immediately before exiting and we
46 * previously had trouble associating the log message with the service.
48 * NB: With and without the metadata cache: the implicitly added entry metadata in the journal (with the exception of
49 * UID/PID/GID and SELinux label) must be understood as possibly slightly out of sync (i.e. sometimes slighly older
50 * and sometimes slightly newer than what was current at the log event).
53 /* We refresh every 1s */
54 #define REFRESH_USEC (1*USEC_PER_SEC)
56 /* Data older than 5s we flush out */
57 #define MAX_USEC (5*USEC_PER_SEC)
59 /* Keep at most 16K entries in the cache. (Note though that this limit may be violated if enough streams pin entries in
60 * the cache, in which case we *do* permit this limit to be breached. That's safe however, as the number of stream
61 * clients itself is limited.) */
62 #define CACHE_MAX (16*1024)
64 static int client_context_compare(const void *a
, const void *b
) {
65 const ClientContext
*x
= a
, *y
= b
;
68 r
= CMP(x
->timestamp
, y
->timestamp
);
72 return CMP(x
->pid
, y
->pid
);
75 static int client_context_new(Server
*s
, pid_t pid
, ClientContext
**ret
) {
80 assert(pid_is_valid(pid
));
83 r
= hashmap_ensure_allocated(&s
->client_contexts
, NULL
);
87 r
= prioq_ensure_allocated(&s
->client_contexts_lru
, client_context_compare
);
91 c
= new0(ClientContext
, 1);
99 c
->auditid
= AUDIT_SESSION_INVALID
;
100 c
->loginuid
= UID_INVALID
;
101 c
->owner_uid
= UID_INVALID
;
102 c
->lru_index
= PRIOQ_IDX_NULL
;
103 c
->timestamp
= USEC_INFINITY
;
104 c
->extra_fields_mtime
= NSEC_INFINITY
;
105 c
->log_level_max
= -1;
106 c
->log_rate_limit_interval
= s
->rate_limit_interval
;
107 c
->log_rate_limit_burst
= s
->rate_limit_burst
;
109 r
= hashmap_put(s
->client_contexts
, PID_TO_PTR(pid
), c
);
119 static void client_context_reset(Server
*s
, ClientContext
*c
) {
123 c
->timestamp
= USEC_INFINITY
;
125 c
->uid
= UID_INVALID
;
126 c
->gid
= GID_INVALID
;
128 c
->comm
= mfree(c
->comm
);
129 c
->exe
= mfree(c
->exe
);
130 c
->cmdline
= mfree(c
->cmdline
);
131 c
->capeff
= mfree(c
->capeff
);
133 c
->auditid
= AUDIT_SESSION_INVALID
;
134 c
->loginuid
= UID_INVALID
;
136 c
->cgroup
= mfree(c
->cgroup
);
137 c
->session
= mfree(c
->session
);
138 c
->owner_uid
= UID_INVALID
;
139 c
->unit
= mfree(c
->unit
);
140 c
->user_unit
= mfree(c
->user_unit
);
141 c
->slice
= mfree(c
->slice
);
142 c
->user_slice
= mfree(c
->user_slice
);
144 c
->invocation_id
= SD_ID128_NULL
;
146 c
->label
= mfree(c
->label
);
149 c
->extra_fields_iovec
= mfree(c
->extra_fields_iovec
);
150 c
->extra_fields_n_iovec
= 0;
151 c
->extra_fields_data
= mfree(c
->extra_fields_data
);
152 c
->extra_fields_mtime
= NSEC_INFINITY
;
154 c
->log_level_max
= -1;
156 c
->log_rate_limit_interval
= s
->rate_limit_interval
;
157 c
->log_rate_limit_burst
= s
->rate_limit_burst
;
160 static ClientContext
* client_context_free(Server
*s
, ClientContext
*c
) {
166 assert_se(hashmap_remove(s
->client_contexts
, PID_TO_PTR(c
->pid
)) == c
);
169 assert_se(prioq_remove(s
->client_contexts_lru
, c
, &c
->lru_index
) >= 0);
171 client_context_reset(s
, c
);
176 static void client_context_read_uid_gid(ClientContext
*c
, const struct ucred
*ucred
) {
178 assert(pid_is_valid(c
->pid
));
180 /* The ucred data passed in is always the most current and accurate, if we have any. Use it. */
181 if (ucred
&& uid_is_valid(ucred
->uid
))
184 (void) get_process_uid(c
->pid
, &c
->uid
);
186 if (ucred
&& gid_is_valid(ucred
->gid
))
189 (void) get_process_gid(c
->pid
, &c
->gid
);
192 static void client_context_read_basic(ClientContext
*c
) {
196 assert(pid_is_valid(c
->pid
));
198 if (get_process_comm(c
->pid
, &t
) >= 0)
199 free_and_replace(c
->comm
, t
);
201 if (get_process_exe(c
->pid
, &t
) >= 0)
202 free_and_replace(c
->exe
, t
);
204 if (get_process_cmdline(c
->pid
, 0, false, &t
) >= 0)
205 free_and_replace(c
->cmdline
, t
);
207 if (get_process_capeff(c
->pid
, &t
) >= 0)
208 free_and_replace(c
->capeff
, t
);
211 static int client_context_read_label(
213 const char *label
, size_t label_size
) {
216 assert(pid_is_valid(c
->pid
));
217 assert(label_size
== 0 || label
);
219 if (label_size
> 0) {
222 /* If we got an SELinux label passed in it counts. */
224 l
= newdup_suffix0(char, label
, label_size
);
228 free_and_replace(c
->label
, l
);
229 c
->label_size
= label_size
;
235 /* If we got no SELinux label passed in, let's try to acquire one */
237 if (getpidcon(c
->pid
, &con
) >= 0) {
238 free_and_replace(c
->label
, con
);
239 c
->label_size
= strlen(c
->label
);
247 static int client_context_read_cgroup(Server
*s
, ClientContext
*c
, const char *unit_id
) {
253 /* Try to acquire the current cgroup path */
254 r
= cg_pid_get_path_shifted(c
->pid
, s
->cgroup_root
, &t
);
257 /* If that didn't work, we use the unit ID passed in as fallback, if we have nothing cached yet */
258 if (unit_id
&& !c
->unit
) {
259 c
->unit
= strdup(unit_id
);
267 /* Let's shortcut this if the cgroup path didn't change */
268 if (streq_ptr(c
->cgroup
, t
)) {
273 free_and_replace(c
->cgroup
, t
);
275 (void) cg_path_get_session(c
->cgroup
, &t
);
276 free_and_replace(c
->session
, t
);
278 if (cg_path_get_owner_uid(c
->cgroup
, &c
->owner_uid
) < 0)
279 c
->owner_uid
= UID_INVALID
;
281 (void) cg_path_get_unit(c
->cgroup
, &t
);
282 free_and_replace(c
->unit
, t
);
284 (void) cg_path_get_user_unit(c
->cgroup
, &t
);
285 free_and_replace(c
->user_unit
, t
);
287 (void) cg_path_get_slice(c
->cgroup
, &t
);
288 free_and_replace(c
->slice
, t
);
290 (void) cg_path_get_user_slice(c
->cgroup
, &t
);
291 free_and_replace(c
->user_slice
, t
);
296 static int client_context_read_invocation_id(
300 _cleanup_free_
char *value
= NULL
;
307 /* Read the invocation ID of a unit off a unit. PID 1 stores it in a per-unit symlink in /run/systemd/units/ */
312 p
= strjoina("/run/systemd/units/invocation:", c
->unit
);
313 r
= readlink_malloc(p
, &value
);
317 return sd_id128_from_string(value
, &c
->invocation_id
);
320 static int client_context_read_log_level_max(
324 _cleanup_free_
char *value
= NULL
;
331 p
= strjoina("/run/systemd/units/log-level-max:", c
->unit
);
332 r
= readlink_malloc(p
, &value
);
336 ll
= log_level_from_string(value
);
340 c
->log_level_max
= ll
;
344 static int client_context_read_extra_fields(
348 size_t size
= 0, n_iovec
= 0, n_allocated
= 0, left
;
349 _cleanup_free_
struct iovec
*iovec
= NULL
;
350 _cleanup_free_
void *data
= NULL
;
351 _cleanup_fclose_
FILE *f
= NULL
;
360 p
= strjoina("/run/systemd/units/log-extra-fields:", c
->unit
);
362 if (c
->extra_fields_mtime
!= NSEC_INFINITY
) {
363 if (stat(p
, &st
) < 0) {
370 if (timespec_load_nsec(&st
.st_mtim
) == c
->extra_fields_mtime
)
382 if (fstat(fileno(f
), &st
) < 0) /* The file might have been replaced since the stat() above, let's get a new
383 * one, that matches the stuff we are reading */
386 r
= read_full_stream(f
, (char**) &data
, &size
);
390 q
= data
, left
= size
;
395 if (left
< sizeof(uint64_t))
398 v
= unaligned_read_le64(q
);
402 n
= sizeof(uint64_t) + v
;
406 field
= q
+ sizeof(uint64_t);
408 eq
= memchr(field
, '=', v
);
412 if (!journal_field_valid((const char *) field
, eq
- field
, false))
415 if (!GREEDY_REALLOC(iovec
, n_allocated
, n_iovec
+1))
418 iovec
[n_iovec
++] = IOVEC_MAKE(field
, v
);
423 free(c
->extra_fields_iovec
);
424 free(c
->extra_fields_data
);
426 c
->extra_fields_iovec
= TAKE_PTR(iovec
);
427 c
->extra_fields_n_iovec
= n_iovec
;
428 c
->extra_fields_data
= TAKE_PTR(data
);
429 c
->extra_fields_mtime
= timespec_load_nsec(&st
.st_mtim
);
434 static int client_context_read_log_rate_limit_interval(ClientContext
*c
) {
435 _cleanup_free_
char *value
= NULL
;
444 p
= strjoina("/run/systemd/units/log-rate-limit-interval:", c
->unit
);
445 r
= readlink_malloc(p
, &value
);
449 return safe_atou64(value
, &c
->log_rate_limit_interval
);
452 static int client_context_read_log_rate_limit_burst(ClientContext
*c
) {
453 _cleanup_free_
char *value
= NULL
;
462 p
= strjoina("/run/systemd/units/log-rate-limit-burst:", c
->unit
);
463 r
= readlink_malloc(p
, &value
);
467 return safe_atou(value
, &c
->log_rate_limit_burst
);
470 static void client_context_really_refresh(
473 const struct ucred
*ucred
,
474 const char *label
, size_t label_size
,
480 assert(pid_is_valid(c
->pid
));
482 if (timestamp
== USEC_INFINITY
)
483 timestamp
= now(CLOCK_MONOTONIC
);
485 client_context_read_uid_gid(c
, ucred
);
486 client_context_read_basic(c
);
487 (void) client_context_read_label(c
, label
, label_size
);
489 (void) audit_session_from_pid(c
->pid
, &c
->auditid
);
490 (void) audit_loginuid_from_pid(c
->pid
, &c
->loginuid
);
492 (void) client_context_read_cgroup(s
, c
, unit_id
);
493 (void) client_context_read_invocation_id(s
, c
);
494 (void) client_context_read_log_level_max(s
, c
);
495 (void) client_context_read_extra_fields(s
, c
);
496 (void) client_context_read_log_rate_limit_interval(c
);
497 (void) client_context_read_log_rate_limit_burst(c
);
499 c
->timestamp
= timestamp
;
502 assert(c
->n_ref
== 0);
503 assert_se(prioq_reshuffle(s
->client_contexts_lru
, c
, &c
->lru_index
) >= 0);
507 void client_context_maybe_refresh(
510 const struct ucred
*ucred
,
511 const char *label
, size_t label_size
,
518 if (timestamp
== USEC_INFINITY
)
519 timestamp
= now(CLOCK_MONOTONIC
);
521 /* No cached data so far? Let's fill it up */
522 if (c
->timestamp
== USEC_INFINITY
)
525 /* If the data isn't pinned and if the cashed data is older than the upper limit, we flush it out
526 * entirely. This follows the logic that as long as an entry is pinned the PID reuse is unlikely. */
527 if (c
->n_ref
== 0 && c
->timestamp
+ MAX_USEC
< timestamp
) {
528 client_context_reset(s
, c
);
532 /* If the data is older than the lower limit, we refresh, but keep the old data for all we can't update */
533 if (c
->timestamp
+ REFRESH_USEC
< timestamp
)
536 /* If the data passed along doesn't match the cached data we also do a refresh */
537 if (ucred
&& uid_is_valid(ucred
->uid
) && c
->uid
!= ucred
->uid
)
540 if (ucred
&& gid_is_valid(ucred
->gid
) && c
->gid
!= ucred
->gid
)
543 if (label_size
> 0 && (label_size
!= c
->label_size
|| memcmp(label
, c
->label
, label_size
) != 0))
549 client_context_really_refresh(s
, c
, ucred
, label
, label_size
, unit_id
, timestamp
);
552 static void client_context_try_shrink_to(Server
*s
, size_t limit
) {
555 /* Bring the number of cache entries below the indicated limit, so that we can create a new entry without
556 * breaching the limit. Note that we only flush out entries that aren't pinned here. This means the number of
557 * cache entries may very well grow beyond the limit, if all entries stored remain pinned. */
559 while (hashmap_size(s
->client_contexts
) > limit
) {
562 c
= prioq_pop(s
->client_contexts_lru
);
564 break; /* All remaining entries are pinned, give up */
567 assert(c
->n_ref
== 0);
571 client_context_free(s
, c
);
575 void client_context_flush_all(Server
*s
) {
578 /* Flush out all remaining entries. This assumes all references are already dropped. */
580 s
->my_context
= client_context_release(s
, s
->my_context
);
581 s
->pid1_context
= client_context_release(s
, s
->pid1_context
);
583 client_context_try_shrink_to(s
, 0);
585 assert(prioq_size(s
->client_contexts_lru
) == 0);
586 assert(hashmap_size(s
->client_contexts
) == 0);
588 s
->client_contexts_lru
= prioq_free(s
->client_contexts_lru
);
589 s
->client_contexts
= hashmap_free(s
->client_contexts
);
592 static int client_context_get_internal(
595 const struct ucred
*ucred
,
596 const char *label
, size_t label_len
,
599 ClientContext
**ret
) {
607 if (!pid_is_valid(pid
))
610 c
= hashmap_get(s
->client_contexts
, PID_TO_PTR(pid
));
615 /* The entry wasn't pinned so far, let's remove it from the LRU list then */
616 assert(c
->n_ref
== 0);
617 assert_se(prioq_remove(s
->client_contexts_lru
, c
, &c
->lru_index
) >= 0);
624 client_context_maybe_refresh(s
, c
, ucred
, label
, label_len
, unit_id
, USEC_INFINITY
);
630 client_context_try_shrink_to(s
, CACHE_MAX
-1);
632 r
= client_context_new(s
, pid
, &c
);
639 r
= prioq_put(s
->client_contexts_lru
, c
, &c
->lru_index
);
641 client_context_free(s
, c
);
648 client_context_really_refresh(s
, c
, ucred
, label
, label_len
, unit_id
, USEC_INFINITY
);
654 int client_context_get(
657 const struct ucred
*ucred
,
658 const char *label
, size_t label_len
,
660 ClientContext
**ret
) {
662 return client_context_get_internal(s
, pid
, ucred
, label
, label_len
, unit_id
, false, ret
);
665 int client_context_acquire(
668 const struct ucred
*ucred
,
669 const char *label
, size_t label_len
,
671 ClientContext
**ret
) {
673 return client_context_get_internal(s
, pid
, ucred
, label
, label_len
, unit_id
, true, ret
);
676 ClientContext
*client_context_release(Server
*s
, ClientContext
*c
) {
682 assert(c
->n_ref
> 0);
689 /* The entry is not pinned anymore, let's add it to the LRU prioq if we can. If we can't we'll drop it
692 if (prioq_put(s
->client_contexts_lru
, c
, &c
->lru_index
) < 0)
693 client_context_free(s
, c
);
700 void client_context_acquire_default(Server
*s
) {
705 /* Ensure that our own and PID1's contexts are always pinned. Our own context is particularly useful to
706 * generate driver messages. */
708 if (!s
->my_context
) {
709 struct ucred ucred
= {
710 .pid
= getpid_cached(),
715 r
= client_context_acquire(s
, ucred
.pid
, &ucred
, NULL
, 0, NULL
, &s
->my_context
);
717 log_warning_errno(r
, "Failed to acquire our own context, ignoring: %m");
720 if (!s
->pid1_context
) {
722 r
= client_context_acquire(s
, 1, NULL
, NULL
, 0, NULL
, &s
->pid1_context
);
724 log_warning_errno(r
, "Failed to acquire PID1's context, ignoring: %m");