Ejemplo n.º 1
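    def __init__(self, context):
        """Start privsep daemon using fork()

        A connected socket pair is created before forking.  The child
        serves requests on one end through ``Daemon(...).run()`` and the
        parent keeps the other end as this client channel.

        Assumes we already have required privileges.

        :param context: passed through to ``Daemon`` as ``context``.
        """

        sock_a, sock_b = socket.socketpair()

        for s in (sock_a, sock_b):
            s.setblocking(True)
            # Important that these sockets don't get leaked
            set_cloexec(s)

        # Try to prevent any buffered output from being written by both
        # parent and child.
        for f in (sys.stdout, sys.stderr):
            f.flush()

        log_fd = _fd_logger()

        if os.fork() == 0:
            # child
            #
            # The child is a copy of the calling process and must never
            # return from this constructor: if an exception escaped here
            # it would unwind into the caller's frames and a second copy
            # of the application would keep running alongside the parent.
            # Everything is therefore wrapped so that os._exit() is the
            # only way out, whatever happens.
            exit_status = 1
            try:
                # replace root logger early (to capture any errors below)
                replace_logging(pylogging.StreamHandler(log_fd))

                sock_a.close()
                Daemon(comm.ServerChannel(sock_b), context=context).run()
                LOG.debug('privsep daemon exiting')
                exit_status = 0
            except Exception:
                LOG.exception('privsep daemon failed')
            finally:
                # os._exit() skips atexit handlers and stdio flushing
                # inherited from the parent, so nothing is run twice.
                os._exit(exit_status)

        # parent

        sock_b.close()
        super(ForkingClientChannel, self).__init__(sock_a)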
Ejemplo n.º 2
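def helper_main():
    """Start privileged process, serving requests over a Unix socket.

    Reads ``--privsep_context`` and ``--privsep_sock_path`` from the
    command line, checks that the named context is a ``PrivContext``,
    connects to the socket path and then forks.  The parent returns
    straight away; the child runs the daemon loop and exits when it ends.
    """

    cfg.CONF.register_cli_opts([
        cfg.StrOpt('privsep_context', required=True),
        cfg.StrOpt('privsep_sock_path', required=True),
    ])

    logging.register_options(cfg.CONF)

    cfg.CONF(args=sys.argv[1:], project='privsep')
    logging.setup(cfg.CONF, 'privsep')

    # We always log to stderr.  Replace the root logger we just set up.
    replace_logging(pylogging.StreamHandler(sys.stderr))

    LOG.info(_LI('privsep daemon starting'))

    # NOTE(review): the dotted name comes from the command line and the
    # import runs before the type check below, so the named module's
    # top-level code has already executed by the time it is validated.
    context = importutils.import_class(cfg.CONF.privsep_context)
    from oslo_privsep import priv_context  # Avoid circular import
    if not isinstance(context, priv_context.PrivContext):
        LOG.fatal(
            _LE('--privsep_context must be the (python) name of a '
                'PrivContext object'))
        # LOG.fatal() only emits a log record (in stdlib logging it is an
        # alias for critical()); it does not stop the process.  Exit
        # explicitly so the privileged daemon is never started with an
        # object that failed validation.
        sys.exit(1)

    sock = socket.socket(socket.AF_UNIX)
    sock.connect(cfg.CONF.privsep_sock_path)
    set_cloexec(sock)
    channel = comm.ServerChannel(sock)

    # Channel is set up, so fork off daemon "in the background" and exit
    if os.fork() != 0:
        # parent
        return

    # child

    # Note we don't move into a new process group/session like a
    # regular daemon might, since we _want_ to remain associated with
    # the originating (unprivileged) process.

    try:
        Daemon(channel, context).run()
    except Exception as e:
        LOG.exception(e)
        sys.exit(str(e))

    LOG.debug('privsep daemon exiting')
    sys.exit(0)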