[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RFC: fix for daemon start (2)

Hello everyone,

Here's an updated version of the RFC text, as well as a new version of the
initscriptquery reference script. The fragments.sh script is included just
for completeness, and was not modified.

 * fixed typos, updated documentation to an assertive tone
 * addressed rcS.d issue (I received no comments on this one, BTW)
 * handle multiple links per runlevel nicely
 * detect and block attempt to run initscriptquery at runlevel 0 or 6
 * address pre-depends/depends issue

Another small RFC dealing with administrative policy enforcement on the
start of initscripts will be sent in a few days. Due to the design of
initscriptquery, such policy enforcement could be done without any
additional changes to other packages.

There are no technical issues left for initscriptquery that I know of. It
should be now in its nearly final state.

RFC: Fix for initscripts being run out of their intended runlevel by
     package scripts (during package installs and upgrades).

Interface proposal for /usr/sbin/initscriptquery script:

  Debian uses only sysvinit-compatible initscripts, stored in /etc/init.d/
  (currently true for debian, file-rc uses the same /etc/init.d/ scripts as
  sysvinit does).

  The unique identifier for an initscript is the initscript ID required by
  the update-rc.d command.

Documented Command Line Interface:
  /usr/sbin/initscriptquery [-q] <initscript ID>

  -q : Run initscriptquery in silent mode, errors are NOT reported to stderr
  initscript ID:  the update-rc.d identifier for the initscript

  Future versions to this script MUST be fully backwards compatible.

Documented behaviour of the initscriptquery script:

   stdin shall not be used (it is NOT an interactive script)
   stdout shall be used only to output usage information.
   stderr shall be used to output all error messages.
   Exit status codes:
    0 - the initscript is allowed to be started
    1 - the initscript is NOT allowed be started
    2 - initscript ID unknown
    3 - initscript ID known, but behaviour is undefined
    4 - syntax error
  >=5 - other error (usually means inconsistency in the underlining
        initscript subsystem)

Verbose description of the exit status codes:

    0 - the initscript is allowed to be started

	sysvinit meaning: There is a non-dangling, executable S?? link in
	the rc?.d directory for the given script ID and current runlevel.

        Also, no other administrative reasons for not starting the init
	scripts exist.

	NOTE: If an initscript would be started at the S runlevel, it is
	assumed that this should be true for all runlevels that don't
	actually stop the initscript as well.

	Desired behaviour: Call /etc/init.d/initscript as you'd have done
	before the advent of initscriptquery

    1 - the initscript is NOT allowed be started

        sysvinit meaning: There is a non-dangling, executable K?? link (and
	no S?? link) in the rc?.d directory for the given script ID and
	current runlevel.

	Or, an administrative reason prohibits starting the initscript.

	Desired behaviour: Do not run the initscript. If the daemon is
	running, assume it's because the user started it manually and would
	like it to be left alone (feel free to issue a warning, though).

    2 - initscript ID unknown

        sysvinit meaning: There isn't a normal file with the name matching
	<initscript ID> in /etc/init.d/ (note that the existence of a
	S??initscriptID link/file is NOT enough, as we are constrained to
	the same namespace used by update-rc.d).

	This might happen if update-rc.d fails, if you forget to run
	update-rc.d BEFORE initscriptquery in the package scripts, or if the
	user removed the /etc/init.d/ script.

        Desired behaviour: Do whatever is appropriate for your package.
	Unless -q was given, initscriptquery will have already printed a
	warning to stderr. The calling script might want to try to start the
	script anyway (which will probably fail, BTW). 

    3 - initscript ID known, but behaviour is undefined

        sysvinit meaning: No S?? or K?? link in the proper rc?.d directory
	for the given initscript ID was found, but a /etc/init.d/ file for
	the given initscript iD does exist.

	Desired behaviour: For non-daemon-starting initscripts, it is
	undefined. Do whatever is *safer* for your package (start it anyway,
	do nothing, or stop it).

	Never start a daemon which isn't already running if you receive this
	status code. You can either restart the daemon, stop the daemon, or
	do nothing.  WARNING: don't use "/etc/init.d/initscript restart" for
	this operation unless the initscript is under your control, and
	known not to start a daemon which was not running.

    4 - Syntax error
        There is an error in the command line arguments. Fix your script.
    5 (and above) - something wicked happened (assume it was an error)

        sysvinit meaning: S??initscriptID/K??initscriptID exists but it is
	not a link (this is flagged as an error because postinst scripts
	call the /etc/init.d/ script directly), or a dangling link.

	Do whatever is safer for your package. Warning messages will have
	been printed to stderr describing the problem, unless the -q option
	was given to initscriptquery.

The S runlevel:

  Scripts for the S runlevel are given special treatment. If an initscript
  would be started in the S runlevel, and would not be killed in the current
  runlevel, initscriptquery will return a status code of 0: start daemon
  (unless an error is detected).

  Packages providing runlevel S scripts are NOT exempt of the requirement of
  calling initscriptquery to verify if they're allowed to start an
  initscript automatically.  They might very well issue severe warnings of
  impending doom if told not to run the initscript, however.

Runlevels 0 and 6:

  initscriptquery will return a status code of 1: do not start daemon if it
  detects it's being run while the system is in a shutdown runlevel
  (runlevel 0 or runlevel 6). This is considered an error condition,
  obviously, and a warning message will be sent to stderr.

Important notes:

  1.  All packages which use the initscript system and automatically attempt
      to start an initscript (by using a parameter of start, restart,
      reload, or the force- versions of these) are REQUIRED to call
      initscriptquery beforehand to verify if they're allowed to run the

  2.  Packages depending on any future version of the initscriptquery
      interface will probably need to add versioned dependencies on the
      initscript system base packages (currently sysvinit and file-rc) which
      implement the new version.

      Packages depending on the initial version of the initscriptquery
      interface should not change their dependencies to include the base
      initscript system. They should fallback to the previous behaviour if
      initscriptquery is not available.

  3.  Be warned that initscriptquery adds the following non-optional
      "features" to your package:

      a) The package will do a non-complete integrity check on the
	 underlining initscript system data for their daemons, and will be
	 notified of errors (initscript exit status codes 2 and 5 for the
	 sysvinit version).

      b) Local policy enforcement, if any, may cause the package not to
	 start its initscripts. There is no way to differentiate if
	 initscriptquery returned a "do not start" exit status code because
	 the daemon is not supposed to run in the current runlevel, or
	 because the local administrator disallows it. This is done on
	 purpose, and by design.

	 Using suidregister to force a /etc/init.d/ script to be
	 non-executable is considered a valid administrative measure by
	 initscriptquery; It will return a "do not start" exit status in
	 this case. This is in tune with current practice, and cleaner than
	 the error message it causes currently.

  4.  Any package providing a initscript is REQUIRED to register the
      initscripts using update-rc.d (as per current policy), and to do it
      before using initscriptquery.

Sample code:

  Attached to this rfc, you'll find a reference (functional and somewhat
  tested, as well as written for easy-of-reading) shell script
  implementation of /usr/sbin/initscriptquery for sysvinit.  If someone else
  would like to rewrite it better, or in perl, or whatever... go ahead :-)

  Also attached to this rfc, you'll find a sample fragment of a postinst
  script which uses initscriptquery to run a daemon. It's a bit big because
  of the comments, but it's quite simple and very easy to read and
  understand.  Again, if anyone cares to write a better example, you're

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
# initscriptquery - Queries the underlying initscript system for the
#   current runlevel and verifies if a given script should be started 
#   in that runlevel.  
# $Id: initscriptquery,v 2000/09/13 01:18:04 hmh Exp $
# Usage: 
#   initscriptquery [--help] [-q] <initscript ID>
#   initscript ID - The unique ID for the initscript, as used by
#     update-rc.d
#   if -q is given, the script runs silently (no error messages are
#   displayed and the calling script must do so for status codes 2 and
#   above).
# Exit status codes:
#    0 - the initscript is allowed to be started [in this runlevel]
#    1 - the initscript is NOT allowed be started [in this runlevel]
#    2 - initscript ID unknown
#    3 - initscript ID known, but behaviour is undefined
#    4 - syntax error or --help function called
#  >=5 - other error
# (SysVinit /etc/rc?.d version for Debian's sysvinit package)
# initscriptquery  -  verifies if a initscript should be run
# Copyright (C) 2000 Henrique de Moraes Holschuh <hmh@rcm.org.br>
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the Free
# Software Foundation; either version 2 of the License, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc., 59
# Temple Place, Suite 330, Boston, MA 02111-1307 USA


dohelp () {
 # outputs help and usage
cat <<EOF
initscriptquery, SysVinit /etc/rc?.d version.

Usage: initscriptquery [--help] [-q] <initscript ID>
  initscript ID - initscript unique ID, as used for update-rc.d
  --help        - this message
  -q            - no error messages

printerror () {
 # prints an error message
 #  $* - error message
if test x${BEQUIET} = x ; then
    echo `basename $0`: "$*" >&2

##  main

## Verifies command line arguments

if test $# -eq 0 ; then
  printerror "syntax error: missing required parameter"
  exit 4

for i in $* ; do
    case $i in
	--help) dohelp 
		exit 4
	-q)     BEQUIET=yes
	*)      case ${state} in
		*)  printerror "syntax error: invalid parameter $i"
		    exit 4

if test ${state} != II ; then
    printerror "syntax error: missing required parameter"
    exit 4

## Verifies if the given initscript ID is known

if test ! -f "${INITDPREFIX}${INITSCRIPTID}" ; then
    printerror "WARNING: Unknown initscript ${INITDPREFIX}${INITSCRIPTID}"
    exit 2

## Queries sysvinit for the current runlevel

RL=`${RUNLEVEL} | sed 's/.*\ //'`
if test ! $? ; then
    printerror "Could not determine current runlevel"
    exit 5

if test x${RL} = x0 -o x${RL} = x6 ; then
    printerror "WARNING: script called during system shutdown sequence"
    # return a sane status; do not risk aborting a shutdown sequence
    exit 1

## Verifies the existance of proper S??initscriptID and K??initscriptID 
## *links* in the proper /etc/rc?.d/ directory

verifyrclink () {
  # verifies if parameters are non-dangling symlinks
  # all parameters are verified
  while test $# -gt 0 ; do
    if test ! -L "$1" ; then
        printerror "not a symlink: $1"
    if test ! -f "$1" ; then
        printerror "dangling symlink: $1"
  if test x${doexit} != x ; then
     exit ${doexit}
  return 0

# we do handle multiple links per runlevel
SLINK=`ls -d ${RCDPREFIX}${RL}.d/S[0-9][0-9]${INITSCRIPTID} 2>/dev/null | xargs`
KLINK=`ls -d ${RCDPREFIX}${RL}.d/K[0-9][0-9]${INITSCRIPTID} 2>/dev/null | xargs`
SSLINK=`ls -d ${RCDPREFIX}S.d/S[0-9][0-9]${INITSCRIPTID} 2>/dev/null | xargs`

verifyrclink ${SLINK} ${KLINK} ${SSLINK}

## Now, we decide if the daemon should be started or not. We play nice
## with people who make the /etc/init.d/initscript file non-executable
## For the multiple links per runlevel case, one success is enough
## Runlevel S start links are considered the same as a start link in
## every runlevel.

testexec () {
  # returns true if any of the parameters is
  # executable (after following links)
  while test $# -gt 0 ; do
    if test -x "$1" ; then
       return 0
  return 1

if testexec ${SLINK} ; then
    exit 0
elif testexec ${KLINK} ; then
    exit 1
elif testexec ${SSLINK} ; then
    exit 0

# is /etc/init.d/initscript actually executable?
if testexec "${INITDPREFIX}${INITSCRIPTID}" ; then
    # executable: return "undefined behaviour"
    exit 3

# /etc/init.d/initscript is not executable. 
# we assume this is a non-subtle hint ;-)
exit 1
# ...

# Replace all ocourrences of /etc/init.d/initscript start with
# a call to runinitscript initscript (or unroll it in place)
# eg: /etc/init.d/daemonname start
#          becomes 
# runinitscript daemonname

runinitscript () {
  # parameters: $1 = initscript ID

  if test -x ${initscriptquery} ; then
    case `${initscriptquery} ${initscriptid} ; echo $?` in
    	0) /etc/init.d/${initscriptid} start
	   return 0
	1) return 0
           # Something very very bad happened to the update-rc.d call,
           # or the user has deleted our /etc/init.d/ script.
	   # default: this is probably NOT what you want, as it will
	   # probably fail. But that's what would happen without 
	   # initscriptquery
	   /etc/init.d/${initscriptid} start
	   return $?
	   # Undefined behaviour problem, we don't know if the initscript
	   # should be run or not in this runlevel.
	   # a daemon which is not already running.
	   # default: we hope that restart will not start a daemon
           # if it is not running. You might want to change this.
           /etc/init.d/${initscriptid} restart
	   return 0
	   # Should never happen, unless the script is broken
	   exit 1
	   # Something wicked happened to the initscript system.
	   # default: we just try start the daemon anyway.
	   /etc/init.d/${initscriptid} start
	   return 0
    /etc/init.d/${initscriptid} start

Attachment: pgpXAJv46Z3MC.pgp
Description: PGP signature

Reply to: