mixlib-shellout 2.2.5-universal-mingw32 → 2.2.6-universal-mingw32
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +12 -12
- data/LICENSE +201 -201
- data/README.md +54 -54
- data/Rakefile +24 -24
- data/lib/mixlib/shellout/exceptions.rb +7 -7
- data/lib/mixlib/shellout/unix.rb +415 -415
- data/lib/mixlib/shellout/version.rb +5 -5
- data/lib/mixlib/shellout/windows/core_ext.rb +371 -371
- data/lib/mixlib/shellout/windows.rb +362 -362
- data/lib/mixlib/shellout.rb +357 -357
- data/mixlib-shellout-windows.gemspec +8 -8
- data/mixlib-shellout.gemspec +24 -24
- metadata +3 -3
data/lib/mixlib/shellout/unix.rb
CHANGED
@@ -1,415 +1,415 @@
|
|
1
|
-
#--
|
2
|
-
# Author:: Daniel DeLeo (<dan@opscode.com>)
|
3
|
-
# Copyright:: Copyright (c) 2010, 2011 Opscode, Inc.
|
4
|
-
# License:: Apache License, Version 2.0
|
5
|
-
#
|
6
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
-
# you may not use this file except in compliance with the License.
|
8
|
-
# You may obtain a copy of the License at
|
9
|
-
#
|
10
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
-
#
|
12
|
-
# Unless required by applicable law or agreed to in writing, software
|
13
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
-
# See the License for the specific language governing permissions and
|
16
|
-
# limitations under the License.
|
17
|
-
#
|
18
|
-
|
19
|
-
module Mixlib
|
20
|
-
class ShellOut
|
21
|
-
module Unix
|
22
|
-
|
23
|
-
# "1.8.7" as a frozen string. We use this with a hack that disables GC to
|
24
|
-
# avoid segfaults on Ruby 1.8.7, so we need to allocate the fewest
|
25
|
-
# objects we possibly can.
|
26
|
-
ONE_DOT_EIGHT_DOT_SEVEN = "1.8.7".freeze
|
27
|
-
|
28
|
-
# Option validation that is unix specific
|
29
|
-
def validate_options(opts)
|
30
|
-
# No options to validate, raise exceptions here if needed
|
31
|
-
end
|
32
|
-
|
33
|
-
# Whether we're simulating a login shell
|
34
|
-
def using_login?
|
35
|
-
return login && user
|
36
|
-
end
|
37
|
-
|
38
|
-
# Helper method for sgids
|
39
|
-
def all_seconderies
|
40
|
-
ret = []
|
41
|
-
Etc.endgrent
|
42
|
-
while ( g = Etc.getgrent ) do
|
43
|
-
ret << g
|
44
|
-
end
|
45
|
-
Etc.endgrent
|
46
|
-
return ret
|
47
|
-
end
|
48
|
-
|
49
|
-
# The secondary groups that the subprocess will switch to.
|
50
|
-
# Currently valid only if login is used, and is set
|
51
|
-
# to the user's secondary groups
|
52
|
-
def sgids
|
53
|
-
return nil unless using_login?
|
54
|
-
user_name = Etc.getpwuid(uid).name
|
55
|
-
all_seconderies.select{|g| g.mem.include?(user_name)}.map{|g|g.gid}
|
56
|
-
end
|
57
|
-
|
58
|
-
# The environment variables that are deduced from simulating logon
|
59
|
-
# Only valid if login is used
|
60
|
-
def logon_environment
|
61
|
-
return {} unless using_login?
|
62
|
-
entry = Etc.getpwuid(uid)
|
63
|
-
# According to `man su`, the set fields are:
|
64
|
-
# $HOME, $SHELL, $USER, $LOGNAME, $PATH, and $IFS
|
65
|
-
# Values are copied from "shadow" package in Ubuntu 14.10
|
66
|
-
{'HOME'=>entry.dir, 'SHELL'=>entry.shell, 'USER'=>entry.name, 'LOGNAME'=>entry.name, 'PATH'=>'/sbin:/bin:/usr/sbin:/usr/bin', 'IFS'=>"\t\n"}
|
67
|
-
end
|
68
|
-
|
69
|
-
# Merges the two environments for the process
|
70
|
-
def process_environment
|
71
|
-
logon_environment.merge(self.environment)
|
72
|
-
end
|
73
|
-
|
74
|
-
# Run the command, writing the command's standard out and standard error
|
75
|
-
# to +stdout+ and +stderr+, and saving its exit status object to +status+
|
76
|
-
# === Returns
|
77
|
-
# returns +self+; +stdout+, +stderr+, +status+, and +exitstatus+ will be
|
78
|
-
# populated with results of the command.
|
79
|
-
# === Raises
|
80
|
-
# * Errno::EACCES when you are not privileged to execute the command
|
81
|
-
# * Errno::ENOENT when the command is not available on the system (or not
|
82
|
-
# in the current $PATH)
|
83
|
-
# * Chef::Exceptions::CommandTimeout when the command does not complete
|
84
|
-
# within +timeout+ seconds (default: 600s). When this happens, ShellOut
|
85
|
-
# will send a TERM and then KILL to the entire process group to ensure
|
86
|
-
# that any grandchild processes are terminated. If the invocation of
|
87
|
-
# the child process spawned multiple child processes (which commonly
|
88
|
-
# happens if the command is passed as a single string to be interpreted
|
89
|
-
# by bin/sh, and bin/sh is not bash), the exit status object may not
|
90
|
-
# contain the correct exit code of the process (of course there is no
|
91
|
-
# exit code if the command is killed by SIGKILL, also).
|
92
|
-
def run_command
|
93
|
-
@child_pid = fork_subprocess
|
94
|
-
@reaped = false
|
95
|
-
|
96
|
-
configure_parent_process_file_descriptors
|
97
|
-
|
98
|
-
# Ruby 1.8.7 and 1.8.6 from mid 2009 try to allocate objects during GC
|
99
|
-
# when calling IO.select and IO#read. Disabling GC works around the
|
100
|
-
# segfault, but obviously it's a bad workaround. We no longer support
|
101
|
-
# 1.8.6 so we only need this hack for 1.8.7.
|
102
|
-
GC.disable if RUBY_VERSION == ONE_DOT_EIGHT_DOT_SEVEN
|
103
|
-
|
104
|
-
# CHEF-3390: Marshall.load on Ruby < 1.8.7p369 also has a GC bug related
|
105
|
-
# to Marshall.load, so try disabling GC first.
|
106
|
-
propagate_pre_exec_failure
|
107
|
-
|
108
|
-
@status = nil
|
109
|
-
@result = nil
|
110
|
-
@execution_time = 0
|
111
|
-
|
112
|
-
write_to_child_stdin
|
113
|
-
|
114
|
-
until @status
|
115
|
-
ready_buffers = attempt_buffer_read
|
116
|
-
unless ready_buffers
|
117
|
-
@execution_time += READ_WAIT_TIME
|
118
|
-
if @execution_time >= timeout && !@result
|
119
|
-
# kill the bad proccess
|
120
|
-
reap_errant_child
|
121
|
-
# read anything it wrote when we killed it
|
122
|
-
attempt_buffer_read
|
123
|
-
# raise
|
124
|
-
raise CommandTimeout, "Command timed out after #{@execution_time.to_i}s:\n#{format_for_exception}"
|
125
|
-
end
|
126
|
-
end
|
127
|
-
|
128
|
-
attempt_reap
|
129
|
-
end
|
130
|
-
|
131
|
-
self
|
132
|
-
rescue Errno::ENOENT
|
133
|
-
# When ENOENT happens, we can be reasonably sure that the child process
|
134
|
-
# is going to exit quickly, so we use the blocking variant of waitpid2
|
135
|
-
reap
|
136
|
-
raise
|
137
|
-
ensure
|
138
|
-
reap_errant_child if should_reap?
|
139
|
-
# make one more pass to get the last of the output after the
|
140
|
-
# child process dies
|
141
|
-
attempt_buffer_read
|
142
|
-
# no matter what happens, turn the GC back on, and hope whatever busted
|
143
|
-
# version of ruby we're on doesn't allocate some objects during the next
|
144
|
-
# GC run.
|
145
|
-
GC.enable
|
146
|
-
close_all_pipes
|
147
|
-
end
|
148
|
-
|
149
|
-
private
|
150
|
-
|
151
|
-
def set_user
|
152
|
-
if user
|
153
|
-
Process.uid = uid
|
154
|
-
Process.euid = uid
|
155
|
-
end
|
156
|
-
end
|
157
|
-
|
158
|
-
def set_group
|
159
|
-
if group
|
160
|
-
Process.egid = gid
|
161
|
-
Process.gid = gid
|
162
|
-
end
|
163
|
-
end
|
164
|
-
|
165
|
-
def set_secondarygroups
|
166
|
-
if sgids
|
167
|
-
Process.groups = sgids
|
168
|
-
end
|
169
|
-
end
|
170
|
-
|
171
|
-
def set_environment
|
172
|
-
# user-set variables should override the login ones
|
173
|
-
process_environment.each do |env_var,value|
|
174
|
-
ENV[env_var] = value
|
175
|
-
end
|
176
|
-
end
|
177
|
-
|
178
|
-
def set_umask
|
179
|
-
File.umask(umask) if umask
|
180
|
-
end
|
181
|
-
|
182
|
-
def set_cwd
|
183
|
-
Dir.chdir(cwd) if cwd
|
184
|
-
end
|
185
|
-
|
186
|
-
# Since we call setsid the child_pgid will be the child_pid, set to negative here
|
187
|
-
# so it can be directly used in arguments to kill, wait, etc.
|
188
|
-
def child_pgid
|
189
|
-
-@child_pid
|
190
|
-
end
|
191
|
-
|
192
|
-
def initialize_ipc
|
193
|
-
@stdin_pipe, @stdout_pipe, @stderr_pipe, @process_status_pipe = IO.pipe, IO.pipe, IO.pipe, IO.pipe
|
194
|
-
@process_status_pipe.last.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC)
|
195
|
-
end
|
196
|
-
|
197
|
-
def child_stdin
|
198
|
-
@stdin_pipe[1]
|
199
|
-
end
|
200
|
-
|
201
|
-
def child_stdout
|
202
|
-
@stdout_pipe[0]
|
203
|
-
end
|
204
|
-
|
205
|
-
def child_stderr
|
206
|
-
@stderr_pipe[0]
|
207
|
-
end
|
208
|
-
|
209
|
-
def child_process_status
|
210
|
-
@process_status_pipe[0]
|
211
|
-
end
|
212
|
-
|
213
|
-
def close_all_pipes
|
214
|
-
child_stdin.close unless child_stdin.closed?
|
215
|
-
child_stdout.close unless child_stdout.closed?
|
216
|
-
child_stderr.close unless child_stderr.closed?
|
217
|
-
child_process_status.close unless child_process_status.closed?
|
218
|
-
end
|
219
|
-
|
220
|
-
# Replace stdout, and stderr with pipes to the parent, and close the
|
221
|
-
# reader side of the error marshaling side channel.
|
222
|
-
#
|
223
|
-
# If there is no input, close STDIN so when we exec,
|
224
|
-
# the new program will know it's never getting input ever.
|
225
|
-
def configure_subprocess_file_descriptors
|
226
|
-
process_status_pipe.first.close
|
227
|
-
|
228
|
-
# HACK: for some reason, just STDIN.close isn't good enough when running
|
229
|
-
# under ruby 1.9.2, so make it good enough:
|
230
|
-
stdin_pipe.last.close
|
231
|
-
STDIN.reopen stdin_pipe.first
|
232
|
-
stdin_pipe.first.close unless input
|
233
|
-
|
234
|
-
stdout_pipe.first.close
|
235
|
-
STDOUT.reopen stdout_pipe.last
|
236
|
-
stdout_pipe.last.close
|
237
|
-
|
238
|
-
stderr_pipe.first.close
|
239
|
-
STDERR.reopen stderr_pipe.last
|
240
|
-
stderr_pipe.last.close
|
241
|
-
|
242
|
-
STDOUT.sync = STDERR.sync = true
|
243
|
-
STDIN.sync = true if input
|
244
|
-
end
|
245
|
-
|
246
|
-
def configure_parent_process_file_descriptors
|
247
|
-
# Close the sides of the pipes we don't care about
|
248
|
-
stdin_pipe.first.close
|
249
|
-
stdin_pipe.last.close unless input
|
250
|
-
stdout_pipe.last.close
|
251
|
-
stderr_pipe.last.close
|
252
|
-
process_status_pipe.last.close
|
253
|
-
# Get output as it happens rather than buffered
|
254
|
-
child_stdin.sync = true if input
|
255
|
-
child_stdout.sync = true
|
256
|
-
child_stderr.sync = true
|
257
|
-
|
258
|
-
true
|
259
|
-
end
|
260
|
-
|
261
|
-
# Some patch levels of ruby in wide use (in particular the ruby 1.8.6 on OSX)
|
262
|
-
# segfault when you IO.select a pipe that's reached eof. Weak sauce.
|
263
|
-
def open_pipes
|
264
|
-
@open_pipes ||= [child_stdout, child_stderr, child_process_status]
|
265
|
-
end
|
266
|
-
|
267
|
-
# Keep this unbuffered for now
|
268
|
-
def write_to_child_stdin
|
269
|
-
return unless input
|
270
|
-
child_stdin << input
|
271
|
-
child_stdin.close # Kick things off
|
272
|
-
end
|
273
|
-
|
274
|
-
def attempt_buffer_read
|
275
|
-
ready = IO.select(open_pipes, nil, nil, READ_WAIT_TIME)
|
276
|
-
if ready
|
277
|
-
read_stdout_to_buffer if ready.first.include?(child_stdout)
|
278
|
-
read_stderr_to_buffer if ready.first.include?(child_stderr)
|
279
|
-
read_process_status_to_buffer if ready.first.include?(child_process_status)
|
280
|
-
end
|
281
|
-
ready
|
282
|
-
end
|
283
|
-
|
284
|
-
def read_stdout_to_buffer
|
285
|
-
while chunk = child_stdout.read_nonblock(READ_SIZE)
|
286
|
-
@stdout << chunk
|
287
|
-
@live_stdout << chunk if @live_stdout
|
288
|
-
end
|
289
|
-
rescue Errno::EAGAIN
|
290
|
-
rescue EOFError
|
291
|
-
open_pipes.delete(child_stdout)
|
292
|
-
end
|
293
|
-
|
294
|
-
def read_stderr_to_buffer
|
295
|
-
while chunk = child_stderr.read_nonblock(READ_SIZE)
|
296
|
-
@stderr << chunk
|
297
|
-
@live_stderr << chunk if @live_stderr
|
298
|
-
end
|
299
|
-
rescue Errno::EAGAIN
|
300
|
-
rescue EOFError
|
301
|
-
open_pipes.delete(child_stderr)
|
302
|
-
end
|
303
|
-
|
304
|
-
def read_process_status_to_buffer
|
305
|
-
while chunk = child_process_status.read_nonblock(READ_SIZE)
|
306
|
-
@process_status << chunk
|
307
|
-
end
|
308
|
-
rescue Errno::EAGAIN
|
309
|
-
rescue EOFError
|
310
|
-
open_pipes.delete(child_process_status)
|
311
|
-
end
|
312
|
-
|
313
|
-
def fork_subprocess
|
314
|
-
initialize_ipc
|
315
|
-
|
316
|
-
fork do
|
317
|
-
# Child processes may themselves fork off children. A common case
|
318
|
-
# is when the command is given as a single string (instead of
|
319
|
-
# command name plus Array of arguments) and /bin/sh does not
|
320
|
-
# support the "ONESHOT" optimization (where sh -c does exec without
|
321
|
-
# forking). To support cleaning up all the children, we need to
|
322
|
-
# ensure they're in a unique process group.
|
323
|
-
#
|
324
|
-
# We use setsid here to abandon our controlling tty and get a new session
|
325
|
-
# and process group that are set to the pid of the child process.
|
326
|
-
Process.setsid
|
327
|
-
|
328
|
-
configure_subprocess_file_descriptors
|
329
|
-
|
330
|
-
set_secondarygroups
|
331
|
-
set_group
|
332
|
-
set_user
|
333
|
-
set_environment
|
334
|
-
set_umask
|
335
|
-
set_cwd
|
336
|
-
|
337
|
-
begin
|
338
|
-
command.kind_of?(Array) ? exec(*command, :close_others=>true) : exec(command, :close_others=>true)
|
339
|
-
|
340
|
-
raise 'forty-two' # Should never get here
|
341
|
-
rescue Exception => e
|
342
|
-
Marshal.dump(e, process_status_pipe.last)
|
343
|
-
process_status_pipe.last.flush
|
344
|
-
end
|
345
|
-
process_status_pipe.last.close unless (process_status_pipe.last.closed?)
|
346
|
-
exit!
|
347
|
-
end
|
348
|
-
end
|
349
|
-
|
350
|
-
# Attempt to get a Marshaled error from the side-channel.
|
351
|
-
# If it's there, un-marshal it and raise. If it's not there,
|
352
|
-
# assume everything went well.
|
353
|
-
def propagate_pre_exec_failure
|
354
|
-
begin
|
355
|
-
attempt_buffer_read until child_process_status.eof?
|
356
|
-
e = Marshal.load(@process_status)
|
357
|
-
raise(Exception === e ? e : "unknown failure: #{e.inspect}")
|
358
|
-
rescue ArgumentError # If we get an ArgumentError error, then the exec was successful
|
359
|
-
true
|
360
|
-
ensure
|
361
|
-
child_process_status.close
|
362
|
-
open_pipes.delete(child_process_status)
|
363
|
-
end
|
364
|
-
end
|
365
|
-
|
366
|
-
def reap_errant_child
|
367
|
-
return if attempt_reap
|
368
|
-
@terminate_reason = "Command exceeded allowed execution time, process terminated"
|
369
|
-
logger.error("Command exceeded allowed execution time, sending TERM") if logger
|
370
|
-
Process.kill(:TERM, child_pgid)
|
371
|
-
sleep 3
|
372
|
-
attempt_reap
|
373
|
-
logger.error("Command exceeded allowed execution time, sending KILL") if logger
|
374
|
-
Process.kill(:KILL, child_pgid)
|
375
|
-
reap
|
376
|
-
|
377
|
-
# Should not hit this but it's possible if something is calling waitall
|
378
|
-
# in a separate thread.
|
379
|
-
rescue Errno::ESRCH
|
380
|
-
nil
|
381
|
-
end
|
382
|
-
|
383
|
-
def should_reap?
|
384
|
-
# if we fail to fork, no child pid so nothing to reap
|
385
|
-
@child_pid && !@reaped
|
386
|
-
end
|
387
|
-
|
388
|
-
# Unconditionally reap the child process. This is used in scenarios where
|
389
|
-
# we can be confident the child will exit quickly, and has not spawned
|
390
|
-
# and grandchild processes.
|
391
|
-
def reap
|
392
|
-
results = Process.waitpid2(@child_pid)
|
393
|
-
@reaped = true
|
394
|
-
@status = results.last
|
395
|
-
rescue Errno::ECHILD
|
396
|
-
# When cleaning up timed-out processes, we might send SIGKILL to the
|
397
|
-
# whole process group after we've cleaned up the direct child. In that
|
398
|
-
# case the grandchildren will have been adopted by init so we can't
|
399
|
-
# reap them even if we wanted to (we don't).
|
400
|
-
nil
|
401
|
-
end
|
402
|
-
|
403
|
-
# Try to reap the child process but don't block if it isn't dead yet.
|
404
|
-
def attempt_reap
|
405
|
-
if results = Process.waitpid2(@child_pid, Process::WNOHANG)
|
406
|
-
@reaped = true
|
407
|
-
@status = results.last
|
408
|
-
else
|
409
|
-
nil
|
410
|
-
end
|
411
|
-
end
|
412
|
-
|
413
|
-
end
|
414
|
-
end
|
415
|
-
end
|
1
|
+
#--
|
2
|
+
# Author:: Daniel DeLeo (<dan@opscode.com>)
|
3
|
+
# Copyright:: Copyright (c) 2010, 2011 Opscode, Inc.
|
4
|
+
# License:: Apache License, Version 2.0
|
5
|
+
#
|
6
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
+
# you may not use this file except in compliance with the License.
|
8
|
+
# You may obtain a copy of the License at
|
9
|
+
#
|
10
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
+
#
|
12
|
+
# Unless required by applicable law or agreed to in writing, software
|
13
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
+
# See the License for the specific language governing permissions and
|
16
|
+
# limitations under the License.
|
17
|
+
#
|
18
|
+
|
19
|
+
module Mixlib
|
20
|
+
class ShellOut
|
21
|
+
module Unix
|
22
|
+
|
23
|
+
# "1.8.7" as a frozen string. We use this with a hack that disables GC to
|
24
|
+
# avoid segfaults on Ruby 1.8.7, so we need to allocate the fewest
|
25
|
+
# objects we possibly can.
|
26
|
+
ONE_DOT_EIGHT_DOT_SEVEN = "1.8.7".freeze
|
27
|
+
|
28
|
+
# Option validation that is unix specific
|
29
|
+
def validate_options(opts)
|
30
|
+
# No options to validate, raise exceptions here if needed
|
31
|
+
end
|
32
|
+
|
33
|
+
# Whether we're simulating a login shell
|
34
|
+
def using_login?
|
35
|
+
return login && user
|
36
|
+
end
|
37
|
+
|
38
|
+
# Helper method for sgids
|
39
|
+
def all_seconderies
|
40
|
+
ret = []
|
41
|
+
Etc.endgrent
|
42
|
+
while ( g = Etc.getgrent ) do
|
43
|
+
ret << g
|
44
|
+
end
|
45
|
+
Etc.endgrent
|
46
|
+
return ret
|
47
|
+
end
|
48
|
+
|
49
|
+
# The secondary groups that the subprocess will switch to.
|
50
|
+
# Currently valid only if login is used, and is set
|
51
|
+
# to the user's secondary groups
|
52
|
+
def sgids
|
53
|
+
return nil unless using_login?
|
54
|
+
user_name = Etc.getpwuid(uid).name
|
55
|
+
all_seconderies.select{|g| g.mem.include?(user_name)}.map{|g|g.gid}
|
56
|
+
end
|
57
|
+
|
58
|
+
# The environment variables that are deduced from simulating logon
|
59
|
+
# Only valid if login is used
|
60
|
+
def logon_environment
|
61
|
+
return {} unless using_login?
|
62
|
+
entry = Etc.getpwuid(uid)
|
63
|
+
# According to `man su`, the set fields are:
|
64
|
+
# $HOME, $SHELL, $USER, $LOGNAME, $PATH, and $IFS
|
65
|
+
# Values are copied from "shadow" package in Ubuntu 14.10
|
66
|
+
{'HOME'=>entry.dir, 'SHELL'=>entry.shell, 'USER'=>entry.name, 'LOGNAME'=>entry.name, 'PATH'=>'/sbin:/bin:/usr/sbin:/usr/bin', 'IFS'=>"\t\n"}
|
67
|
+
end
|
68
|
+
|
69
|
+
# Merges the two environments for the process
|
70
|
+
def process_environment
|
71
|
+
logon_environment.merge(self.environment)
|
72
|
+
end
|
73
|
+
|
74
|
+
# Run the command, writing the command's standard out and standard error
|
75
|
+
# to +stdout+ and +stderr+, and saving its exit status object to +status+
|
76
|
+
# === Returns
|
77
|
+
# returns +self+; +stdout+, +stderr+, +status+, and +exitstatus+ will be
|
78
|
+
# populated with results of the command.
|
79
|
+
# === Raises
|
80
|
+
# * Errno::EACCES when you are not privileged to execute the command
|
81
|
+
# * Errno::ENOENT when the command is not available on the system (or not
|
82
|
+
# in the current $PATH)
|
83
|
+
# * Chef::Exceptions::CommandTimeout when the command does not complete
|
84
|
+
# within +timeout+ seconds (default: 600s). When this happens, ShellOut
|
85
|
+
# will send a TERM and then KILL to the entire process group to ensure
|
86
|
+
# that any grandchild processes are terminated. If the invocation of
|
87
|
+
# the child process spawned multiple child processes (which commonly
|
88
|
+
# happens if the command is passed as a single string to be interpreted
|
89
|
+
# by bin/sh, and bin/sh is not bash), the exit status object may not
|
90
|
+
# contain the correct exit code of the process (of course there is no
|
91
|
+
# exit code if the command is killed by SIGKILL, also).
|
92
|
+
def run_command
|
93
|
+
@child_pid = fork_subprocess
|
94
|
+
@reaped = false
|
95
|
+
|
96
|
+
configure_parent_process_file_descriptors
|
97
|
+
|
98
|
+
# Ruby 1.8.7 and 1.8.6 from mid 2009 try to allocate objects during GC
|
99
|
+
# when calling IO.select and IO#read. Disabling GC works around the
|
100
|
+
# segfault, but obviously it's a bad workaround. We no longer support
|
101
|
+
# 1.8.6 so we only need this hack for 1.8.7.
|
102
|
+
GC.disable if RUBY_VERSION == ONE_DOT_EIGHT_DOT_SEVEN
|
103
|
+
|
104
|
+
# CHEF-3390: Marshall.load on Ruby < 1.8.7p369 also has a GC bug related
|
105
|
+
# to Marshall.load, so try disabling GC first.
|
106
|
+
propagate_pre_exec_failure
|
107
|
+
|
108
|
+
@status = nil
|
109
|
+
@result = nil
|
110
|
+
@execution_time = 0
|
111
|
+
|
112
|
+
write_to_child_stdin
|
113
|
+
|
114
|
+
until @status
|
115
|
+
ready_buffers = attempt_buffer_read
|
116
|
+
unless ready_buffers
|
117
|
+
@execution_time += READ_WAIT_TIME
|
118
|
+
if @execution_time >= timeout && !@result
|
119
|
+
# kill the bad proccess
|
120
|
+
reap_errant_child
|
121
|
+
# read anything it wrote when we killed it
|
122
|
+
attempt_buffer_read
|
123
|
+
# raise
|
124
|
+
raise CommandTimeout, "Command timed out after #{@execution_time.to_i}s:\n#{format_for_exception}"
|
125
|
+
end
|
126
|
+
end
|
127
|
+
|
128
|
+
attempt_reap
|
129
|
+
end
|
130
|
+
|
131
|
+
self
|
132
|
+
rescue Errno::ENOENT
|
133
|
+
# When ENOENT happens, we can be reasonably sure that the child process
|
134
|
+
# is going to exit quickly, so we use the blocking variant of waitpid2
|
135
|
+
reap
|
136
|
+
raise
|
137
|
+
ensure
|
138
|
+
reap_errant_child if should_reap?
|
139
|
+
# make one more pass to get the last of the output after the
|
140
|
+
# child process dies
|
141
|
+
attempt_buffer_read
|
142
|
+
# no matter what happens, turn the GC back on, and hope whatever busted
|
143
|
+
# version of ruby we're on doesn't allocate some objects during the next
|
144
|
+
# GC run.
|
145
|
+
GC.enable
|
146
|
+
close_all_pipes
|
147
|
+
end
|
148
|
+
|
149
|
+
private
|
150
|
+
|
151
|
+
def set_user
|
152
|
+
if user
|
153
|
+
Process.uid = uid
|
154
|
+
Process.euid = uid
|
155
|
+
end
|
156
|
+
end
|
157
|
+
|
158
|
+
def set_group
|
159
|
+
if group
|
160
|
+
Process.egid = gid
|
161
|
+
Process.gid = gid
|
162
|
+
end
|
163
|
+
end
|
164
|
+
|
165
|
+
def set_secondarygroups
|
166
|
+
if sgids
|
167
|
+
Process.groups = sgids
|
168
|
+
end
|
169
|
+
end
|
170
|
+
|
171
|
+
def set_environment
|
172
|
+
# user-set variables should override the login ones
|
173
|
+
process_environment.each do |env_var,value|
|
174
|
+
ENV[env_var] = value
|
175
|
+
end
|
176
|
+
end
|
177
|
+
|
178
|
+
def set_umask
|
179
|
+
File.umask(umask) if umask
|
180
|
+
end
|
181
|
+
|
182
|
+
def set_cwd
|
183
|
+
Dir.chdir(cwd) if cwd
|
184
|
+
end
|
185
|
+
|
186
|
+
# Since we call setsid the child_pgid will be the child_pid, set to negative here
|
187
|
+
# so it can be directly used in arguments to kill, wait, etc.
|
188
|
+
def child_pgid
|
189
|
+
-@child_pid
|
190
|
+
end
|
191
|
+
|
192
|
+
def initialize_ipc
|
193
|
+
@stdin_pipe, @stdout_pipe, @stderr_pipe, @process_status_pipe = IO.pipe, IO.pipe, IO.pipe, IO.pipe
|
194
|
+
@process_status_pipe.last.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC)
|
195
|
+
end
|
196
|
+
|
197
|
+
def child_stdin
|
198
|
+
@stdin_pipe[1]
|
199
|
+
end
|
200
|
+
|
201
|
+
def child_stdout
|
202
|
+
@stdout_pipe[0]
|
203
|
+
end
|
204
|
+
|
205
|
+
def child_stderr
|
206
|
+
@stderr_pipe[0]
|
207
|
+
end
|
208
|
+
|
209
|
+
def child_process_status
|
210
|
+
@process_status_pipe[0]
|
211
|
+
end
|
212
|
+
|
213
|
+
def close_all_pipes
|
214
|
+
child_stdin.close unless child_stdin.closed?
|
215
|
+
child_stdout.close unless child_stdout.closed?
|
216
|
+
child_stderr.close unless child_stderr.closed?
|
217
|
+
child_process_status.close unless child_process_status.closed?
|
218
|
+
end
|
219
|
+
|
220
|
+
# Replace stdout, and stderr with pipes to the parent, and close the
|
221
|
+
# reader side of the error marshaling side channel.
|
222
|
+
#
|
223
|
+
# If there is no input, close STDIN so when we exec,
|
224
|
+
# the new program will know it's never getting input ever.
|
225
|
+
def configure_subprocess_file_descriptors
|
226
|
+
process_status_pipe.first.close
|
227
|
+
|
228
|
+
# HACK: for some reason, just STDIN.close isn't good enough when running
|
229
|
+
# under ruby 1.9.2, so make it good enough:
|
230
|
+
stdin_pipe.last.close
|
231
|
+
STDIN.reopen stdin_pipe.first
|
232
|
+
stdin_pipe.first.close unless input
|
233
|
+
|
234
|
+
stdout_pipe.first.close
|
235
|
+
STDOUT.reopen stdout_pipe.last
|
236
|
+
stdout_pipe.last.close
|
237
|
+
|
238
|
+
stderr_pipe.first.close
|
239
|
+
STDERR.reopen stderr_pipe.last
|
240
|
+
stderr_pipe.last.close
|
241
|
+
|
242
|
+
STDOUT.sync = STDERR.sync = true
|
243
|
+
STDIN.sync = true if input
|
244
|
+
end
|
245
|
+
|
246
|
+
def configure_parent_process_file_descriptors
|
247
|
+
# Close the sides of the pipes we don't care about
|
248
|
+
stdin_pipe.first.close
|
249
|
+
stdin_pipe.last.close unless input
|
250
|
+
stdout_pipe.last.close
|
251
|
+
stderr_pipe.last.close
|
252
|
+
process_status_pipe.last.close
|
253
|
+
# Get output as it happens rather than buffered
|
254
|
+
child_stdin.sync = true if input
|
255
|
+
child_stdout.sync = true
|
256
|
+
child_stderr.sync = true
|
257
|
+
|
258
|
+
true
|
259
|
+
end
|
260
|
+
|
261
|
+
# Some patch levels of ruby in wide use (in particular the ruby 1.8.6 on OSX)
|
262
|
+
# segfault when you IO.select a pipe that's reached eof. Weak sauce.
|
263
|
+
def open_pipes
|
264
|
+
@open_pipes ||= [child_stdout, child_stderr, child_process_status]
|
265
|
+
end
|
266
|
+
|
267
|
+
# Keep this unbuffered for now
|
268
|
+
def write_to_child_stdin
|
269
|
+
return unless input
|
270
|
+
child_stdin << input
|
271
|
+
child_stdin.close # Kick things off
|
272
|
+
end
|
273
|
+
|
274
|
+
def attempt_buffer_read
|
275
|
+
ready = IO.select(open_pipes, nil, nil, READ_WAIT_TIME)
|
276
|
+
if ready
|
277
|
+
read_stdout_to_buffer if ready.first.include?(child_stdout)
|
278
|
+
read_stderr_to_buffer if ready.first.include?(child_stderr)
|
279
|
+
read_process_status_to_buffer if ready.first.include?(child_process_status)
|
280
|
+
end
|
281
|
+
ready
|
282
|
+
end
|
283
|
+
|
284
|
+
def read_stdout_to_buffer
|
285
|
+
while chunk = child_stdout.read_nonblock(READ_SIZE)
|
286
|
+
@stdout << chunk
|
287
|
+
@live_stdout << chunk if @live_stdout
|
288
|
+
end
|
289
|
+
rescue Errno::EAGAIN
|
290
|
+
rescue EOFError
|
291
|
+
open_pipes.delete(child_stdout)
|
292
|
+
end
|
293
|
+
|
294
|
+
def read_stderr_to_buffer
|
295
|
+
while chunk = child_stderr.read_nonblock(READ_SIZE)
|
296
|
+
@stderr << chunk
|
297
|
+
@live_stderr << chunk if @live_stderr
|
298
|
+
end
|
299
|
+
rescue Errno::EAGAIN
|
300
|
+
rescue EOFError
|
301
|
+
open_pipes.delete(child_stderr)
|
302
|
+
end
|
303
|
+
|
304
|
+
def read_process_status_to_buffer
|
305
|
+
while chunk = child_process_status.read_nonblock(READ_SIZE)
|
306
|
+
@process_status << chunk
|
307
|
+
end
|
308
|
+
rescue Errno::EAGAIN
|
309
|
+
rescue EOFError
|
310
|
+
open_pipes.delete(child_process_status)
|
311
|
+
end
|
312
|
+
|
313
|
+
def fork_subprocess
|
314
|
+
initialize_ipc
|
315
|
+
|
316
|
+
fork do
|
317
|
+
# Child processes may themselves fork off children. A common case
|
318
|
+
# is when the command is given as a single string (instead of
|
319
|
+
# command name plus Array of arguments) and /bin/sh does not
|
320
|
+
# support the "ONESHOT" optimization (where sh -c does exec without
|
321
|
+
# forking). To support cleaning up all the children, we need to
|
322
|
+
# ensure they're in a unique process group.
|
323
|
+
#
|
324
|
+
# We use setsid here to abandon our controlling tty and get a new session
|
325
|
+
# and process group that are set to the pid of the child process.
|
326
|
+
Process.setsid
|
327
|
+
|
328
|
+
configure_subprocess_file_descriptors
|
329
|
+
|
330
|
+
set_secondarygroups
|
331
|
+
set_group
|
332
|
+
set_user
|
333
|
+
set_environment
|
334
|
+
set_umask
|
335
|
+
set_cwd
|
336
|
+
|
337
|
+
begin
|
338
|
+
command.kind_of?(Array) ? exec(*command, :close_others=>true) : exec(command, :close_others=>true)
|
339
|
+
|
340
|
+
raise 'forty-two' # Should never get here
|
341
|
+
rescue Exception => e
|
342
|
+
Marshal.dump(e, process_status_pipe.last)
|
343
|
+
process_status_pipe.last.flush
|
344
|
+
end
|
345
|
+
process_status_pipe.last.close unless (process_status_pipe.last.closed?)
|
346
|
+
exit!
|
347
|
+
end
|
348
|
+
end
|
349
|
+
|
350
|
+
# Attempt to get a Marshaled error from the side-channel.
|
351
|
+
# If it's there, un-marshal it and raise. If it's not there,
|
352
|
+
# assume everything went well.
|
353
|
+
def propagate_pre_exec_failure
|
354
|
+
begin
|
355
|
+
attempt_buffer_read until child_process_status.eof?
|
356
|
+
e = Marshal.load(@process_status)
|
357
|
+
raise(Exception === e ? e : "unknown failure: #{e.inspect}")
|
358
|
+
rescue ArgumentError # If we get an ArgumentError error, then the exec was successful
|
359
|
+
true
|
360
|
+
ensure
|
361
|
+
child_process_status.close
|
362
|
+
open_pipes.delete(child_process_status)
|
363
|
+
end
|
364
|
+
end
|
365
|
+
|
366
|
+
def reap_errant_child
|
367
|
+
return if attempt_reap
|
368
|
+
@terminate_reason = "Command exceeded allowed execution time, process terminated"
|
369
|
+
logger.error("Command exceeded allowed execution time, sending TERM") if logger
|
370
|
+
Process.kill(:TERM, child_pgid)
|
371
|
+
sleep 3
|
372
|
+
attempt_reap
|
373
|
+
logger.error("Command exceeded allowed execution time, sending KILL") if logger
|
374
|
+
Process.kill(:KILL, child_pgid)
|
375
|
+
reap
|
376
|
+
|
377
|
+
# Should not hit this but it's possible if something is calling waitall
|
378
|
+
# in a separate thread.
|
379
|
+
rescue Errno::ESRCH
|
380
|
+
nil
|
381
|
+
end
|
382
|
+
|
383
|
+
def should_reap?
|
384
|
+
# if we fail to fork, no child pid so nothing to reap
|
385
|
+
@child_pid && !@reaped
|
386
|
+
end
|
387
|
+
|
388
|
+
# Unconditionally reap the child process. This is used in scenarios where
|
389
|
+
# we can be confident the child will exit quickly, and has not spawned
|
390
|
+
# and grandchild processes.
|
391
|
+
def reap
|
392
|
+
results = Process.waitpid2(@child_pid)
|
393
|
+
@reaped = true
|
394
|
+
@status = results.last
|
395
|
+
rescue Errno::ECHILD
|
396
|
+
# When cleaning up timed-out processes, we might send SIGKILL to the
|
397
|
+
# whole process group after we've cleaned up the direct child. In that
|
398
|
+
# case the grandchildren will have been adopted by init so we can't
|
399
|
+
# reap them even if we wanted to (we don't).
|
400
|
+
nil
|
401
|
+
end
|
402
|
+
|
403
|
+
# Try to reap the child process but don't block if it isn't dead yet.
|
404
|
+
def attempt_reap
|
405
|
+
if results = Process.waitpid2(@child_pid, Process::WNOHANG)
|
406
|
+
@reaped = true
|
407
|
+
@status = results.last
|
408
|
+
else
|
409
|
+
nil
|
410
|
+
end
|
411
|
+
end
|
412
|
+
|
413
|
+
end
|
414
|
+
end
|
415
|
+
end
|