passenger 5.0.9 → 5.0.10

data/ext/common/agents/LoggingAgent/OptionParser.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2010-2014 Phusion
+ *  Copyright (c) 2010-2015 Phusion
  *
  *  "Phusion Passenger" is a trademark of Hongli Lai & Ninh Bui.
  *
@@ -55,12 +55,12 @@ loggingAgentUsage() {
 	printf("                              unix:PATH for Unix domain sockets.\n");
 	printf("                              " DEFAULT_LOGGING_AGENT_LISTEN_ADDRESS "\n");
 	printf("\n");
-	printf("      --admin-listen ADDRESS  Listen on the given address for admin commands.\n");
+	printf("      --api-listen ADDRESS    Listen on the given address for API commands.\n");
 	printf("                              The address must be in the same format as that\n");
-	printf("                              of --listen. Default: " DEFAULT_LOGGING_AGENT_ADMIN_LISTEN_ADDRESS "\n");
+	printf("                              of --listen. Default: " DEFAULT_LOGGING_AGENT_API_LISTEN_ADDRESS "\n");
 	printf("      --authorize [LEVEL]:USERNAME:PASSWORDFILE\n");
-	printf("                              Enables authentication on the admin server,\n");
-	printf("                              through the given admin account. LEVEL indicates\n");
+	printf("                              Enables authentication on the API server,\n");
+	printf("                              through the given API account. LEVEL indicates\n");
 	printf("                              the privilege level (see below). PASSWORDFILE must\n");
 	printf("                              point to a file containing the password\n");
 	printf("\n");
@@ -78,7 +78,7 @@ loggingAgentUsage() {
 	printf("\n");
 	printf("  -h, --help                  Show this help\n");
 	printf("\n");
-	printf("Admin account privilege levels (ordered from most to least privileges):\n");
+	printf("API account privilege levels (ordered from most to least privileges):\n");
 	printf("  readonly    Read-only access\n");
 	printf("  full        Full access (default)\n");
 }
@@ -103,20 +103,20 @@ parseLoggingAgentOption(int argc, const char *argv[], int &i, VariantMap &option
 				"for Unix domain sockets.\n");
 			exit(1);
 		}
-	} else if (p.isValueFlag(argc, i, argv[i], '\0', "--admin-listen")) {
+	} else if (p.isValueFlag(argc, i, argv[i], '\0', "--api-listen")) {
 		if (getSocketAddressType(argv[i + 1]) != SAT_UNKNOWN) {
-			vector<string> addresses = options.getStrSet("logging_agent_admin_addresses",
+			vector<string> addresses = options.getStrSet("logging_agent_api_addresses",
 				false);
 			if (addresses.size() == SERVER_KIT_MAX_SERVER_ENDPOINTS) {
-				fprintf(stderr, "ERROR: you may specify up to %u --admin-listen addresses.\n",
+				fprintf(stderr, "ERROR: you may specify up to %u --api-listen addresses.\n",
 					SERVER_KIT_MAX_SERVER_ENDPOINTS);
 				exit(1);
 			}
 			addresses.push_back(argv[i + 1]);
-			options.setStrSet("logging_agent_admin_addresses", addresses);
+			options.setStrSet("logging_agent_api_addresses", addresses);
 			i += 2;
 		} else {
-			fprintf(stderr, "ERROR: invalid address format for --admin-listen. The address "
+			fprintf(stderr, "ERROR: invalid address format for --api-listen. The address "
 				"must be formatted as tcp://IP:PORT for TCP sockets, or unix:PATH "
 				"for Unix domain sockets.\n");
 			exit(1);

data/ext/common/agents/Watchdog/ApiServer.h

@@ -0,0 +1,311 @@
+/*
+ *  Phusion Passenger - https://www.phusionpassenger.com/
+ *  Copyright (c) 2014-2015 Phusion
+ *
+ *  "Phusion Passenger" is a trademark of Hongli Lai & Ninh Bui.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy
+ *  of this software and associated documentation files (the "Software"), to deal
+ *  in the Software without restriction, including without limitation the rights
+ *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *  copies of the Software, and to permit persons to whom the Software is
+ *  furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
+ */
+#ifndef _PASSENGER_WATCHDOG_AGENT_API_SERVER_H_
+#define _PASSENGER_WATCHDOG_AGENT_API_SERVER_H_
+
+#include <sstream>
+#include <string>
+#include <cstring>
+
+#include <agents/ApiServerUtils.h>
+#include <ServerKit/HttpServer.h>
+#include <DataStructures/LString.h>
+#include <Exceptions.h>
+#include <StaticString.h>
+#include <Logging.h>
+#include <Constants.h>
+#include <Utils/StrIntUtils.h>
+#include <Utils/modp_b64.h>
+#include <Utils/json.h>
+#include <Utils/MessageIO.h>
+
+namespace Passenger {
+namespace WatchdogAgent {
+
+using namespace std;
+
+
+class Request: public ServerKit::BaseHttpRequest {
+public:
+	string body;
+	Json::Value jsonBody;
+
+	DEFINE_SERVER_KIT_BASE_HTTP_REQUEST_FOOTER(Request);
+};
+
+class ApiServer: public ServerKit::HttpServer<ApiServer, ServerKit::HttpClient<Request> > {
+private:
+	typedef ServerKit::HttpServer<ApiServer, ServerKit::HttpClient<Request> > ParentClass;
+	typedef ServerKit::HttpClient<Request> Client;
+	typedef ServerKit::HeaderTable HeaderTable;
+
+	void route(Client *client, Request *req, const StaticString &path) {
+		if (path == P_STATIC_STRING("/status.txt")) {
+			processStatusTxt(client, req);
+		} else if (path == P_STATIC_STRING("/ping.json")) {
+			apiServerProcessPing(this, client, req);
+		} else if (path == P_STATIC_STRING("/version.json")) {
+			apiServerProcessVersion(this, client, req);
+		} else if (path == P_STATIC_STRING("/shutdown.json")) {
+			apiServerProcessShutdown(this, client, req);
+		} else if (path == P_STATIC_STRING("/backtraces.txt")) {
+			apiServerProcessBacktraces(this, client, req);
+		} else if (path == P_STATIC_STRING("/config.json")) {
+			processConfig(client, req);
+		} else if (path == P_STATIC_STRING("/config/log_file.fd")) {
+			processConfigLogFileFd(client, req);
+		} else if (path == P_STATIC_STRING("/reopen_logs.json")) {
+			apiServerProcessReopenLogs(this, client, req);
+		} else {
+			apiServerRespondWith404(this, client, req);
+		}
+	}
+
+	void processStatusTxt(Client *client, Request *req) {
+		if (authorizeStateInspectionOperation(this, client, req)) {
+			HeaderTable headers;
+			//stringstream stream;
+			headers.insert(req->pool, "Content-Type", "text/plain");
+			//loggingServer->dump(stream);
+			//writeSimpleResponse(client, 200, &headers, stream.str());
+			if (!req->ended()) {
+				endRequest(&client, &req);
+			}
+		} else {
+			apiServerRespondWith401(this, client, req);
+		}
+	}
+
+	void processConfig(Client *client, Request *req) {
+		if (req->method == HTTP_GET) {
+			if (!authorizeStateInspectionOperation(this, client, req)) {
+				apiServerRespondWith401(this, client, req);
+			}
+
+			HeaderTable headers;
+			Json::Value doc;
+			string logFile = getLogFile();
+			string fileDescriptorLogFile = getFileDescriptorLogFile();
+
+			headers.insert(req->pool, "Content-Type", "application/json");
+			doc["log_level"] = getLogLevel();
+			if (!logFile.empty()) {
+				doc["log_file"] = logFile;
+			}
+			if (!fileDescriptorLogFile.empty()) {
+				doc["file_descriptor_log_file"] = fileDescriptorLogFile;
+			}
+
+			writeSimpleResponse(client, 200, &headers, doc.toStyledString());
+			if (!req->ended()) {
+				endRequest(&client, &req);
+			}
+		} else if (req->method == HTTP_PUT) {
+			if (!authorizeAdminOperation(this, client, req)) {
+				apiServerRespondWith401(this, client, req);
+			} else if (!req->hasBody()) {
+				endAsBadRequest(&client, &req, "Body required");
+			}
+			// Continue in processConfigBody()
+		} else {
+			apiServerRespondWith405(this, client, req);
+		}
+	}
+
+	void processConfigBody(Client *client, Request *req) {
+		HeaderTable headers;
+		Json::Value &json = req->jsonBody;
+
+		headers.insert(req->pool, "Content-Type", "application/json");
+
+		if (json.isMember("log_level")) {
+			setLogLevel(json["log_level"].asInt());
+		}
+		if (json.isMember("log_file")) {
+			string logFile = json["log_file"].asString();
+			try {
+				logFile = absolutizePath(logFile);
+			} catch (const SystemException &e) {
+				unsigned int bufsize = 1024;
+				char *message = (char *) psg_pnalloc(req->pool, bufsize);
+				snprintf(message, bufsize, "{ \"status\": \"error\", "
+					"\"message\": \"Cannot absolutize log file filename: %s\" }",
+					e.what());
+				writeSimpleResponse(client, 500, &headers, message);
+				if (!req->ended()) {
+					endRequest(&client, &req);
+				}
+				return;
+			}
+
+			int e;
+			if (!setLogFile(logFile, &e)) {
+				unsigned int bufsize = 1024;
+				char *message = (char *) psg_pnalloc(req->pool, bufsize);
+				snprintf(message, bufsize, "{ \"status\": \"error\", "
+					"\"message\": \"Cannot open log file: %s (errno=%d)\" }",
+					strerror(e), e);
+				writeSimpleResponse(client, 500, &headers, message);
+				if (!req->ended()) {
+					endRequest(&client, &req);
+				}
+				return;
+			}
+			P_NOTICE("Log file opened.");
+		}
+
+		writeSimpleResponse(client, 200, &headers, "{ \"status\": \"ok\" }");
+		if (!req->ended()) {
+			endRequest(&client, &req);
+		}
+	}
+
+	bool authorizeFdPassingOperation(Client *client, Request *req) {
+		const LString *password = req->headers.lookup("fd-passing-password");
+		if (password == NULL) {
+			return false;
+		}
+
+		password = psg_lstr_make_contiguous(password, req->pool);
+		return constantTimeCompare(StaticString(password->start->data, password->size),
+			fdPassingPassword);
+	}
+
+	void processConfigLogFileFd(Client *client, Request *req) {
+		if (req->method != HTTP_GET) {
+			apiServerRespondWith405(this, client, req);
+		} else if (authorizeFdPassingOperation(client, req)) {
+			HeaderTable headers;
+			headers.insert(req->pool, "Cache-Control", "no-cache, no-store, must-revalidate");
+			headers.insert(req->pool, "Content-Type", "text/plain");
+			headers.insert(req->pool, "Filename", getLogFile());
+			req->wantKeepAlive = false;
+			writeSimpleResponse(client, 200, &headers, "");
+			if (req->ended()) {
+				return;
+			}
+
+			unsigned long long timeout = 1000000;
+			setBlocking(client->getFd());
+			writeFileDescriptorWithNegotiation(client->getFd(), STDERR_FILENO,
+				&timeout);
+			setNonBlocking(client->getFd());
+
+			if (!req->ended()) {
+				endRequest(&client, &req);
+			}
+		} else {
+			apiServerRespondWith401(this, client, req);
+		}
+	}
+
+protected:
+	virtual void onRequestBegin(Client *client, Request *req) {
+		const StaticString path(req->path.start->data, req->path.size);
+
+		P_INFO("API request: " << http_method_str(req->method) <<
+			" " << StaticString(req->path.start->data, req->path.size));
+
+		try {
+			route(client, req, path);
+		} catch (const oxt::tracable_exception &e) {
+			SKC_ERROR(client, "Exception: " << e.what() << "\n" << e.backtrace());
+			if (!req->ended()) {
+				req->wantKeepAlive = false;
+				endRequest(&client, &req);
+			}
+		}
+	}
+
+	virtual ServerKit::Channel::Result onRequestBody(Client *client, Request *req,
+		const MemoryKit::mbuf &buffer, int errcode)
+	{
+		if (buffer.size() > 0) {
+			// Data
+			req->body.append(buffer.start, buffer.size());
+		} else if (errcode == 0) {
+			// EOF
+			Json::Reader reader;
+			if (reader.parse(req->body, req->jsonBody)) {
+				try {
+					processConfigBody(client, req);
+				} catch (const oxt::tracable_exception &e) {
+					SKC_ERROR(client, "Exception: " << e.what() << "\n" << e.backtrace());
+					if (!req->ended()) {
+						req->wantKeepAlive = false;
+						endRequest(&client, &req);
+					}
+				}
+			} else {
+				apiServerRespondWith422(this, client, req, reader.getFormattedErrorMessages());
+			}
+		} else {
+			// Error
+			disconnect(&client);
+		}
+		return ServerKit::Channel::Result(buffer.size(), false);
+	}
+
+	virtual void deinitializeRequest(Client *client, Request *req) {
+		req->body.clear();
+		if (!req->jsonBody.isNull()) {
+			req->jsonBody = Json::Value();
+		}
+		ParentClass::deinitializeRequest(client, req);
+	}
+
+public:
+	ApiAccountDatabase *apiAccountDatabase;
+	EventFd *exitEvent;
+	string fdPassingPassword;
+
+	ApiServer(ServerKit::Context *context)
+		: ParentClass(context),
+		  apiAccountDatabase(NULL),
+		  exitEvent(NULL)
+		{ }
+
+	virtual StaticString getServerName() const {
+		return P_STATIC_STRING("WatchdogApiServer");
+	}
+
+	virtual unsigned int getClientName(const Client *client, char *buf, size_t size) const {
+		return ParentClass::getClientName(client, buf, size);
+	}
+
+	bool authorizeByUid(uid_t uid) const {
+		return uid == 0 || uid == geteuid();
+	}
+
+	bool authorizeByApiKey(const ApplicationPool2::ApiKey &apiKey) const {
+		return apiKey.isSuper();
+	}
+};
+
+
+} // namespace WatchdogAgent
+} // namespace Passenger
+
+#endif /* _PASSENGER_WATCHDOG_AGENT_API_SERVER_H_ */

data/ext/common/agents/Watchdog/Main.cpp

@@ -22,6 +22,9 @@
  *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  *  THE SOFTWARE.
  */
+// Include ev++.h early to avoid macro clash on EV_ERROR.
+#include <ev++.h>
+
 #include <oxt/thread.hpp>
 #include <oxt/system_calls.hpp>
 #include <boost/function.hpp>
@@ -55,9 +58,10 @@
 #include <cerrno>
 
 #include <agents/Base.h>
+#include <agents/ApiServerUtils.h>
 #include <agents/HelperAgent/OptionParser.h>
 #include <agents/LoggingAgent/OptionParser.h>
-#include <agents/Watchdog/AdminServer.h>
+#include <agents/Watchdog/ApiServer.h>
 #include <Constants.h>
 #include <InstanceDirectory.h>
 #include <FileDescriptor.h>
@@ -113,11 +117,11 @@ namespace WatchdogAgent {
 		bool pidsCleanedUp;
 		bool pidFileCleanedUp;
 
-		vector<AdminServer::Authorization> adminAuthorizations;
-		int adminServerFds[SERVER_KIT_MAX_SERVER_ENDPOINTS];
+		ApiAccountDatabase apiAccountDatabase;
+		int apiServerFds[SERVER_KIT_MAX_SERVER_ENDPOINTS];
 		BackgroundEventLoop *bgloop;
 		ServerKit::Context *serverKitContext;
-		AdminServer *adminServer;
+		ApiServer *apiServer;
 
 		WorkingObjects()
 			: errorEvent(__FILE__, __LINE__, "WorkingObjects: errorEvent"),
@@ -127,10 +131,10 @@ namespace WatchdogAgent {
 			  pidFileCleanedUp(false),
 			  bgloop(NULL),
 			  serverKitContext(NULL),
-			  adminServer(NULL)
+			  apiServer(NULL)
 		{
 			for (unsigned int i = 0; i < SERVER_KIT_MAX_SERVER_ENDPOINTS; i++) {
-				adminServerFds[i] = -1;
+				apiServerFds[i] = -1;
 			}
 		}
 	};
@@ -293,11 +297,11 @@ waitForStarterProcessOrWatchers(const WorkingObjectsPtr &wo, vector<AgentWatcher
 	sigaction(SIGINT, &action, NULL);
 	sigaction(SIGTERM, &action, NULL);
 
-	P_DEBUG("Stopping admin server");
+	P_DEBUG("Stopping API server");
 	wo->bgloop->stop();
 	for (unsigned int i = 0; i < SERVER_KIT_MAX_SERVER_ENDPOINTS; i++) {
-		if (wo->adminServerFds[i] != -1) {
-			syscalls::close(wo->adminServerFds[i]);
+		if (wo->apiServerFds[i] != -1) {
+			syscalls::close(wo->apiServerFds[i]);
 		}
 	}
 
@@ -558,16 +562,15 @@ usage() {
 	printf("                              logging server\n");
 	printf("\n");
 	printf("Other options (optional):\n");
-	printf("      --admin-listen ADDRESS\n");
-	printf("                            Listen on the given address for admin commands.\n");
+	printf("      --api-listen ADDRESS  Listen on the given address for API commands.\n");
 	printf("                            The address must be formatted as tcp://IP:PORT for\n");
 	printf("                            TCP sockets, or unix:PATH for Unix domain sockets.\n");
 	printf("                            You can specify this option multiple times (up to\n");
 	printf("                            %u times) to listen on multiple addresses.\n",
 		SERVER_KIT_MAX_SERVER_ENDPOINTS - 1);
 	printf("      --authorize [LEVEL]:USERNAME:PASSWORDFILE\n");
-	printf("                            Enables authentication on the admin server, through\n");
-	printf("                            the given admin account. LEVEL indicates the\n");
+	printf("                            Enables authentication on the API server, through\n");
+	printf("                            the given API account. LEVEL indicates the\n");
 	printf("                            privilege level (see below). PASSWORDFILE must\n");
 	printf("                            point to a file containing the password\n");
 	printf("\n");
@@ -599,7 +602,7 @@ usage() {
 	printf("\n");
 	printf("[A] = Automatically passed to supervised agents\n");
 	printf("\n");
-	printf("Admin account privilege levels (ordered from most to least privileges):\n");
+	printf("API account privilege levels (ordered from most to least privileges):\n");
 	printf("  readonly    Read-only access\n");
 	printf("  full        Full access (default)\n");
 }
@@ -653,20 +656,20 @@ parseOptions(int argc, const char *argv[], VariantMap &options) {
 					exit(1);
 				}
 			}
-		} else if (p.isValueFlag(argc, i, argv[i], '\0', "--admin-listen")) {
+		} else if (p.isValueFlag(argc, i, argv[i], '\0', "--api-listen")) {
 			if (getSocketAddressType(argv[i + 1]) != SAT_UNKNOWN) {
-				vector<string> addresses = options.getStrSet("watchdog_admin_addresses",
+				vector<string> addresses = options.getStrSet("watchdog_api_addresses",
 					false);
 				if (addresses.size() == SERVER_KIT_MAX_SERVER_ENDPOINTS - 1) {
-					fprintf(stderr, "ERROR: you may specify up to %u --admin-listen addresses.\n",
+					fprintf(stderr, "ERROR: you may specify up to %u --api-listen addresses.\n",
 						SERVER_KIT_MAX_SERVER_ENDPOINTS - 1);
 					exit(1);
 				}
 				addresses.push_back(argv[i + 1]);
-				options.setStrSet("watchdog_admin_addresses", addresses);
+				options.setStrSet("watchdog_api_addresses", addresses);
 				i += 2;
 			} else {
-				fprintf(stderr, "ERROR: invalid address format for --admin-listen. The address "
+				fprintf(stderr, "ERROR: invalid address format for --api-listen. The address "
 					"must be formatted as tcp://IP:PORT for TCP sockets, or unix:PATH "
 					"for Unix domain sockets.\n");
 				exit(1);
@@ -1016,6 +1019,7 @@ initializeWorkingObjects(const WorkingObjectsPtr &wo, InstanceDirToucherPtr &ins
 			fullAdminPassword, S_IRUSR | S_IWUSR);
 	}
 	options.setDefault("server_pid_file", wo->instanceDir->getPath() + "/server.pid");
+	options.set("watchdog_fd_passing_password", wo->randomGenerator.generateAsciiString(24));
 
 	UPDATE_TRACE_POINT();
 	strset = options.getStrSet("server_addresses", false);
@@ -1025,20 +1029,20 @@ initializeWorkingObjects(const WorkingObjectsPtr &wo, InstanceDirToucherPtr &ins
 	options.setDefault("server_password",
 		wo->randomGenerator.generateAsciiString(24));
 
-	strset = options.getStrSet("server_admin_addresses", false);
+	strset = options.getStrSet("server_api_addresses", false);
 	strset.insert(strset.begin(),
-		"unix:" + wo->instanceDir->getPath() + "/agents.s/server_admin");
-	options.setStrSet("server_admin_addresses", strset);
+		"unix:" + wo->instanceDir->getPath() + "/agents.s/server_api");
+	options.setStrSet("server_api_addresses", strset);
 
 	UPDATE_TRACE_POINT();
 	options.setDefault("logging_agent_address",
 		"unix:" + wo->instanceDir->getPath() + "/agents.s/logging");
 	options.setDefault("logging_agent_password",
 		wo->randomGenerator.generateAsciiString(24));
-	strset = options.getStrSet("logging_agent_admin_addresses", false);
+	strset = options.getStrSet("logging_agent_api_addresses", false);
 	strset.insert(strset.begin(),
-		"unix:" + wo->instanceDir->getPath() + "/agents.s/logging_admin");
-	options.setStrSet("logging_agent_admin_addresses", strset);
+		"unix:" + wo->instanceDir->getPath() + "/agents.s/logging_api");
+	options.setStrSet("logging_agent_api_addresses", strset);
 
 	UPDATE_TRACE_POINT();
 	strset = options.getStrSet("logging_agent_authorizations", false);
@@ -1077,34 +1081,11 @@ makeFileWorldReadableAndWritable(const string &path) {
 }
 
 static void
-parseAndAddAdminAuthorization(const WorkingObjectsPtr &wo, const string &description) {
-	TRACE_POINT();
-	AdminServer::Authorization auth;
-	vector<string> args;
-
-	split(description, ':', args);
-
-	if (args.size() == 2) {
-		auth.level = AdminServer::FULL;
-		auth.username = args[0];
-		auth.password = strip(readAll(args[1]));
-	} else if (args.size() == 3) {
-		auth.level = AdminServer::parseLevel(args[0]);
-		auth.username = args[1];
-		auth.password = strip(readAll(args[2]));
-	} else {
-		P_BUG("Too many elements in authorization description");
-	}
-
-	wo->adminAuthorizations.push_back(auth);
-}
-
-static void
-initializeAdminServer(const WorkingObjectsPtr &wo) {
+initializeApiServer(const WorkingObjectsPtr &wo) {
 	TRACE_POINT();
 	VariantMap &options = *agentsOptions;
 	vector<string> authorizations = options.getStrSet("watchdog_authorizations", false);
-	vector<string> adminAddresses = options.getStrSet("watchdog_admin_addresses", false);
+	vector<string> apiAddresses = options.getStrSet("watchdog_api_addresses", false);
 	string description;
 
 	UPDATE_TRACE_POINT();
@@ -1117,21 +1098,25 @@ initializeAdminServer(const WorkingObjectsPtr &wo) {
 	options.setStrSet("watchdog_authorizations", authorizations);
 
 	foreach (description, authorizations) {
-		parseAndAddAdminAuthorization(wo, description);
+		try {
+			wo->apiAccountDatabase.add(description);
+		} catch (const ArgumentException &e) {
+			throw std::runtime_error(e.what());
+		}
 	}
 
 	UPDATE_TRACE_POINT();
-	adminAddresses.insert(adminAddresses.begin(),
-		"unix:" + wo->instanceDir->getPath() + "/agents.s/watchdog");
-	options.setStrSet("watchdog_admin_addresses", adminAddresses);
+	apiAddresses.insert(apiAddresses.begin(),
+		"unix:" + wo->instanceDir->getPath() + "/agents.s/watchdog_api");
+	options.setStrSet("watchdog_api_addresses", apiAddresses);
 
 	UPDATE_TRACE_POINT();
-	for (unsigned int i = 0; i < adminAddresses.size(); i++) {
-		P_DEBUG("Admin server will listen on " << adminAddresses[i]);
-		wo->adminServerFds[i] = createServer(adminAddresses[i], 0, true,
+	for (unsigned int i = 0; i < apiAddresses.size(); i++) {
+		P_DEBUG("API server will listen on " << apiAddresses[i]);
+		wo->apiServerFds[i] = createServer(apiAddresses[i], 0, true,
 			__FILE__, __LINE__);
-		if (getSocketAddressType(adminAddresses[i]) == SAT_UNIX) {
-			makeFileWorldReadableAndWritable(parseUnixSocketAddress(adminAddresses[i]));
+		if (getSocketAddressType(apiAddresses[i]) == SAT_UNIX) {
+			makeFileWorldReadableAndWritable(parseUnixSocketAddress(apiAddresses[i]));
 		}
 	}
 
@@ -1143,11 +1128,51 @@ initializeAdminServer(const WorkingObjectsPtr &wo) {
 		absolutizePath(options.get("data_buffer_dir"));
 
 	UPDATE_TRACE_POINT();
-	wo->adminServer = new AdminServer(wo->serverKitContext);
-	wo->adminServer->exitEvent = &wo->exitEvent;
-	wo->adminServer->authorizations = wo->adminAuthorizations;
-	for (unsigned int i = 0; i < adminAddresses.size(); i++) {
-		wo->adminServer->listen(wo->adminServerFds[i]);
+	wo->apiServer = new ApiServer(wo->serverKitContext);
+	wo->apiServer->apiAccountDatabase = &wo->apiAccountDatabase;
+	wo->apiServer->exitEvent = &wo->exitEvent;
+	wo->apiServer->fdPassingPassword = options.get("watchdog_fd_passing_password");
+	for (unsigned int i = 0; i < apiAddresses.size(); i++) {
+		wo->apiServer->listen(wo->apiServerFds[i]);
+	}
+}
+
+static void
+createCompatSymlinks(const WorkingObjectsPtr &wo) {
+	/* In 5.0.10, 'watchdog' has been renamed to 'watchdog_api',
+	 * 'server_admin' has been renamed to 'server_api',
+	 * and 'logging_admin' has been renamed to 'logging_api'.
+	 * To maintain backward compatibility with older versions of
+	 * passenger-status etc, we create compatibility symlinks.
+	 */
+	int ret, e;
+	string prefix = wo->instanceDir->getPath() + "/agents.s/";
+
+	do {
+		ret = symlink("watchdog_api", (prefix + "watchdog").c_str());
+	} while (ret == -1 && errno == EAGAIN);
+	if (ret == -1) {
+		e = errno;
+		throw FileSystemException("Cannot create symlink: " + prefix + "watchdog",
+			e, prefix + "watchdog");
+	}
+
+	do {
+		ret = symlink("server_api", (prefix + "server_admin").c_str());
+	} while (ret == -1 && errno == EAGAIN);
+	if (ret == -1) {
+		e = errno;
+		throw FileSystemException("Cannot create symlink: " + prefix + "server_admin",
+			e, prefix + "server_admin");
+	}
+
+	do {
+		ret = symlink("logging_api", (prefix + "logging_admin").c_str());
+	} while (ret == -1 && errno == EAGAIN);
+	if (ret == -1) {
+		e = errno;
+		throw FileSystemException("Cannot create symlink: " + prefix + "logging_admin",
+			e, prefix + "logging_admin");
 	}
 }
 
@@ -1280,7 +1305,8 @@ watchdogMain(int argc, char *argv[]) {
 		lowerPrivilege();
 		initializeWorkingObjects(wo, instanceDirToucher, uidBeforeLoweringPrivilege);
 		initializeAgentWatchers(wo, watchers);
-		initializeAdminServer(wo);
+		initializeApiServer(wo);
+		createCompatSymlinks(wo);
 		UPDATE_TRACE_POINT();
 		runHookScriptAndThrowOnError("before_watchdog_initialization");
 	} catch (const std::exception &e) {