passenger 5.3.4 → 5.3.5

data/src/agent/Core/OptionParser.h

@@ -94,7 +94,12 @@ coreUsage() {
 	printf("                            Disable the periodic check and notice about\n");
 	printf("                            important security updates\n");
 	printf("      --security-update-check-proxy PROXY\n");
-	printf("                            Use http/SOCKS proxy for the security update check:\n");
+	printf("                            Use HTTP/SOCKS proxy for the security update check:\n");
+	printf("                            scheme://user:password@proxy_host:proxy_port\n");
+	printf("      --disable-anonymous-telemetry\n");
+	printf("                            Disable anonymous telemetry collection\n");
+	printf("      --anonymous-telemetry-proxy PROXY\n");
+	printf("                            Use HTTP/SOCKS proxy for anonymous telemetry sending:\n");
 	printf("                            scheme://user:password@proxy_host:proxy_port\n");
 	printf("\n");
 	printf("Application serving options (optional):\n");
@@ -282,6 +287,12 @@ parseCoreOption(int argc, const char *argv[], int &i, Json::Value &updates) {
 	} else if (p.isValueFlag(argc, i, argv[i], '\0', "--security-update-check-proxy")) {
 		updates["security_update_checker_proxy_url"] = argv[i + 1];
 		i += 2;
+	} else if (p.isFlag(argv[i], '\0', "--disable-anonymous-telemetry")) {
+		updates["telemetry_collector_disabled"] = true;
+		i++;
+	} else if (p.isValueFlag(argc, i, argv[i], '\0', "--anonymous-telemetry-proxy")) {
+		updates["telemetry_collector_proxy_url"] = argv[i + 1];
+		i += 2;
 	} else if (p.isValueFlag(argc, i, argv[i], '\0', "--max-pool-size")) {
 		updates["max_pool_size"] = atoi(argv[i + 1]);
 		i += 2;

data/src/agent/Core/SpawningKit/Config.h

@@ -221,7 +221,7 @@ public:
 	StaticString processTitle;
 
 	/**
-	 * An application type name, e.g. "rack" or "node". The only use for this
+	 * An application type name, e.g. "ruby" or "nodejs". The only use for this
 	 * in SpawningKit is to better format error messages.
 	 *
 	 * @hinted_parseable

data/src/agent/Core/SpawningKit/Context.h

@@ -36,6 +36,7 @@
 #include <ResourceLocator.h>
 #include <RandomGenerator.h>
 #include <Exceptions.h>
+#include <WrapperRegistry/Registry.h>
 #include <Utils/JsonUtils.h>
 #include <ConfigKit/Store.h>
 
@@ -132,7 +133,8 @@ private:
 public:
 	/****** Dependencies ******/
 
-	ResourceLocator *resourceLocator;
+	const ResourceLocator *resourceLocator;
+	const WrapperRegistry::Registry *wrapperRegistry;
 	RandomGeneratorPtr randomGenerator;
 	string integrationMode;
 	string instanceDir;
@@ -147,6 +149,7 @@ public:
 		  nextPort(0),
 
 		  resourceLocator(NULL),
+		  wrapperRegistry(NULL),
 		  debugSupport(NULL)
 	{
 		vector<ConfigKit::Error> errors;
@@ -185,6 +188,9 @@ public:
 		if (resourceLocator == NULL) {
 			throw RuntimeException("ResourceLocator not initialized");
 		}
+		if (wrapperRegistry == NULL) {
+			throw RuntimeException("WrapperRegistry not initialized");
+		}
 		if (randomGenerator == NULL) {
 			randomGenerator = boost::make_shared<RandomGenerator>();
 		}

data/src/agent/Core/SpawningKit/Exceptions.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2011-2017 Phusion Holding B.V.
+ *  Copyright (c) 2011-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -29,6 +29,7 @@
 #include <oxt/tracable_exception.hpp>
 #include <string>
 #include <stdexcept>
+#include <limits>
 
 #include <Constants.h>
 #include <Exceptions.h>
@@ -602,7 +603,7 @@ private:
 					" scripts.</p>");
 				break;
 			case SUBPROCESS_APP_LOAD_OR_EXEC:
-				if (config.appType == "node") {
+				if (config.appType == "nodejs") {
 					message.append(
 						"<h3>Check whether the application calls <code>http.Server.listen()</code></h3>"
 						"<p>" SHORT_PROGRAM_NAME " requires that the application calls"
@@ -736,12 +737,13 @@ private:
 		const char *command[] = { "/bin/sh", "-c", "ulimit -a", NULL };
 		try {
 			SubprocessInfo info;
-			string result;
-			runCommandAndCaptureOutput(command, info, result);
-			if (result.empty()) {
-				result.assign("Error: command 'ulimit -a' failed");
+			SubprocessOutput output;
+			runCommandAndCaptureOutput(command, info, output,
+				std::numeric_limits<size_t>::max());
+			if (output.data.empty()) {
+				output.data.assign("Error: command 'ulimit -a' failed");
 			}
-			return result;
+			return output.data;
 		} catch (const SystemException &e) {
 			return P_STATIC_STRING("Error: command 'ulimit -a' failed: ") + e.what();
 		}
@@ -751,12 +753,13 @@ private:
 		const char *command[] = { "id", "-a", NULL };
 		try {
 			SubprocessInfo info;
-			string result;
-			runCommandAndCaptureOutput(command, info, result);
-			if (result.empty()) {
-				result.assign("Error: command 'id -a' failed");
+			SubprocessOutput output;
+			runCommandAndCaptureOutput(command, info, output,
+				std::numeric_limits<size_t>::max());
+			if (output.data.empty()) {
+				output.data.assign("Error: command 'id -a' failed");
 			}
-			return result;
+			return output.data;
 		} catch (const SystemException &e) {
 			return P_STATIC_STRING("Error: command 'id -a' failed: ") + e.what();
 		}

data/src/agent/Core/SpawningKit/README.md

@@ -6,7 +6,7 @@ Spawning an application process is complex, involving many steps and with many f
 
 Here is how SpawningKit is used. The caller supplies various parameters such as where the application is located, what language it's written in, what environment variables to apply, etc. SpawningKit then spawns the application process, checks whether the application spawned properly or whether it encountered an error, and then either returns an object that describes the resulting process or throws an exception that describes the failure.
 
-Reliability and visibility are core features in SpawningKit. When SpawningKit returns, you know for sure whether the process started correctly or not. If the application did not start correctly, then the resulting exception describes the failure in a detailed enough manner that allows users to pinpoint the source of the problem. SpawningKit also enforces timeouts everywhere so that stuck processes are handled as well.
+Reliability and visibility are core features of SpawningKit. When SpawningKit returns, you know for sure whether the process started correctly or not. If the application did not start correctly, then the resulting exception describes the failure in a detailed enough manner that allows users to pinpoint the source of the problem. SpawningKit also enforces timeouts everywhere so that stuck processes are handled as well.
 
 **Table of contents**:
 
@@ -17,6 +17,13 @@ Reliability and visibility are core features in SpawningKit. When SpawningKit re
    - The start command
    - Summary with examples
  * API and implementation highlights
+   - Context
+   - Spawners (high-level API)
+   - HandshakePrepare and HandshakePerform (low-level API)
+   - Configuration object
+   - Exception object
+   - Journey
+   - ErrorRenderer
  * Overview of the spawning journey
    - When spawning a process without a preloader
    - When starting a preloader
@@ -42,19 +49,39 @@ Reliability and visibility are core features in SpawningKit. When SpawningKit re
 
 ### Generic vs SpawningKit-enabled applications
 
+    All applications
+     |
+     +-- Generic applications
+     |   (without explicit SpawningKit support; `genericApp = true`)
+     |
+     +-- SpawningKit-enabled applications
+         (with explicit SpawningKit support; `genericApp = false`)
+           |
+           +-- Applications with SpawningKit support automatically injected
+           |   through a "wrapper"; no manual modifications
+           |   (`startsUsingWrapper = true`)
+           |
+           +-- Applications manually modified with SpawningKit support
+               (`startsUsingWrapper = false`)
+
 SpawningKit can be used to spawn any web application, both those with and without explicit SpawningKit support.
 
+> A generic application corresponds to setting the SpawningKit config `genericApp = true`.
+
 When SpawningKit is used to spawn a generic application (without explicit SpawningKit support), the only requirement is that the application can be instructed to start and to listen on a specific TCP port on localhost. The user needs to specify a command string that tells SpawningKit how that is to be done. SpawningKit then looks for a free port that the application may use and executes the application using the supplied command string, telling it to listen on that specific port. (This approach is inspired by Heroku's Procfile system.) SpawningKit waits until the application is up by pinging the port. If the application fails (e.g. by terminating early or by not responding to pings in time) then SpawningKit will abort, reporting the application's stdout and stderr output.
 
+> A SpawningKit-enabled application corresponds to setting the SpawningKit config `genericApp = false`.
+
 Applications can also be modified with explicit SpawningKit support. Such applications can improve performance by telling SpawningKit that it wishes to listen on a Unix domain socket instead of a TCP socket; and they can provide more feedback about any spawning failures, such as with HTML-formatted error messages or by providing more information about where internally in the application or web framework the failure occurred.
 
 ### Wrappers
 
-In general, it is better if an application has explicit SpawningKit support, because then it is able to provide a nicer experience and better performance. But having to modify the application's code is a major hurdle.
+As we said, apps with explicit SpawningKit support is preferred (nicer experience, better performance). There are two ways to add SpawningKit support to an app:
 
-Luckily, it is not always necessary to modify the application. Wrappers are small programs that aid in loading applications written in specific languages -- in particular interpreted languages because they allow modifying application behavior without requiring code modifications. When a wrapper is used, SpawningKit executes the wrapper, not the actual application. The wrapper loads the application and modifies its behavior in such a way that SpawningKit support is added (e.g. ability to report HTML-formatted errors), without requiring modifications to the application code.
+ 1. By manually modifying the application's code to add SpawningKit support.
+ 2. By automatically injecting SpawningKit support into the app, without any manual code modifications.
 
-Wrappers are only applicable to apps without explicit SpawningKit support.
+Option 2 is the most desirable, and is available to apps written in interpreted languages. This works by executing the application through a *wrapper* instead of directly. The wrapper, which is typically written in the same language as the app, loads the application and injects SpawningKit support.
 
 Passenger comes with a few wrappers for specific languages, but SpawningKit itself is more generic and requires the caller to specify which wrapper to use (if at all).
 
@@ -86,15 +113,7 @@ Using the preforking technique through SpawningKit requires either application c
 
 ### The start command
 
-Regardless of whether SpawningKit is used to spawn an application with or without explicit SpawningKit support, and regardless of whether a wrapper is used and whether the application/wrapper can function as a preloader, SpawningKit asks the caller to supply a "start command" that tells it how to execute the wrapper or the application. SpawningKit then uses the handshaking procedure (see: "Overview of the spawning journey") to communicate with the wrapper/application whether it should start in preloader mode or not.
-
-### Summary with examples
-
-To help you better understand the concepts, the following summarizes some of the above concepts and how they map to supportable languages.
-
-SpawningKit-enabled wrappers are included in Passenger for these languages: Ruby, Python, Node.js, Meteor, and Perl.
-
-Any existing app that accepts http requests can be used by writing a wrapper, and any new app can be written with SpawningKit compatibility to avoid the need for a wrapper.
+Regardless of whether SpawningKit is used to spawn an application directly with or without explicit SpawningKit support, and regardless of whether a wrapper is used and whether the application/wrapper can function as a preloader, SpawningKit asks the caller to supply a "start command" that tells it how to execute the wrapper or the application. SpawningKit then uses the handshaking procedure (see: "Overview of the spawning journey") to communicate with the wrapper/application whether it should start in preloader mode or not.
 
 
 ## API and implementation highlights
@@ -114,7 +133,7 @@ context.integrationMode = "standalone";
 context.finalize();
 ~~~
 
-### Spawners
+### Spawners (high-level API)
 
 Use Spawners to spawn application processes. There are two main types of Spawners:
 
@@ -144,7 +163,7 @@ P_WARN("Application process spawned, PID is " << result.pid);
 
 There is also a DummySpawner class, which is only used during unit tests.
 
-### HandshakePrepare and HandshakePerform
+### HandshakePrepare and HandshakePerform (low-level API)
 
 Inside SmartSpawner and DirectSpawner, HandshakePrepare and HandshakePerform are used to perform a lot of the heavy lifting. See "Overview of the spawning journey" -- HandshakePrepare and HandshakePerform are responsible for most of the stuff described there.
 
@@ -152,8 +171,6 @@ In fact, DirectSpawner is just a thin wrapper around HandshakePrepare and Handsh
 
 SmartSpawner is a bit bigger because it needs to implement the whole preloading mechanism (see section "Preloaders"), but it still uses HandshakePrepare and HandshakePerform to spawn the preloader, and to negotiate with the subprocess created by the preloader.
 
-Here are some simplified interaction diagrams.
-
 ### Configuration object
 
 HandshakePrepare and HandshakePerform do not accept an ApplicationPool::Options object, but a SpawningKit::Config object. It contains the configuration that HandshakePrepare/Perform need to perform a single spawn. SmartSpawner and DirectSpawner internally convert an ApplicationPool::Options into a SpawningKit::Config.

data/src/agent/Core/SpawningKit/Spawner.h

@@ -79,7 +79,8 @@ protected:
 	void setConfigFromAppPoolOptions(Config *config, Json::Value &extraArgs,
 		const AppPoolOptions &options)
 	{
-		string startCommand = options.getStartCommand(*context->resourceLocator);
+		string startCommand = options.getStartCommand(*context->resourceLocator,
+			*context->wrapperRegistry);
 		string envvarsData;
 		try {
 			envvarsData = modp::b64_decode(options.environmentVariables.data(),
@@ -99,7 +100,7 @@ protected:
 		config->findFreePort = false;
 		config->loadShellEnvvars = options.loadShellEnvvars;
 		config->startCommand = startCommand;
-		config->startupFile = options.getStartupFile();
+		config->startupFile = options.getStartupFile(*context->wrapperRegistry);
 		config->appType = options.appType;
 		config->appEnv = options.environment;
 		config->baseURI = options.baseURI;
@@ -112,7 +113,8 @@ protected:
 		config->fileDescriptorUlimit = options.fileDescriptorUlimit;
 		config->startTimeoutMsec = options.startTimeout;
 
-		UserSwitchingInfo info = prepareUserSwitching(options);
+		UserSwitchingInfo info = prepareUserSwitching(options,
+			*context->wrapperRegistry);
 		config->user = info.username;
 		config->group = info.groupname;
 

data/src/agent/Core/SpawningKit/UserSwitchingRules.h

@@ -35,6 +35,7 @@
 #include <boost/shared_array.hpp>
 #include <oxt/backtrace.hpp>
 #include <oxt/system_calls.hpp>
+#include <WrapperRegistry/Registry.h>
 #include <Exceptions.h>
 #include <Utils.h>
 #include <Core/SpawningKit/Context.h>
@@ -61,7 +62,9 @@ struct UserSwitchingInfo {
 };
 
 inline UserSwitchingInfo
-prepareUserSwitching(const AppPoolOptions &options) {
+prepareUserSwitching(const AppPoolOptions &options,
+	const WrapperRegistry::Registry &wrapperRegistry)
+{
 	TRACE_POINT();
 	UserSwitchingInfo info;
 
@@ -95,7 +98,7 @@ prepareUserSwitching(const AppPoolOptions &options) {
 
 	UPDATE_TRACE_POINT();
 	string defaultGroup;
-	string startupFile = absolutizePath(options.getStartupFile(),
+	string startupFile = absolutizePath(options.getStartupFile(wrapperRegistry),
 		absolutizePath(options.appRoot));
 	struct passwd &pwd = info.lveUserPwd;
 	boost::shared_array<char> &pwdBuf = info.lveUserPwdStrBuf;

data/src/agent/Core/TelemetryCollector.h

@@ -0,0 +1,674 @@
+/*
+ *  Phusion Passenger - https://www.phusionpassenger.com/
+ *  Copyright (c) 2018 Phusion Holding B.V.
+ *
+ *  "Passenger", "Phusion Passenger" and "Union Station" are registered
+ *  trademarks of Phusion Holding B.V.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy
+ *  of this software and associated documentation files (the "Software"), to deal
+ *  in the Software without restriction, including without limitation the rights
+ *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *  copies of the Software, and to permit persons to whom the Software is
+ *  furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
+ */
+#ifndef _PASSENGER_TELEMETRY_COLLECTOR_H_
+#define _PASSENGER_TELEMETRY_COLLECTOR_H_
+
+#include <string>
+#include <vector>
+#include <limits>
+#include <cstddef>
+#include <cstdlib>
+#include <cassert>
+
+#include <boost/cstdint.hpp>
+#include <boost/bind.hpp>
+#include <oxt/thread.hpp>
+#include <oxt/backtrace.hpp>
+
+#include <curl/curl.h>
+
+#include <Constants.h>
+#include <Exceptions.h>
+#include <Core/Controller.h>
+#include <LoggingKit/LoggingKit.h>
+#include <ConfigKit/ConfigKit.h>
+#include <Utils/Curl.h>
+#include <Utils/StrIntUtils.h>
+
+namespace Passenger {
+namespace Core {
+
+using namespace std;
+
+
+class TelemetryCollector {
+public:
+	/*
+	 * BEGIN ConfigKit schema: Passenger::TelemetryCollector::Schema
+	 * (do not edit: following text is automatically generated
+	 * by 'rake configkit_schemas_inline_comments')
+	 *
+	 * (unknown: Passenger::TelemetryCollector::Schema not in dev/configkit-schemas/index.json
+	 *  Please run:
+	 *    touch src/schema_printer/SchemaPrinterMain.cpp.cxxcodebuilder
+	 *    rake configkit_schemas_inline_comments
+	 * )
+	 *
+	 * END
+	 */
+	class Schema: public ConfigKit::Schema {
+	private:
+		static void validateProxyUrl(const ConfigKit::Store &config, vector<ConfigKit::Error> &errors) {
+			if (config["proxy_url"].isNull()) {
+				return;
+			}
+			if (config["proxy_url"].asString().empty()) {
+				errors.push_back(ConfigKit::Error("'{{proxy_url}}', if specified, may not be empty"));
+				return;
+			}
+
+			try {
+				prepareCurlProxy(config["proxy_url"].asString());
+			} catch (const ArgumentException &e) {
+				errors.push_back(ConfigKit::Error(
+					P_STATIC_STRING("'{{proxy_url}}': ")
+					+ e.what()));
+			}
+		}
+
+	public:
+		Schema() {
+			using namespace ConfigKit;
+
+			add("disabled", BOOL_TYPE, OPTIONAL, false);
+			add("url", STRING_TYPE, OPTIONAL, "https://anontelemetry.phusionpassenger.com/v1/collect.json");
+			// Should be in the form: scheme://user:password@proxy_host:proxy_port
+			add("proxy_url", STRING_TYPE, OPTIONAL);
+			add("ca_certificate_path", STRING_TYPE, OPTIONAL);
+			add("verify_server", BOOL_TYPE, OPTIONAL, true);
+			add("first_interval", UINT_TYPE, OPTIONAL, 2 * 60 * 60);
+			add("interval", UINT_TYPE, OPTIONAL, 6 * 60 * 60);
+			add("interval_jitter", UINT_TYPE, OPTIONAL, 2 * 60 * 60);
+			add("debug_curl", BOOL_TYPE, OPTIONAL, false);
+			add("timeout", UINT_TYPE, OPTIONAL, 180);
+			add("final_run_timeout", UINT_TYPE, OPTIONAL, 5);
+
+			addValidator(validateProxyUrl);
+
+			finalize();
+		}
+	};
+
+	struct ConfigRealization {
+		CurlProxyInfo proxyInfo;
+		string url;
+		string caCertificatePath;
+
+		ConfigRealization(const ConfigKit::Store &config)
+			: proxyInfo(prepareCurlProxy(config["proxy_url"].asString())),
+			  url(config["url"].asString()),
+			  caCertificatePath(config["ca_certificate_path"].asString())
+			{ }
+
+		void swap(ConfigRealization &other) BOOST_NOEXCEPT_OR_NOTHROW {
+			proxyInfo.swap(other.proxyInfo);
+			url.swap(other.url);
+			caCertificatePath.swap(other.caCertificatePath);
+		}
+	};
+
+	struct ConfigChangeRequest {
+		boost::scoped_ptr<ConfigKit::Store> config;
+		boost::scoped_ptr<ConfigRealization> configRlz;
+	};
+
+	struct TelemetryData {
+		vector<boost::uint64_t> requestsHandled;
+		MonotonicTimeUsec timestamp;
+	};
+
+private:
+	/*
+	 * Since the telemetry collector runs in a separate thread,
+	 * and the configuration can change while the collector is active,
+	 * we make a copy of the current configuration at the beginning
+	 * of each collection cycle.
+	 */
+	struct SessionState {
+		ConfigKit::Store config;
+		ConfigRealization configRlz;
+
+		SessionState(const ConfigKit::Store &currentConfig,
+			const ConfigRealization &currentConfigRlz)
+			: config(currentConfig),
+			  configRlz(currentConfigRlz)
+			{ }
+	};
+
+	mutable boost::mutex configSyncher;
+	ConfigKit::Store config;
+	ConfigRealization configRlz;
+	TelemetryData lastTelemetryData;
+	oxt::thread *collectorThread;
+
+	void threadMain() {
+		TRACE_POINT();
+
+		{
+			// Sleep for a short while to allow interruption during the Apache integration
+			// double startup procedure, this prevents running the update check twice
+			boost::unique_lock<boost::mutex> l(configSyncher);
+			ConfigKit::Store config(this->config);
+			l.unlock();
+
+			unsigned int backoffSec = config["first_interval"].asUInt()
+				+ calculateIntervalJitter(config);
+			P_DEBUG("Next anonymous telemetry collection in " <<
+				distanceOfTimeInWords(SystemTime::get() + backoffSec));
+			boost::this_thread::sleep_for(boost::chrono::seconds(backoffSec));
+		}
+
+		while (!boost::this_thread::interruption_requested()) {
+			UPDATE_TRACE_POINT();
+			unsigned int backoffSec = 0;
+			try {
+				backoffSec = runOneCycle();
+			} catch (const oxt::tracable_exception &e) {
+				P_ERROR(e.what() << "\n" << e.backtrace());
+			}
+
+			if (backoffSec == 0) {
+				boost::unique_lock<boost::mutex> l(configSyncher);
+				backoffSec = config["interval"].asUInt()
+					+ calculateIntervalJitter(config);
+			}
+
+			UPDATE_TRACE_POINT();
+			P_DEBUG("Next anonymous telemetry collection in "
+				<< distanceOfTimeInWords(SystemTime::get() + backoffSec));
+			boost::this_thread::sleep_for(boost::chrono::seconds(backoffSec));
+		}
+	}
+
+	static unsigned int calculateIntervalJitter(const ConfigKit::Store &config) {
+		unsigned int jitter = config["interval_jitter"].asUInt();
+		if (jitter == 0) {
+			return 0;
+		} else {
+			return std::rand() % jitter;
+		}
+	}
+
+	// Virtual to allow mocking in unit tests.
+	virtual TelemetryData collectTelemetryData(bool isFinalRun) const {
+		TRACE_POINT();
+		TelemetryData tmData;
+		unsigned int counter = 0;
+		boost::mutex syncher;
+		boost::condition_variable cond;
+
+		tmData.requestsHandled.resize(controllers.size(), 0);
+
+		UPDATE_TRACE_POINT();
+		for (unsigned int i = 0; i < controllers.size(); i++) {
+			if (isFinalRun) {
+				inspectController(&tmData, controllers[i], i, &counter,
+					&syncher, &cond);
+			} else {
+				controllers[i]->getContext()->libev->runLater(boost::bind(
+					&TelemetryCollector::inspectController, this, &tmData,
+					controllers[i], i, &counter, &syncher, &cond));
+			}
+		}
+
+		UPDATE_TRACE_POINT();
+		{
+			boost::unique_lock<boost::mutex> l(syncher);
+			while (counter != controllers.size()) {
+				cond.wait(l);
+			}
+		}
+
+		tmData.timestamp = SystemTime::getMonotonicUsecWithGranularity
+			<SystemTime::GRAN_1SEC>();
+		return tmData;
+	}
+
+	void inspectController(TelemetryData *tmData, Controller *controller,
+		unsigned int index, unsigned int *counter, boost::mutex *syncher,
+		boost::condition_variable *cond) const
+	{
+		boost::unique_lock<boost::mutex> l(*syncher);
+		tmData->requestsHandled[index] = controller->totalRequestsBegun;
+		(*counter)++;
+		cond->notify_one();
+	}
+
+	string createRequestBody(const TelemetryData &tmData) const {
+		Json::Value doc;
+		boost::uint64_t totalRequestsHandled = 0;
+
+		P_ASSERT_EQ(tmData.requestsHandled.size(),
+			lastTelemetryData.requestsHandled.size());
+
+		for (unsigned int i = 0; i < tmData.requestsHandled.size(); i++) {
+			if (tmData.requestsHandled[i] >= lastTelemetryData.requestsHandled[i]) {
+				totalRequestsHandled += tmData.requestsHandled[i]
+					- lastTelemetryData.requestsHandled[i];
+			} else {
+				// Counter overflowed
+				totalRequestsHandled += std::numeric_limits<boost::uint64_t>::max()
+					- lastTelemetryData.requestsHandled[i]
+					+ 1
+					+ tmData.requestsHandled[i];
+			}
+		}
+
+		doc["requests_handled"] = (Json::UInt64) totalRequestsHandled;
+		doc["begin_time"] = (Json::UInt64) monoTimeToRealTime(
+			lastTelemetryData.timestamp);
+		doc["end_time"] = (Json::UInt64) monoTimeToRealTime(
+			tmData.timestamp);
+		#ifdef PASSENGER_IS_ENTERPRISE
+			doc["edition"] = "enterprise";
+		#else
+			doc["edition"] = "oss";
+		#endif
+
+		return doc.toStyledString();
+	}
+
+	static time_t monoTimeToRealTime(MonotonicTimeUsec monoTime) {
+		MonotonicTimeUsec monoNow = SystemTime::getMonotonicUsecWithGranularity
+			<SystemTime::GRAN_1SEC>();
+		unsigned long long realNow = SystemTime::getUsec();
+		MonotonicTimeUsec diff;
+
+		if (monoNow >= monoTime) {
+			diff = monoNow - monoTime;
+			return (realNow - diff) / 1000000;
+		} else {
+			diff = monoTime - monoNow;
+			return (realNow + diff) / 1000000;
+		}
+	}
+
+	static CURL *prepareCurlRequest(SessionState &sessionState, bool isFinalRun,
+		struct curl_slist **headers, char *lastErrorMessage,
+		const string &requestBody, string &responseData)
+	{
+		CURL *curl;
+		CURLcode code;
+
+		curl = curl_easy_init();
+		if (curl == NULL) {
+			P_ERROR("Error initializing libcurl");
+			return NULL;
+		}
+
+		code = curl_easy_setopt(curl, CURLOPT_VERBOSE,
+			sessionState.config["debug_curl"].asBool() ? 1L : 0L);
+		if (code != CURLE_OK) {
+			goto error;
+		}
+
+		code = setCurlDefaultCaInfo(curl);
+		if (code != CURLE_OK) {
+			goto error;
+		}
+
+		code = setCurlProxy(curl, sessionState.configRlz.proxyInfo);
+		if (code != CURLE_OK) {
+			goto error;
+		}
+
+		code = curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1);
+		if (code != CURLE_OK) {
+			goto error;
+		}
+
+		code = curl_easy_setopt(curl, CURLOPT_URL,
+			sessionState.configRlz.url.c_str());
+		if (code != CURLE_OK) {
+			goto error;
+		}
+
+		code = curl_easy_setopt(curl, CURLOPT_HTTPGET, 0);
+		if (code != CURLE_OK) {
+			goto error;
+		}
+
+		code = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, requestBody.c_str());
+		if (code != CURLE_OK) {
+			goto error;
+		}
+
+		code = curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, requestBody.length());
+		if (code != CURLE_OK) {
+			goto error;
+		}
+
+		*headers = curl_slist_append(NULL, "Content-Type: application/json");
+		code = curl_easy_setopt(curl, CURLOPT_HTTPHEADER, *headers);
+		if (code != CURLE_OK) {
+			goto error;
+		}
+
+		if (!sessionState.configRlz.caCertificatePath.empty()) {
+			code = curl_easy_setopt(curl, CURLOPT_CAINFO,
+				sessionState.configRlz.caCertificatePath.c_str());
+			if (code != CURLE_OK) {
+				goto error;
+			}
+		}
+
+		if (sessionState.config["verify_server"].asBool()) {
+			// These should be on by default, but make sure.
+			code = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
+			if (code != CURLE_OK) {
+				goto error;
+			}
+			code = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
+			if (code != CURLE_OK) {
+				goto error;
+			}
+		} else {
+			code = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
+			if (code != CURLE_OK) {
+				goto error;
+			}
+			code = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
+			if (code != CURLE_OK) {
+				goto error;
+			}
+		}
+
+		code = curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, lastErrorMessage);
+		if (code != CURLE_OK) {
+			goto error;
+		}
+		code = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, receiveResponseBytes);
+		if (code != CURLE_OK) {
+			goto error;
+		}
+		code = curl_easy_setopt(curl, CURLOPT_WRITEDATA, &responseData);
+		if (code != CURLE_OK) {
+			goto error;
+		}
+
+		// setopt failure(s) below don't abort the check.
+		if (isFinalRun) {
+			curl_easy_setopt(curl, CURLOPT_TIMEOUT,
+				sessionState.config["final_run_timeout"].asUInt());
+		} else {
+			curl_easy_setopt(curl, CURLOPT_TIMEOUT,
+				sessionState.config["timeout"].asUInt());
+		}
+
+		return curl;
+
+		error:
+		curl_easy_cleanup(curl);
+		curl_slist_free_all(*headers);
+		P_ERROR("Error setting libcurl handle parameters: " << curl_easy_strerror(code));
+		return NULL;
+	}
+
+	static size_t receiveResponseBytes(void *buffer, size_t size,
+		size_t nmemb, void *userData)
+	{
+		string *responseData = (string *) userData;
+		responseData->append((const char *) buffer, size * nmemb);
+		return size * nmemb;
+	}
+
+	// Virtual to allow mocking in unit tests.
+	virtual CURLcode performCurlAction(CURL *curl, const char *lastErrorMessage,
+		const string &_requestBody, // only used by unit tests
+		string &_responseData, // only used by unit tests
+		long &responseCode)
+	{
+		TRACE_POINT();
+		CURLcode code = curl_easy_perform(curl);
+		if (code != CURLE_OK) {
+			P_ERROR("Error contacting anonymous telemetry server: "
+				<< lastErrorMessage);
+			return code;
+		}
+
+		code = curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &responseCode);
+		if (code != CURLE_OK) {
+			P_ERROR("Error querying libcurl handle for HTTP response code: "
+				<< curl_easy_strerror(code));
+			return code;
+		}
+
+		return CURLE_OK;
+	}
+
+	static bool responseCodeSupported(long code) {
+		return code == 200 || code == 400 || code == 422 || code == 500;
+	}
+
+	static bool parseResponseBody(const string &responseData, Json::Value &jsonBody) {
+		Json::Reader reader;
+		if (reader.parse(responseData, jsonBody, false)) {
+			return true;
+		} else {
+			P_ERROR("Error in anonymous telemetry server response:"
+				" JSON response parse error: " << reader.getFormattedErrorMessages()
+				<< "; data: \"" << cEscapeString(responseData) << "\"");
+			return false;
+		}
+	}
+
+	static bool validateResponseBody(const Json::Value &jsonBody) {
+		if (!jsonBody.isObject()) {
+			P_ERROR("Error in anonymous telemetry server response:"
+				" JSON response is not an object (data: "
+				<< stringifyJson(jsonBody) << ")");
+			return false;
+		}
+		if (!jsonBody.isMember("data_processed")) {
+			P_ERROR("Error in anonymous telemetry server response:"
+				" JSON response must contain a 'data_processed' field (data: "
+				<< stringifyJson(jsonBody) << ")");
+			return false;
+		}
+		if (!jsonBody["data_processed"].isBool()) {
+			P_ERROR("Error in anonymous telemetry server response:"
+				" 'data_processed' field must be a boolean (data: "
+				<< stringifyJson(jsonBody) << ")");
+			return false;
+		}
+		if (jsonBody.isMember("backoff") && !jsonBody["backoff"].isUInt()) {
+			P_ERROR("Error in anonymous telemetry server response:"
+				" 'backoff' field must be an unsigned integer (data: "
+				<< stringifyJson(jsonBody) << ")");
+			return false;
+		}
+		if (jsonBody.isMember("log_message") && !jsonBody["log_message"].isString()) {
+			P_ERROR("Error in anonymous telemetry server response:"
+				" 'log_message' field must be a string (data: "
+				<< stringifyJson(jsonBody) << ")");
+			return false;
+		}
+		return true;
+	}
+
+	unsigned int handleResponseBody(const TelemetryData &tmData,
+		const Json::Value &jsonBody)
+	{
+		unsigned int backoffSec = 0;
+
+		if (jsonBody["data_processed"].asBool()) {
+			lastTelemetryData = tmData;
+		}
+		if (jsonBody.isMember("backoff")) {
+			backoffSec = jsonBody["backoff"].asUInt();
+		}
+		if (jsonBody.isMember("log_message")) {
+			P_NOTICE("Message from " PROGRAM_AUTHOR ": " << jsonBody["log_message"].asString());
+		}
+
+		return backoffSec;
+	}
+
+public:
+	// Dependencies
+	vector<Controller *> controllers;
+
+	TelemetryCollector(const Schema &schema,
+		const Json::Value &initialConfig = Json::Value(),
+		const ConfigKit::Translator &translator = ConfigKit::DummyTranslator())
+		: config(schema, initialConfig, translator),
+		  configRlz(config),
+		  collectorThread(NULL)
+		{ }
+
+	virtual ~TelemetryCollector() {
+		stop();
+	}
+
+	void initialize() {
+		if (controllers.empty()) {
+			throw RuntimeException("controllers must be initialized");
+		}
+		lastTelemetryData.requestsHandled.resize(controllers.size(), 0);
+		lastTelemetryData.timestamp =
+			SystemTime::getMonotonicUsecWithGranularity<SystemTime::GRAN_1SEC>();
+	}
+
+	void start() {
+		assert(!lastTelemetryData.requestsHandled.empty());
+		collectorThread = new oxt::thread(
+			boost::bind(&TelemetryCollector::threadMain, this),
+			"Telemetry collector",
+			1024 * 512
+		);
+	}
+
+	void stop() {
+		if (collectorThread != NULL) {
+			collectorThread->interrupt_and_join();
+			delete collectorThread;
+			collectorThread = NULL;
+		}
+	}
+
+	unsigned int runOneCycle(bool isFinalRun = false) {
+		TRACE_POINT();
+		boost::unique_lock<boost::mutex> l(configSyncher);
+		SessionState sessionState(config, configRlz);
+		l.unlock();
+
+		if (sessionState.config["disabled"].asBool()) {
+			P_DEBUG("Telemetry collector disabled; not sending anonymous telemetry data");
+			return 0;
+		}
+
+		UPDATE_TRACE_POINT();
+		TelemetryData tmData = collectTelemetryData(isFinalRun);
+
+		UPDATE_TRACE_POINT();
+		CURL *curl = NULL;
+		CURLcode code;
+		struct curl_slist *headers = NULL;
+		string requestBody = createRequestBody(tmData);
+		string responseData;
+		char lastErrorMessage[CURL_ERROR_SIZE] = "unknown error";
+		Json::Value jsonBody;
+
+		curl = prepareCurlRequest(sessionState, isFinalRun, &headers,
+			lastErrorMessage, requestBody, responseData);
+		if (curl == NULL) {
+			// Error message already printed
+			goto error;
+		}
+
+		P_INFO("Sending anonymous telemetry data to " PROGRAM_AUTHOR);
+		P_DEBUG("Telemetry server URL is: " << sessionState.configRlz.url);
+		P_DEBUG("Telemetry data to be sent is: " << requestBody);
+
+		UPDATE_TRACE_POINT();
+		long responseCode;
+		code = performCurlAction(curl, lastErrorMessage, requestBody,
+			responseData, responseCode);
+		if (code != CURLE_OK) {
+			// Error message already printed
+			goto error;
+		}
+
+		UPDATE_TRACE_POINT();
+		P_DEBUG("Response from telemetry server: status=" << responseCode
+			<< ", body=" << responseData);
+
+		if (!responseCodeSupported(responseCode)) {
+			P_ERROR("Error from anonymous telemetry server:"
+				" response status not supported: " << responseCode);
+			goto error;
+		}
+
+		if (!parseResponseBody(responseData, jsonBody)
+		 || !validateResponseBody(jsonBody))
+		{
+			// Error message already printed
+			goto error;
+		}
+
+		curl_slist_free_all(headers);
+		curl_easy_cleanup(curl);
+
+		return handleResponseBody(tmData, jsonBody);
+
+		error:
+		curl_slist_free_all(headers);
+		if (curl != NULL) {
+			curl_easy_cleanup(curl);
+		}
+		return 0;
+	}
+
+	bool prepareConfigChange(const Json::Value &updates,
+		vector<ConfigKit::Error> &errors, ConfigChangeRequest &req)
+	{
+		{
+			boost::lock_guard<boost::mutex> l(configSyncher);
+			req.config.reset(new ConfigKit::Store(config, updates, errors));
+		}
+		if (errors.empty()) {
+			req.configRlz.reset(new ConfigRealization(*req.config));
+		}
+		return errors.empty();
+	}
+
+	void commitConfigChange(ConfigChangeRequest &req) BOOST_NOEXCEPT_OR_NOTHROW {
+		boost::lock_guard<boost::mutex> l(configSyncher);
+		config.swap(*req.config);
+		configRlz.swap(*req.configRlz);
+	}
+
+	Json::Value inspectConfig() const {
+		boost::lock_guard<boost::mutex> l(configSyncher);
+		return config.inspect();
+	}
+};
+
+
+} // namespace Core
+} // namespace Passenger
+
+#endif /* _PASSENGER_TELEMETRY_COLLECTOR_H_ */