by Nikolay Hristov (20-04-2012)


The software written by Professor Daniel J. Bernstein is hard for many people to understand, and perhaps that is why it is not so popular. In this article I will try to explain the concept behind his programs.

Bernstein follows the UNIX model: programs should be as small as possible, do one strictly defined job, and communicate through Unix pipes. Here is an example that every administrator uses:

   #ps ax|grep httpd|wc -l
         12

A typical pipeline: the output of ps is fed to the input of grep, which keeps only the lines containing httpd, and those go to wc, which counts them and prints the number. Here, 12 httpd server processes are running at the moment. (One practical caveat: the grep process's own command line also contains httpd, so it usually shows up in the count too; `ps ax|grep '[h]ttpd'` avoids that.)

His programs are written in ANSI C and compile on any OS that supports the POSIX model.

We will start with daemontools, which is the foundation of this style of software. Daemontools is a package of small, useful programs that watch over a given process and keep it running. A good analog of this system is Services in Windows XP/7.

Installation is as simple as it gets:

   # wget http://cr.yp.to/daemontools/daemontools...
   # zcat daemontools-0.76.tar.gz|tar xvf -
   # cd admin/daemontools-0.76
   # package/install

The installer adds a line to /etc/inittab:

   SV:123456:respawn:/usr/bin/svscanboot

which tells init that if the svscanboot process exits for any reason, it must be started again.

svscanboot is in fact just a script:

   #!/bin/sh
   # WARNING: This file was auto-generated. Do not edit!
   PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin
   exec </dev/null
   exec >/dev/null
   exec 2>/dev/null

   svc -dx /service/* /service/*/log
   env - PATH=$PATH svscan /service 2>&1 | \
   env - PATH=$PATH readproctitle service errors: ...............................................................


The script runs svscan with the /service directory as its argument, and svscan's output is piped into another small program, readproctitle. If an error occurs while starting any service, the error message is received by readproctitle, which in turn writes it in place of the dots in its own process title. This lets us see errors from /service like so:

   # ps ax|grep readproc
     173 ttyE0- IW    0:00.01 readproctitle service errors: ...............................................................

As you can see, there are no errors. Here is an example with errors (I deliberately changed the run file that starts multilog so that it starts multilog_proba_za_error instead):

   # ps aux|grep readproc
   root       172  0.0  0.0    16   500 ttyE0- S     2Mar12  0:00.02 readproctitle service errors: ...s not exist\nsetuidgid: fatal: unable to run multilog_proba_za_error: file does not exist\n setuidgid: fatal: unable to run multilog_proba_za_error: file does not exist\nsetuidgid: fatal: unable to run multilog_proba_za_error: file does not exist\nsetuidgid: fatal: unable to run multilog_proba_za_error: file does not exist\nsetuidgid: fatal: unable to run multilog_proba_za_error: file does not exist\n

Daemontools directory structure. Each service is started from its own subdirectory of the main daemontools directory, /service (on Debian, for example, it is /etc/service).

Say you want to run a program under daemontools so that it is monitored and, if it exits, started again. To do this, create a directory in a place convenient for you (the example runs sshd under daemontools).

   mkdir -p /etc/svc/sshd
   mkdir -p /etc/svc/sshd/log

Each of these two directories must contain a run file, which does the actual starting of the program. The requirement is that the program must NOT put itself in the background (daemonize).

Daemontools takes care of keeping it running in the background. If the program writes its logs through syslog, you need to look for an option that makes it write its errors and logs to stderr or stdout instead. If you do not, multilog will not be able to capture the logs and write them to the log directory.

/etc/svc/sshd/run is the file in which we start the process itself:

   #!/bin/sh
   exec 2>&1
   exec /usr/local/sbin/sshd -D -e

Note:

The sshd options are there to satisfy the requirements of daemontools (the text below is taken from the sshd man page).

-D When this option is specified, sshd will not detach and does not become a daemon. This allows easy monitoring of sshd.
-e When this option is specified, sshd will send the output to the standard error instead of the system log.

exec 2>&1 redirects everything printed to stderr (2) to stdout (1), so that multilog receives both.

/etc/svc/sshd/log/run is the file in which we start the process that stores sshd's logs:

   #!/bin/sh
   exec setuidgid root multilog t /var/log/sshd

Here multilog is run with the privileges of the root user; t means prepend a timestamp (in TAI64N format, explained below) to each line, and the last argument is the directory in which the logs are kept. Multilog has a few more useful options, for example n (number of log files) and s (size of each log file). Note that the options apply to the directory that follows them, so they must come before it on the command line. If we change the line like so:

   exec setuidgid root multilog t s500000 n50 /var/log/sshd

then each log file will be 500000 bytes and there will be at most 50 log files: when current reaches 500 000 bytes it is rotated to a timestamped file, and when there are more than 50 old files, the oldest one is deleted.

The logs are stored with a timestamp as the file name, except for the one being written, which is named current. A .s suffix means multilog finished writing the file safely; a .u suffix means it was interrupted (for example killed) before it could. Here is an excerpt from a log listing:

   -rwxr--r-- 1 qmaill nogroup 16775307 Mar 14 06:13 @400000004f601b0c36890194.s
   -rwxr--r-- 1 qmaill nogroup 16775283 Mar 17 22:00 @400000004f64ed533284f5e4.s
   -rwxr--r-- 1 qmaill nogroup 16775332 Mar 21 16:57 @400000004f69ec6132814c64.s
   -rwxr--r-- 1 qmaill nogroup 16775234 Mar 26 16:32 @400000004f706ffb12df90dc.s
   -rwxr--r-- 1 qmaill nogroup 16775255 Mar 30 07:42 @400000004f7539d52ef51c4c.s
   -rwxr--r-- 1 qmaill nogroup 16775226 Apr  2 17:13 @400000004f79b3fb24fd9cb4.s
   -rwxr--r-- 1 qmaill nogroup 16775247 Apr  4 12:27 @400000004f7c140f3760cbc4.s
   -rw-r--r-- 1 qmaill nogroup 10108940 Apr 18 15:42 current

The only thing left to start the ssh service under daemontools is to make a symbolic link from the directory we created (/etc/svc/sshd/) into /service/, like so:

   # ln -s /etc/svc/sshd /service/sshd

after which our newly created service is started automatically (svscan rescans /service every five seconds).
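To put the steps above together, here is a small POSIX shell function that scaffolds a service directory in one go. It is example code written for this article, not part of daemontools; the paths, the dedicated log user and the multilog sizes are the example's own assumptions. It writes run and log/run, marks both executable (supervise refuses a run file without the execute bit and reports that through readproctitle), creates an empty down file so supervise does not start the daemon before you have checked the files, and only then links the directory into the scan directory, because svscan rescans it every five seconds and would start a half-written directory straight away. The log process runs as an unprivileged user rather than root; the chown of the log directory is only attempted when the function itself runs as root and the user exists.

```shell
#!/bin/sh
# mksvc - scaffold a daemontools service directory.
# Example code written for this article, not part of daemontools;
# the paths, the log user and the multilog sizes are assumptions.
#
# Usage: mksvc SERVICE_DIR SCAN_DIR LOG_USER LOG_DIR 'COMMAND ARGS'
#   e.g. mksvc /etc/svc/sshd /service sshlog /var/log/sshd '/usr/local/sbin/sshd -D -e'
mksvc() {
    svcdir=$1 scandir=$2 loguser=$3 logdir=$4 cmd=$5
    name=$(basename "$svcdir")

    mkdir -p "$svcdir/log" "$logdir" || return 1

    # run: the daemon must NOT background itself; stderr is merged into
    # stdout so that multilog receives both
    printf '#!/bin/sh\nexec 2>&1\nexec %s\n' "$cmd" > "$svcdir/run"

    # log/run: multilog under an unprivileged user, TAI64N timestamps (t),
    # rotate current at 1 MB (s) and keep at most 10 old files (n).
    # multilog options apply to the directory that follows them.
    printf '#!/bin/sh\nexec setuidgid %s multilog t s1000000 n10 %s\n' \
        "$loguser" "$logdir" > "$svcdir/log/run"

    # supervise only accepts an executable run file
    chmod 755 "$svcdir/run" "$svcdir/log/run" || return 1

    # multilog runs as $loguser, so that user must own the log directory
    if [ "$(id -u)" -eq 0 ] && id "$loguser" >/dev/null 2>&1; then
        chown "$loguser" "$logdir" || return 1
    else
        echo "mksvc: run 'chown $loguser $logdir' as root before 'svc -u'" >&2
    fi

    # an empty 'down' file stops supervise from starting the daemon until
    # you have checked the files and run 'svc -u'
    : > "$svcdir/down"

    # link last: svscan rescans SCAN_DIR every five seconds and would start
    # a half-written directory immediately
    ln -s "$svcdir" "$scandir/$name"
}
```

Because of the down file, the service does not start the moment the link appears: check it with `svstat /service/sshd /service/sshd/log`, then bring it up with `svc -u /service/sshd`. The s1000000 n10 values are only this example's choice; the page's `s500000 n50` works exactly the same way.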

You may have noticed that I skipped explaining some of the programs used, such as setuidgid or svc. Let us also pay some attention to the additional programs that come with daemontools.

svc controls services looked after by supervise (the per-service process that svscan starts for each directory under /service). With this program you effectively send signals to a given service.

-u (up) Starts the service if it is not running. If the process exits for any reason, it is restarted.
-d (down) Stops the service. If it is running, sends it a TERM signal (followed by CONT). Once stopped, it is not restarted.
-o (once) Starts the service once. If it stops, it is not restarted.
-p (pause) Sends a STOP signal. (svc -c sends CONT to resume it.)
-t (terminate) Sends a TERM signal. In practice this restarts a service: the process receives TERM, which should stop it, and about a second later supervise brings it up again.
-k (kill) Sends a KILL signal.

There are more options; for details see the man page or http://cr.yp.to/daemontools/svc.html . Examples:

   svc -t /service/* - restarts all services.
   svc -d /service/qmail-send/ - stops the given service.
   svc -u /service/qmail-send/ - starts the given service.

svok checks whether supervise is running for a given service directory. It returns 0 if it is and 100 if it is not, so it can be used in scripts. Note that it reports on supervise itself, not on whether the supervised daemon is up; use svstat for that.

svstat shows the current status of one or more services. It takes any number of arguments, each a path to a service directory, and shell wildcards work. Example:

   # svstat /service/qmail-send/ /service/qmail-smtpd/
   /service/qmail-send/: up (pid 3540) 1891374 seconds
   /service/qmail-smtpd/: up (pid 3539) 1891374 seconds

   or

   # svstat /service/*/log
   /service/qmail-send/log: up (pid 7695) 6134915 seconds
   /service/qmail-smtpd/log: up (pid 15281) 3457319 seconds
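The svstat output is the natural thing to feed a monitoring check, and the two situations worth alerting on are a service that is down although it should be up, and a daemon that crashes on start: supervise restarts it after one second, so each check sees it "up" with a tiny uptime. The function below, an added example for this article and not part of daemontools, reads svstat lines on stdin and prints one line per problem; the sample lines are constructed for the example and the 60-second threshold is an assumption.

```shell
#!/bin/sh
# svstat_check - flag unhealthy services from svstat(8) output.
# Example code written for this article, not part of daemontools.
# Usage: svstat /service/* | svstat_check [MIN_UPTIME_SECONDS]
svstat_check() {
    awk -v min_up="${1:-60}" '
        { svc = $1; sub(/:$/, "", svc) }

        # "DIR: up (pid N) T seconds[, normally down|, want down|, paused]"
        # a daemon that dies right after starting shows a small uptime on
        # every check, because supervise restarts it after one second
        $2 == "up" {
            if ($5 + 0 < min_up + 0)
                printf "RESTARTING %s uptime %ss\n", svc, $5
            next
        }

        # "DIR: down T seconds[, normally up|, want up]"
        # a bare "down T seconds" means a down file exists and nobody asked
        # for up, i.e. intentionally stopped; the suffixes mean it should run
        $2 == "down" {
            if ($0 ~ /normally up|want up/)
                printf "DOWN %s for %ss\n", svc, $3
            next
        }

        # anything else is an svstat error message; report it verbatim
        { printf "ERROR %s\n", $0 }
    '
}

# constructed sample of svstat output, so the script runs stand-alone
sample_svstat() {
    printf '%s\n' \
        '/service/qmail-send/: up (pid 3540) 1891374 seconds' \
        '/service/qmail-smtpd/: up (pid 9921) 3 seconds' \
        '/service/sshd/: down 7 seconds, normally up' \
        '/service/cron/: down 86400 seconds'
}

sample_svstat | svstat_check 60
```

On the sample this prints a RESTARTING line for qmail-smtpd and a DOWN line for sshd, and nothing for the two services that are in their intended state. A service you stopped yourself with `svc -d` also shows "normally up" and will be flagged, which is what you want from a check that runs from cron.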

setuidgid runs a process with the privileges of another user. If a service does not need root privileges, we can run it as a different, restricted user. The example from above:

   #!/bin/sh
   exec setuidgid root multilog t /var/log/sshd

runs multilog with root privileges. As you can see, there is no need for multilog to run as root, and to avoid it we can do the following: create a new user (say sshlog), make it the owner of the /var/log/sshd directory (chown sshlog /var/log/sshd), and then change the line that starts multilog so that it becomes:

   #!/bin/sh
   exec setuidgid sshlog multilog t /var/log/sshd

This way the logging process runs with the restricted privileges of the sshlog user.

envuidgid sets the environment variables $UID and $GID to the numeric uid and gid of the given account and runs a program. Unlike setuidgid it does not change privileges itself; it is meant for programs that must start as root (to bind a privileged port, say) and then drop to the uid/gid found in those variables on their own.

softlimit runs a process with limited resources, such as the maximum memory it may use, the size of the files it may create, and so on (an analog of ulimit). Example:

   # softlimit -m 2000000 /bin/sh
   # mc
   mc: error while loading shared libraries: libslang.so.2: failed to map segment from shared object: Cannot allocate memory

starts /bin/sh with memory usage limited to 2 000 000 bytes. When you try to start something that needs more memory than that (like Midnight Commander), you can see the result.

I use this option with qmail to limit the size of received messages.

tai64nlocal reads from stdin, looks for lines that begin with @ followed by a TAI64N timestamp, and converts the timestamp into the format YYYY-MM-DD HH:MM:SS.SSSSSSSSS in local time. Example:

   original timestamp from a multilog log file
   @400000004eef68ef060b533c status: local 0/10 remote 2/20

   # echo "@400000004eef68ef060b533c status: local 0/10 remote 2/20"|tai64nlocal
   2011-12-19 18:40:05.101405500 status: local 0/10 remote 2/20

TAI (Temps Atomique International) is an international time standard that mainstream operating systems do not currently use (http://cr.yp.to/proto/utctai.html).

TAI64 is a label format designed by Dan Bernstein and used in his programs (http://cr.yp.to/proto/tai64.txt).
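The conversion that tai64nlocal performs can be reproduced in plain shell arithmetic, which is handy when you need to read multilog file names or a copied log line on a machine without daemontools. The function below is an added example written for this article, not part of daemontools. It mirrors what tai64nlocal actually does: a TAI64 label is 2^62 plus TAI seconds, and daemontools' libtai stamps the system clock as 2^62 + 10 + Unix time (TAI was 10 seconds ahead of UTC in 1970), so the reverse conversion subtracts 2^62 + 10 and applies no later leap seconds; that is why the example above decodes to ...:05 rather than ...:41. tai64nlocal prints local time; this function prints UTC unless you pass an offset in seconds, and an offset of 7200 (UTC+2) reproduces the 18:40:05 shown above. It assumes a shell with 64-bit arithmetic (bash, dash and ksh all qualify) and dates after 1970.

```shell
#!/bin/sh
# tai64n_decode - turn a TAI64N label ("@" + 16 hex digits of seconds +
# 8 hex digits of nanoseconds) into YYYY-MM-DD HH:MM:SS.NNNNNNNNN.
# Example code written for this article, not part of daemontools.
# Needs a shell with 64-bit arithmetic (bash, dash, ksh all qualify).
# Usage: tai64n_decode LABEL [UTC_OFFSET_SECONDS]   (offset defaults to 0 = UTC)
tai64n_decode() {
    label=${1#@}
    offset=${2:-0}
    sec_hex=$(printf '%.16s' "$label")
    rest=${label#"$sec_hex"}
    nsec_hex=$(printf '%.8s' "$rest")     # also drops a trailing ".s"/".u" from a file name

    # A TAI64 label is 2^62 + TAI seconds. libtai in daemontools stamps
    # 2^62 + 10 + Unix time (TAI was 10 s ahead of UTC in 1970), and
    # tai64nlocal simply subtracts 4611686018427387914 = 2^62 + 10 again,
    # applying no leap-second table; this function does the same.
    secs=$(( 0x$sec_hex - 4611686018427387914 + offset ))
    nsecs=$(( 0x$nsec_hex ))

    days=$(( secs / 86400 ))          # days since 1970-01-01 (assumed >= 0)
    rem=$(( secs % 86400 ))

    # civil date from day number (proleptic Gregorian, 400-year eras)
    z=$(( days + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    y=$(( yoe + era * 400 ))
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi

    printf '%04d-%02d-%02d %02d:%02d:%02d.%09d\n' \
        "$y" "$m" "$d" $(( rem / 3600 )) $(( rem % 3600 / 60 )) $(( rem % 60 )) "$nsecs"
}

tai64n_decode '@400000004eef68ef060b533c'        # 2011-12-19 16:40:05.101405500 (UTC)
tai64n_decode '@400000004eef68ef060b533c' 7200   # 2011-12-19 18:40:05.101405500 (UTC+2, the output above)
tai64n_decode '@400000004f601b0c36890194.s'      # 2012-03-14 04:13:54.914948500 (rotation time of a file from the listing)
```

The third call decodes the name of a rotated file from the listing above; at UTC+2 that is 06:13 on Mar 14, matching the mtime ls shows for it.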

fghack is an anti-backgrounding tool. If you have a program that always puts itself in the background (daemonizes), fghack can "trick" it into effectively staying in the foreground. (I haven't tried it, and DJB says it does not work in all cases.)

pgrphack: some programs, on exit, send a TERM signal not to a single process ID (pid) but to their whole process group, so the signal also reaches svscan, with rather unpleasant consequences. pgrphack runs the program in a separate process group; pppd is given as an example of a program that must be started with it. (I have not tested this myself.)

Resources used: http://cr.yp.to/daemontools.html
Alternative (better formatted) location of this article: http://geroyblog.blogspot.com/2012/04/d...

