From eac28dffdf7f060f41f2b2e95bb0f4c6c033425d Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Tue, 19 Mar 2019 14:40:12 +0100
Subject: [PATCH] qnetd: Check existence of NSS DB dir before fork

Previously, when a user tried to start corosync-qnetd without an
initialized NSS database, a generic (not very helpful
and misleading) NSS error was logged:
"NSS error (-8015): The certificate/key database is in an old,
unsupported format.".

Solution is to check if it's possible to open NSS DB directory and
display (usually much more informative) result of strerror function.

Such check is called before fork, so init system can return error code
during start.

To make error reporting work with systemd it's also needed to change
unit type from simple to forking.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
---
 init/corosync-qnetd.service.in |  4 ++--
 qdevices/corosync-qnetd.c      | 12 +++++++++++-
 qdevices/nss-sock.c            | 23 ++++++++++++++++++++++-
 qdevices/nss-sock.h            |  4 +++-
 4 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/init/corosync-qnetd.service.in b/init/corosync-qnetd.service.in
index 54b9849..8cff766 100644
--- a/init/corosync-qnetd.service.in
+++ b/init/corosync-qnetd.service.in
@@ -7,8 +7,8 @@ After=network-online.target
 
 [Service]
 EnvironmentFile=-@INITCONFIGDIR@/corosync-qnetd
-ExecStart=@BINDIR@/corosync-qnetd -f $COROSYNC_QNETD_OPTIONS
-Type=simple
+ExecStart=@BINDIR@/corosync-qnetd $COROSYNC_QNETD_OPTIONS
+Type=forking
 Restart=on-abnormal
 # Uncomment and set user who should be used for executing qnetd
 #User=coroqnetd
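Review bot: `Type=forking` is set here without a `PIDFile=`, so systemd has to guess the daemon's main PID once the parent exits; the systemd.service documentation recommends using the two together. If corosync-qnetd writes a pid or lock file, point the unit at it with `PIDFile=<path to qnetd pid file>` (placeholder, the path is not visible in this patch). Separately, a deployed `@INITCONFIGDIR@/corosync-qnetd` that still carries `-f` in `COROSYNC_QNETD_OPTIONS` would presumably keep the process in the foreground and leave the start job waiting until it times out. A comment in the unit would help, such as `# Do not pass -f in COROSYNC_QNETD_OPTIONS; Type=forking expects the daemon to fork`.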
diff --git a/qdevices/corosync-qnetd.c b/qdevices/corosync-qnetd.c
index 9af94b7..938e4ce 100644
--- a/qdevices/corosync-qnetd.c
+++ b/qdevices/corosync-qnetd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2016 Red Hat, Inc.
+ * Copyright (c) 2015-2019 Red Hat, Inc.
  *
  * All rights reserved.
  *
@@ -543,6 +543,16 @@ main(int argc, char * const argv[])
 	qnetd_log_set_priority_bump(bump_log_priority);
 
 	/*
+	 * Check that it's possible to open NSS dir if needed
+	 */
+	if (nss_sock_check_db_dir((tls_supported != TLV_TLS_UNSUPPORTED ?
+	    advanced_settings.nss_db_dir : NULL)) != 0) {
+		qnetd_log_err(LOG_ERR, "Can't open NSS DB directory");
+
+		exit (1);
+	}
+
+	/*
 	 * Daemonize
 	 */
 	if (!foreground) {
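Review bot: The message in `qnetd_log_err(LOG_ERR, "Can't open NSS DB directory")` does not name the directory that failed, so an operator running with a non-default NSS DB location learns which step failed but not which path to inspect. If `qnetd_log_err` accepts a printf-style format (its prototype is not visible in this hunk), use `qnetd_log_err(LOG_ERR, "Can't open NSS DB directory %s", advanced_settings.nss_db_dir);`. Whether the strerror text promised in the commit message is actually appended also depends on `qnetd_log_err`, so that is worth confirming. The body of `main` starts and ends outside this hunk.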
diff --git a/qdevices/nss-sock.c b/qdevices/nss-sock.c
index 3c63927..483d417 100644
--- a/qdevices/nss-sock.c
+++ b/qdevices/nss-sock.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2016 Red Hat, Inc.
+ * Copyright (c) 2015-2019 Red Hat, Inc.
  *
  * All rights reserved.
  *
@@ -32,6 +32,9 @@
  * THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+#include <sys/types.h>
+
+#include <dirent.h>
 #include <limits.h>
 
 #include "nss-sock.h"
@@ -56,6 +59,24 @@ nss_sock_init_nss(char *config_dir)
 	return (0);
 }
 
+int
+nss_sock_check_db_dir(const char *config_dir)
+{
+	DIR *dirp;
+
+	if (config_dir == NULL) {
+		return (0);
+	}
+
+	if ((dirp = opendir(config_dir)) == NULL) {
+		return (-1);
+	}
+
+	(void)closedir(dirp);
+
+	return (0);
+}
+
 /*
  * Set NSS socket non-blocking
  */
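Review bot: `nss_sock_check_db_dir` is added without a comment, and its contract is not obvious from the call site: a NULL `config_dir` is reported as success, and on failure the caller depends on the `errno` left by `opendir()`. I would add above the function `/* Check that the NSS DB directory can be opened. NULL config_dir means no check is needed. Returns 0 on success, -1 on failure with errno set by opendir(). */`. The comment should also say that this is only an early diagnostic: a directory that opens can still lack usable certificate/key databases, or change before `nss_sock_init_nss` runs. The existing NSS error handling after the fork must therefore stay in place.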
diff --git a/qdevices/nss-sock.h b/qdevices/nss-sock.h
index cc16d96..4f82e0a 100644
--- a/qdevices/nss-sock.h
+++ b/qdevices/nss-sock.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2016 Red Hat, Inc.
+ * Copyright (c) 2015-2019 Red Hat, Inc.
  *
  * All rights reserved.
  *
@@ -56,6 +56,8 @@ struct nss_sock_non_blocking_client {
 
 extern int		nss_sock_init_nss(char *config_dir);
 
+extern int		nss_sock_check_db_dir(const char *config_dir);
+
 extern PRFileDesc	*nss_sock_create_listen_socket(const char *hostname, uint16_t port,
     PRIntn af);
 
-- 
1.8.3.1