Add ability to enable core dumps from RESTCONF process

Contributed by Rubicon Communications LLC, dbs Netgate
2021-04-14 09:42:37 -10:00 · 2021-04-14 09:42:37 -10:00 · e4885d51e6
commit e4885d51e6
parent 1cd0eab7ff
3 changed files with 240 additions and 1 deletions
--- a/apps/restconf/restconf_main_native.c
+++ b/apps/restconf/restconf_main_native.c
@ -138,6 +138,7 @@
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <arpa/inet.h>
+#include <sys/resource.h>

 #include <openssl/ssl.h>
 #include <openssl/rand.h>
@ -1448,6 +1449,21 @@ restconf_openssl_init(clicon_handle h,
 	    yang_spec_dump(clicon_dbspec_yang(h), dbg);
 	}
    }
+    if ((x = xpath_first(xrestconf, nsc, "enable-core-dump")) != NULL) {
+	/* core dump is enabled on RESTCONF process */
+	struct rlimit rlp;
+	if (strcmp(xml_body(x), "true") == 0) {
+	    rlp.rlim_cur = RLIM_INFINITY;
+	    rlp.rlim_max = RLIM_INFINITY;
+	    clicon_log(LOG_NOTICE, "%s: core dump emanbled", __func__);
+	} else {
+	    rlp.rlim_cur = 0;
+	    rlp.rlim_max = 0;
+	    clicon_log(LOG_NOTICE, "%s: core dump disnbled", __func__);
+	}
+	int status = setrlimit(RLIMIT_CORE, &rlp);
+	clicon_log(LOG_NOTICE, "%s: setrlimit=%ld", __func__, status);
+    }

    if (init_openssl() < 0)
 	goto done;
--- a/yang/clixon/Makefile.in
+++ b/yang/clixon/Makefile.in
@ -45,7 +45,7 @@ YANGSPECS	 = clixon-config@2021-03-08.yang
 YANGSPECS	+= clixon-lib@2021-03-08.yang
 YANGSPECS	+= clixon-rfc5277@2008-07-01.yang
 YANGSPECS	+= clixon-xml-changelog@2019-03-21.yang
-YANGSPECS	+= clixon-restconf@2021-03-15.yang
+YANGSPECS	+= clixon-restconf@2021-04-12.yang

 APPNAME	        = clixon  # subdir ehere these files are installed

--- a/yang/clixon/clixon-restconf@2021-04-12.yang
+++ b/yang/clixon/clixon-restconf@2021-04-12.yang
@ -0,0 +1,223 @@
+module clixon-restconf {
+    yang-version 1.1;
+    namespace "http://clicon.org/restconf";
+    prefix "clrc";
+
+    import ietf-inet-types {
+	prefix inet;
+    }
+
+    organization
+	"Clixon";
+
+    contact
+	"Olof Hagsand <olof@hagsand.se>";
+
+    description
+	"This YANG module provides a data-model for the Clixon RESTCONF daemon.
+       ***** BEGIN LICENSE BLOCK *****
+       Copyright (C) 2020 Olof Hagsand and Rubicon Communications, LLC(Netgate)
+
+       This file is part of CLIXON
+
+       Licensed under the Apache License, Version 2.0 (the \"License\");
+       you may not use this file except in compliance with the License.
+       You may obtain a copy of the License at
+            http://www.apache.org/licenses/LICENSE-2.0
+       Unless required by applicable law or agreed to in writing, software
+       distributed under the License is distributed on an \"AS IS\" BASIS,
+       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+       See the License for the specific language governing permissions and
+       limitations under the License.
+
+       Alternatively, the contents of this file may be used under the terms of
+       the GNU General Public License Version 3 or later (the \"GPL\"),
+       in which case the provisions of the GPL are applicable instead
+       of those above. If you wish to allow use of your version of this file only
+       under the terms of the GPL, and not to allow others to
+       use your version of this file under the terms of Apache License version 2,
+       indicate your decision by deleting the provisions above and replace them with
+       the notice and other provisions required by the GPL. If you do not delete
+       the provisions above, a recipient may use your version of this file under
+       the terms of any one of the Apache License version 2 or the GPL.
+
+       ***** END LICENSE BLOCK *****";
+
+    revision 2021-04-12 {
+	description
+	    "Added flag to enable core dumps";
+    }
+    revision 2021-03-15 {
+	description
+	    "make authentication-type none a feature";
+    }
+    revision 2020-12-30 {
+	description
+	    "Added: debug field
+             Added 'none' as default value for auth-type
+             Changed http-auth-type enum from 'password' to 'user'";
+    }
+    revision 2020-10-30 {
+	description
+	    "Initial release";
+    }
+
+    feature fcgi {
+	description
+	    "This feature indicates that the restconf server supports the fast-cgi reverse
+             proxy solution.
+             That is, a reverse proxy is the HTTP front-end and the restconf daemon listens
+             to a fcgi socket.
+             The alternative is the internal HTTP solution using evhtp.";
+    }
+
+    feature allow-auth-none {
+        description
+	  "This feature allows the use of authentication-type none.";
+    }
+
+    typedef http-auth-type {
+	type enumeration {
+	    enum none {
+		if-feature "allow-auth-none";
+		description
+		    "Incoming message are set to authenticated by default. No ca-auth callback is called,
+                     Authenticated user is set to special user 'none'.
+                     Typically assumes NACM is not enabled.";
+	    }
+	    enum client-certificate {
+		description
+		    "TLS client certificate validation is made on each incoming message. If it passes
+                    the authenticated user is extracted from the SSL_CN parameter
+                     The ca-auth callback can be used to revise this behavior.";
+	    }
+	    enum user {
+		description
+		    "User-defined authentication as defined by the ca-auth callback.
+                     One example is some form of password authentication, such as basic auth.";
+	    }
+	}
+	description
+	    "Enumeration of HTTP authorization types.";
+    }
+    grouping clixon-restconf{
+	description
+	    "HTTP RESTCONF configuration.";
+	leaf enable {
+	    type boolean;
+	    default "false";
+	    description
+		"Enables RESTCONF functionality.
+                 Note that starting/stopping of a restconf daemon is different from it being
+                 enabled or not.
+                 For example, if the restconf daemon is under systemd management, the restconf
+                 daemon will only start if enable=true.";
+	}
+	leaf auth-type {
+	    type http-auth-type;
+	    description
+		"The authentication type.
+                 Note client-certificate applies only if ssl-enable is true and socket has ssl";
+	    default user;
+	}
+	leaf debug {
+	    description
+		"Set debug level of restconf daemon.
+                 0 is no debug, 1 is debugging, more is detailed debug.
+                 Debug logs will be directed to syslog with
+                    ident: clixon_restconf and PID
+                    facility: LOG_USER
+                    level: LOG_DEBUG";
+	    type uint32;
+	    default 0;
+	}
+	leaf enable-core-dump {
+	    description
+	        "enable core dumps.
+                 this is a no-op on systems that don't support it.";
+	    type boolean;
+	    default false;
+	}
+	leaf pretty {
+	    type boolean;
+	    default true;
+	    description
+		"Restconf return value pretty print.
+                 Restconf clients may add HTTP header:
+                      Accept: application/yang-data+json, or
+                      Accept: application/yang-data+xml
+                 to get return value in XML or JSON.
+                 RFC 8040 examples print XML and JSON in pretty-printed form.
+                 Setting this value to false makes restconf return not pretty-printed
+                 which may be desirable for performance or tests
+                 This replaces the CLICON_RESTCONF_PRETTY option in clixon-config.yang";
+	}
+	/* From this point only specific options
+	 * First fcgi-specific options
+	 */
+	leaf fcgi-socket {
+	    if-feature fcgi; /* Set by default by fcgi clixon_restconf daemon */
+	    type string;
+	    default "/www-data/fastcgi_restconf.sock";
+	    description
+		"Path to FastCGI unix socket. Should be specified in webserver
+         	 Eg in nginx: fastcgi_pass unix:/www-data/clicon_restconf.sock
+                 Only if with-restconf=fcgi, NOT evhtp
+                 This replaces CLICON_RESTCONF_PATH option in clixon-config.yang";
+	}
+	/* Second, evhtp-specific options */
+	leaf server-cert-path {
+	    type string;
+	    description
+		"Path to server certificate file.
+                 Note only applies if socket has ssl enabled";
+	}
+	leaf server-key-path {
+	    type string;
+	    description
+		"Path to server key file
+                 Note only applies if socket has ssl enabled";
+	}
+	leaf server-ca-cert-path {
+	    type string;
+	    description
+		"Path to server CA cert file
+	         Note only applies if socket has ssl enabled";
+	}
+	list socket {
+	    description
+		"List of server sockets that the restconf daemon listens to";
+	    key "namespace address port";
+	    leaf namespace {
+		type string;
+		description
+		    "Network namespace.
+                     On platforms where namespaces are not suppported, always 'default'";
+	    }
+	    leaf address {
+		type inet:ip-address;
+		description "IP address to bind to";
+	    }
+	    leaf port {
+		type inet:port-number;
+		description "TCP port to bind to";
+	    }
+	    leaf ssl {
+		type boolean;
+		default true;
+		description "Enable for HTTPS otherwise HTTP protocol";
+	    }
+	}
+    }
+    container restconf {
+	description
+	    "This presence is strictly not necessary since the enable flag
+             in clixon-restconf is the flag bearing the actual semantics.
+             However, removing the presence leads to default config in all
+             clixon installations, even those which do not use backend-started restconf.
+             One could see this as mostly cosmetically annoying.
+             Alternative would be to make the inclusion of this yang conditional.";
+	presence "Enables RESTCONF";
+	uses clixon-restconf;
+    }
+}