xref: /unit/src/nxt_process.c (revision 1297:f04b5f7d6137)
1 
2 /*
3  * Copyright (C) Igor Sysoev
4  * Copyright (C) NGINX, Inc.
5  */
6 
7 #include <nxt_main.h>
8 #include <nxt_main_process.h>
9 
10 #if (NXT_HAVE_CLONE)
11 #include <nxt_clone.h>
12 #endif
13 
14 #include <signal.h>
15 
16 static void nxt_process_start(nxt_task_t *task, nxt_process_t *process);
17 static nxt_int_t nxt_user_groups_get(nxt_task_t *task, nxt_user_cred_t *uc);
18 static nxt_int_t nxt_process_worker_setup(nxt_task_t *task,
19     nxt_process_t *process, int parentfd);
20 
21 /* A cached process pid. */
22 nxt_pid_t  nxt_pid;
23 
24 /* An original parent process pid. */
25 nxt_pid_t  nxt_ppid;
26 
27 nxt_bool_t  nxt_proc_conn_matrix[NXT_PROCESS_MAX][NXT_PROCESS_MAX] = {
28     { 1, 1, 1, 1, 1 },
29     { 1, 0, 0, 0, 0 },
30     { 1, 0, 0, 1, 0 },
31     { 1, 0, 1, 0, 1 },
32     { 1, 0, 0, 0, 0 },
33 };
34 
35 nxt_bool_t  nxt_proc_remove_notify_matrix[NXT_PROCESS_MAX][NXT_PROCESS_MAX] = {
36     { 0, 0, 0, 0, 0 },
37     { 0, 0, 0, 0, 0 },
38     { 0, 0, 0, 1, 0 },
39     { 0, 0, 1, 0, 1 },
40     { 0, 0, 0, 1, 0 },
41 };
42 
43 
44 static nxt_int_t
45 nxt_process_worker_setup(nxt_task_t *task, nxt_process_t *process, int parentfd)
46 {
47     pid_t               rpid, pid;
48     ssize_t             n;
49     nxt_int_t           parent_status;
50     nxt_process_t       *p;
51     nxt_runtime_t       *rt;
52     nxt_process_init_t  *init;
53     nxt_process_type_t  ptype;
54 
55     pid  = getpid();
56     rpid = 0;
57     rt   = task->thread->runtime;
58     init = process->init;
59 
60     /* Setup the worker process. */
61 
62     n = read(parentfd, &rpid, sizeof(rpid));
63     if (nxt_slow_path(n == -1 || n != sizeof(rpid))) {
64         nxt_alert(task, "failed to read real pid");
65         return NXT_ERROR;
66     }
67 
68     if (nxt_slow_path(rpid == 0)) {
69         nxt_alert(task, "failed to get real pid from parent");
70         return NXT_ERROR;
71     }
72 
73     nxt_pid = rpid;
74 
75     /* Clean inherited cached thread tid. */
76     task->thread->tid = 0;
77 
78     process->pid = nxt_pid;
79 
80     if (nxt_pid != pid) {
81         nxt_debug(task, "app \"%s\" real pid %d", init->name, nxt_pid);
82         nxt_debug(task, "app \"%s\" isolated pid: %d", init->name, pid);
83     }
84 
85     n = read(parentfd, &parent_status, sizeof(parent_status));
86     if (nxt_slow_path(n == -1 || n != sizeof(parent_status))) {
87         nxt_alert(task, "failed to read parent status");
88         return NXT_ERROR;
89     }
90 
91     if (nxt_slow_path(parent_status != NXT_OK)) {
92         return parent_status;
93     }
94 
95     ptype = init->type;
96 
97     nxt_port_reset_next_id();
98 
99     nxt_event_engine_thread_adopt(task->thread->engine);
100 
101     /* Remove not ready processes. */
102     nxt_runtime_process_each(rt, p) {
103 
104         if (nxt_proc_conn_matrix[ptype][nxt_process_type(p)] == 0) {
105             nxt_debug(task, "remove not required process %PI", p->pid);
106 
107             nxt_process_close_ports(task, p);
108 
109             continue;
110         }
111 
112         if (!p->ready) {
113             nxt_debug(task, "remove not ready process %PI", p->pid);
114 
115             nxt_process_close_ports(task, p);
116 
117             continue;
118         }
119 
120         nxt_port_mmaps_destroy(&p->incoming, 0);
121         nxt_port_mmaps_destroy(&p->outgoing, 0);
122 
123     } nxt_runtime_process_loop;
124 
125     nxt_runtime_process_add(task, process);
126 
127     nxt_process_start(task, process);
128 
129     process->ready = 1;
130 
131     return NXT_OK;
132 }
133 
134 
135 nxt_pid_t
136 nxt_process_create(nxt_task_t *task, nxt_process_t *process)
137 {
138     int                 pipefd[2];
139     nxt_int_t           ret;
140     nxt_pid_t           pid;
141     nxt_process_init_t  *init;
142 
143     if (nxt_slow_path(pipe(pipefd) == -1)) {
144         nxt_alert(task, "failed to create process pipe for passing rpid");
145         return -1;
146     }
147 
148     init = process->init;
149 
150 #if (NXT_HAVE_CLONE)
151     pid = nxt_clone(SIGCHLD | init->isolation.clone.flags);
152     if (nxt_slow_path(pid < 0)) {
153         nxt_alert(task, "clone() failed while creating \"%s\" %E",
154                   init->name, nxt_errno);
155         goto cleanup;
156     }
157 #else
158     pid = fork();
159     if (nxt_slow_path(pid < 0)) {
160         nxt_alert(task, "fork() failed while creating \"%s\" %E",
161                   init->name, nxt_errno);
162         goto cleanup;
163     }
164 #endif
165 
166     if (pid == 0) {
167         /* Child. */
168 
169         if (nxt_slow_path(close(pipefd[1]) == -1)) {
170             nxt_alert(task, "failed to close writer pipe fd");
171         }
172 
173         ret = nxt_process_worker_setup(task, process, pipefd[0]);
174         if (nxt_slow_path(ret != NXT_OK)) {
175             exit(1);
176         }
177 
178         if (nxt_slow_path(close(pipefd[0]) == -1)) {
179             nxt_alert(task, "failed to close writer pipe fd");
180         }
181 
182         /*
183          * Explicitly return 0 to notice the caller function this is the child.
184          * The caller must return to the event engine work queue loop.
185          */
186         return 0;
187     }
188 
189     /* Parent. */
190 
191     /*
192      * At this point, the child process is blocked reading the
193      * pipe fd to get its real pid (rpid).
194      *
195      * If anything goes wrong now, we need to terminate the child
196      * process by sending a NXT_ERROR in the pipe.
197      */
198 
199 #if (NXT_HAVE_CLONE)
200     nxt_debug(task, "clone(\"%s\"): %PI", init->name, pid);
201 #else
202     nxt_debug(task, "fork(\"%s\"): %PI", init->name, pid);
203 #endif
204 
205     if (nxt_slow_path(write(pipefd[1], &pid, sizeof(pid)) == -1)) {
206         nxt_alert(task, "failed to write real pid");
207         goto fail;
208     }
209 
210 #if (NXT_HAVE_CLONE && NXT_HAVE_CLONE_NEWUSER)
211     if ((init->isolation.clone.flags & CLONE_NEWUSER) == CLONE_NEWUSER) {
212         ret = nxt_clone_proc_map(task, pid, &init->isolation.clone);
213         if (nxt_slow_path(ret != NXT_OK)) {
214             goto fail;
215         }
216     }
217 #endif
218 
219     ret = NXT_OK;
220 
221     if (nxt_slow_path(write(pipefd[1], &ret, sizeof(ret)) == -1)) {
222         nxt_alert(task, "failed to write status");
223         goto fail;
224     }
225 
226     process->pid = pid;
227 
228     nxt_runtime_process_add(task, process);
229 
230     goto cleanup;
231 
232 fail:
233 
234     ret = NXT_ERROR;
235 
236     if (nxt_slow_path(write(pipefd[1], &ret, sizeof(ret)) == -1)) {
237         nxt_alert(task, "failed to write status");
238     }
239 
240     waitpid(pid, NULL, 0);
241 
242     pid = -1;
243 
244 cleanup:
245 
246     if (nxt_slow_path(close(pipefd[0]) != 0)) {
247         nxt_alert(task, "failed to close pipe: %E", nxt_errno);
248     }
249 
250     if (nxt_slow_path(close(pipefd[1]) != 0)) {
251         nxt_alert(task, "failed to close pipe: %E", nxt_errno);
252     }
253 
254     return pid;
255 }
256 
257 
258 static void
259 nxt_process_start(nxt_task_t *task, nxt_process_t *process)
260 {
261     nxt_int_t                    ret;
262     nxt_port_t                   *port, *main_port;
263     nxt_thread_t                 *thread;
264     nxt_runtime_t                *rt;
265     nxt_process_init_t           *init;
266     nxt_event_engine_t           *engine;
267     const nxt_event_interface_t  *interface;
268 
269     init = process->init;
270 
271     nxt_log(task, NXT_LOG_INFO, "%s started", init->name);
272 
273     nxt_process_title(task, "unit: %s", init->name);
274 
275     thread = task->thread;
276     rt     = thread->runtime;
277 
278     nxt_random_init(&thread->random);
279 
280     if (rt->capabilities.setid && init->user_cred != NULL) {
281         ret = nxt_user_cred_set(task, init->user_cred);
282         if (ret != NXT_OK) {
283             goto fail;
284         }
285     }
286 
287     rt->type = init->type;
288 
289     engine = thread->engine;
290 
291     /* Update inherited main process event engine and signals processing. */
292     engine->signals->sigev = init->signals;
293 
294     interface = nxt_service_get(rt->services, "engine", rt->engine);
295     if (nxt_slow_path(interface == NULL)) {
296         goto fail;
297     }
298 
299     if (nxt_event_engine_change(engine, interface, rt->batch) != NXT_OK) {
300         goto fail;
301     }
302 
303     ret = nxt_runtime_thread_pool_create(thread, rt, rt->auxiliary_threads,
304                                          60000 * 1000000LL);
305     if (nxt_slow_path(ret != NXT_OK)) {
306         goto fail;
307     }
308 
309     main_port = rt->port_by_type[NXT_PROCESS_MAIN];
310 
311     nxt_port_read_close(main_port);
312     nxt_port_write_enable(task, main_port);
313 
314     port = nxt_process_port_first(process);
315 
316     nxt_port_write_close(port);
317 
318     ret = init->start(task, init->data);
319 
320     if (nxt_slow_path(ret != NXT_OK)) {
321         goto fail;
322     }
323 
324     nxt_port_enable(task, port, init->port_handlers);
325 
326     ret = nxt_port_socket_write(task, main_port, NXT_PORT_MSG_PROCESS_READY,
327                                 -1, init->stream, 0, NULL);
328 
329     if (nxt_slow_path(ret != NXT_OK)) {
330         nxt_log(task, NXT_LOG_ERR, "failed to send READY message to main");
331 
332         goto fail;
333     }
334 
335     return;
336 
337 fail:
338 
339     exit(1);
340 }
341 
342 
343 #if (NXT_HAVE_POSIX_SPAWN)
344 
345 /*
346  * Linux glibc 2.2 posix_spawn() is implemented via fork()/execve().
347  * Linux glibc 2.4 posix_spawn() without file actions and spawn
348  * attributes uses vfork()/execve().
349  *
350  * On FreeBSD 8.0 posix_spawn() is implemented via vfork()/execve().
351  *
352  * Solaris 10:
353  *   In the Solaris 10 OS, posix_spawn() is currently implemented using
354  *   private-to-libc vfork(), execve(), and exit() functions.  They are
355  *   identical to regular vfork(), execve(), and exit() in functionality,
356  *   but they are not exported from libc and therefore don't cause the
357  *   deadlock-in-the-dynamic-linker problem that any multithreaded code
358  *   outside of libc that calls vfork() can cause.
359  *
360  * On MacOSX 10.5 (Leoprad) and NetBSD 6.0 posix_spawn() is implemented
361  * as syscall.
362  */
363 
364 nxt_pid_t
365 nxt_process_execute(nxt_task_t *task, char *name, char **argv, char **envp)
366 {
367     nxt_pid_t  pid;
368 
369     nxt_debug(task, "posix_spawn(\"%s\")", name);
370 
371     if (posix_spawn(&pid, name, NULL, NULL, argv, envp) != 0) {
372         nxt_alert(task, "posix_spawn(\"%s\") failed %E", name, nxt_errno);
373         return -1;
374     }
375 
376     return pid;
377 }
378 
379 #else
380 
381 nxt_pid_t
382 nxt_process_execute(nxt_task_t *task, char *name, char **argv, char **envp)
383 {
384     nxt_pid_t  pid;
385 
386     /*
387      * vfork() is better than fork() because:
388      *   it is faster several times;
389      *   its execution time does not depend on private memory mapping size;
390      *   it has lesser chances to fail due to the ENOMEM error.
391      */
392 
393     pid = vfork();
394 
395     switch (pid) {
396 
397     case -1:
398         nxt_alert(task, "vfork() failed while executing \"%s\" %E",
399                   name, nxt_errno);
400         break;
401 
402     case 0:
403         /* A child. */
404         nxt_debug(task, "execve(\"%s\")", name);
405 
406         (void) execve(name, argv, envp);
407 
408         nxt_alert(task, "execve(\"%s\") failed %E", name, nxt_errno);
409 
410         exit(1);
411         nxt_unreachable();
412         break;
413 
414     default:
415         /* A parent. */
416         nxt_debug(task, "vfork(): %PI", pid);
417         break;
418     }
419 
420     return pid;
421 }
422 
423 #endif
424 
425 
426 nxt_int_t
427 nxt_process_daemon(nxt_task_t *task)
428 {
429     nxt_fd_t      fd;
430     nxt_pid_t     pid;
431     const char    *msg;
432 
433     fd = -1;
434 
435     /*
436      * fork() followed by a parent process's exit() detaches a child process
437      * from an init script or terminal shell process which has started the
438      * parent process and allows the child process to run in background.
439      */
440 
441     pid = fork();
442 
443     switch (pid) {
444 
445     case -1:
446         msg = "fork() failed %E";
447         goto fail;
448 
449     case 0:
450         /* A child. */
451         break;
452 
453     default:
454         /* A parent. */
455         nxt_debug(task, "fork(): %PI", pid);
456         exit(0);
457         nxt_unreachable();
458     }
459 
460     nxt_pid = getpid();
461 
462     /* Clean inherited cached thread tid. */
463     task->thread->tid = 0;
464 
465     nxt_debug(task, "daemon");
466 
467     /* Detach from controlling terminal. */
468 
469     if (setsid() == -1) {
470         nxt_alert(task, "setsid() failed %E", nxt_errno);
471         return NXT_ERROR;
472     }
473 
474     /*
475      * Reset file mode creation mask: any access
476      * rights can be set on file creation.
477      */
478     umask(0);
479 
480     /* Redirect STDIN and STDOUT to the "/dev/null". */
481 
482     fd = open("/dev/null", O_RDWR);
483     if (fd == -1) {
484         msg = "open(\"/dev/null\") failed %E";
485         goto fail;
486     }
487 
488     if (dup2(fd, STDIN_FILENO) == -1) {
489         msg = "dup2(\"/dev/null\", STDIN) failed %E";
490         goto fail;
491     }
492 
493     if (dup2(fd, STDOUT_FILENO) == -1) {
494         msg = "dup2(\"/dev/null\", STDOUT) failed %E";
495         goto fail;
496     }
497 
498     if (fd > STDERR_FILENO) {
499         nxt_fd_close(fd);
500     }
501 
502     return NXT_OK;
503 
504 fail:
505 
506     nxt_alert(task, msg, nxt_errno);
507 
508     if (fd != -1) {
509         nxt_fd_close(fd);
510     }
511 
512     return NXT_ERROR;
513 }
514 
515 
516 void
517 nxt_nanosleep(nxt_nsec_t ns)
518 {
519     struct timespec  ts;
520 
521     ts.tv_sec = ns / 1000000000;
522     ts.tv_nsec = ns % 1000000000;
523 
524     (void) nanosleep(&ts, NULL);
525 }
526 
527 
528 nxt_int_t
529 nxt_user_cred_get(nxt_task_t *task, nxt_user_cred_t *uc, const char *group)
530 {
531     struct group   *grp;
532     struct passwd  *pwd;
533 
534     nxt_errno = 0;
535 
536     pwd = getpwnam(uc->user);
537 
538     if (nxt_slow_path(pwd == NULL)) {
539 
540         if (nxt_errno == 0) {
541             nxt_alert(task, "getpwnam(\"%s\") failed, user \"%s\" not found",
542                       uc->user, uc->user);
543         } else {
544             nxt_alert(task, "getpwnam(\"%s\") failed %E", uc->user, nxt_errno);
545         }
546 
547         return NXT_ERROR;
548     }
549 
550     uc->uid = pwd->pw_uid;
551     uc->base_gid = pwd->pw_gid;
552 
553     if (group != NULL && group[0] != '\0') {
554         nxt_errno = 0;
555 
556         grp = getgrnam(group);
557 
558         if (nxt_slow_path(grp == NULL)) {
559 
560             if (nxt_errno == 0) {
561                 nxt_alert(task,
562                           "getgrnam(\"%s\") failed, group \"%s\" not found",
563                           group, group);
564             } else {
565                 nxt_alert(task, "getgrnam(\"%s\") failed %E", group, nxt_errno);
566             }
567 
568             return NXT_ERROR;
569         }
570 
571         uc->base_gid = grp->gr_gid;
572     }
573 
574     nxt_debug(task, "about to get \"%s\" groups (uid:%d, base gid:%d)",
575               uc->user, uc->uid, uc->base_gid);
576 
577     if (nxt_user_groups_get(task, uc) != NXT_OK) {
578         return NXT_ERROR;
579     }
580 
581 #if (NXT_DEBUG)
582     {
583         u_char      *p, *end;
584         nxt_uint_t  i;
585         u_char      msg[NXT_MAX_ERROR_STR];
586 
587         p = msg;
588         end = msg + NXT_MAX_ERROR_STR;
589 
590         for (i = 0; i < uc->ngroups; i++) {
591             p = nxt_sprintf(p, end, "%d%c", uc->gids[i],
592                             i+1 < uc->ngroups ? ',' : '\0');
593         }
594 
595         nxt_debug(task, "user \"%s\" has gids:%*s", uc->user, p - msg, msg);
596     }
597 #endif
598 
599     return NXT_OK;
600 }
601 
602 
603 #if (NXT_HAVE_GETGROUPLIST && !NXT_MACOSX)
604 
605 #define NXT_NGROUPS nxt_min(256, NGROUPS_MAX)
606 
607 
608 static nxt_int_t
609 nxt_user_groups_get(nxt_task_t *task, nxt_user_cred_t *uc)
610 {
611     int    ngroups;
612     gid_t  groups[NXT_NGROUPS];
613 
614     ngroups = NXT_NGROUPS;
615 
616     if (getgrouplist(uc->user, uc->base_gid, groups, &ngroups) < 0) {
617         if (nxt_slow_path(ngroups <= NXT_NGROUPS)) {
618             nxt_alert(task, "getgrouplist(\"%s\", %d, ...) failed %E", uc->user,
619                       uc->base_gid, nxt_errno);
620 
621             return NXT_ERROR;
622         }
623     }
624 
625     if (ngroups > NXT_NGROUPS) {
626         if (ngroups > NGROUPS_MAX) {
627             ngroups = NGROUPS_MAX;
628         }
629 
630         uc->ngroups = ngroups;
631 
632         uc->gids = nxt_malloc(ngroups * sizeof(gid_t));
633         if (nxt_slow_path(uc->gids == NULL)) {
634             return NXT_ERROR;
635         }
636 
637         if (nxt_slow_path(getgrouplist(uc->user, uc->base_gid, uc->gids,
638                                        &ngroups) < 0)) {
639 
640             nxt_alert(task, "getgrouplist(\"%s\", %d) failed %E", uc->user,
641                       uc->base_gid, nxt_errno);
642 
643             nxt_free(uc->gids);
644 
645             return NXT_ERROR;
646         }
647 
648         return NXT_OK;
649     }
650 
651     uc->ngroups = ngroups;
652 
653     uc->gids = nxt_malloc(ngroups * sizeof(gid_t));
654     if (nxt_slow_path(uc->gids == NULL)) {
655         return NXT_ERROR;
656     }
657 
658     nxt_memcpy(uc->gids, groups, ngroups * sizeof(gid_t));
659 
660     return NXT_OK;
661 }
662 
663 
664 #else
665 
666 /*
667  * For operating systems that lack getgrouplist(3) or it's buggy (MacOS),
668  * nxt_user_groups_get() stores an array of groups IDs which should be
669  * set by the setgroups() function for a given user.  The initgroups()
670  * may block a just forked worker process for some time if LDAP or NDIS+
671  * is used, so nxt_user_groups_get() allows to get worker user groups in
672  * main process.  In a nutshell the initgroups() calls getgrouplist()
673  * followed by setgroups().  However older Solaris lacks the getgrouplist().
674  * Besides getgrouplist() does not allow to query the exact number of
675  * groups in some platforms, while NGROUPS_MAX can be quite large (e.g.
676  * 65536 on Linux).
677  * So nxt_user_groups_get() emulates getgrouplist(): at first the function
678  * saves the super-user groups IDs, then calls initgroups() and saves the
679  * specified user groups IDs, and then restores the super-user groups IDs.
680  * This works at least on Linux, FreeBSD, and Solaris, but does not work
681  * on MacOSX, getgroups(2):
682  *
683  *   To provide compatibility with applications that use getgroups() in
684  *   environments where users may be in more than {NGROUPS_MAX} groups,
685  *   a variant of getgroups(), obtained when compiling with either the
686  *   macros _DARWIN_UNLIMITED_GETGROUPS or _DARWIN_C_SOURCE defined, can
687  *   be used that is not limited to {NGROUPS_MAX} groups.  However, this
688  *   variant only returns the user's default group access list and not
689  *   the group list modified by a call to setgroups(2).
690  *
691  * For such cases initgroups() is used in worker process as fallback.
692  */
693 
694 static nxt_int_t
695 nxt_user_groups_get(nxt_task_t *task, nxt_user_cred_t *uc)
696 {
697     int        nsaved, ngroups;
698     nxt_int_t  ret;
699     nxt_gid_t  *saved;
700 
701     nsaved = getgroups(0, NULL);
702 
703     if (nxt_slow_path(nsaved == -1)) {
704         nxt_alert(task, "getgroups(0, NULL) failed %E", nxt_errno);
705         return NXT_ERROR;
706     }
707 
708     nxt_debug(task, "getgroups(0, NULL): %d", nsaved);
709 
710     if (nsaved > NGROUPS_MAX) {
711         /* MacOSX case. */
712 
713         uc->gids = NULL;
714         uc->ngroups = 0;
715 
716         return NXT_OK;
717     }
718 
719     saved = nxt_malloc(nsaved * sizeof(nxt_gid_t));
720 
721     if (nxt_slow_path(saved == NULL)) {
722         return NXT_ERROR;
723     }
724 
725     ret = NXT_ERROR;
726 
727     nsaved = getgroups(nsaved, saved);
728 
729     if (nxt_slow_path(nsaved == -1)) {
730         nxt_alert(task, "getgroups(%d) failed %E", nsaved, nxt_errno);
731         goto free;
732     }
733 
734     nxt_debug(task, "getgroups(): %d", nsaved);
735 
736     if (initgroups(uc->user, uc->base_gid) != 0) {
737         if (nxt_errno == NXT_EPERM) {
738             nxt_log(task, NXT_LOG_NOTICE,
739                     "initgroups(%s, %d) failed %E, ignored",
740                     uc->user, uc->base_gid, nxt_errno);
741 
742             ret = NXT_OK;
743 
744             goto free;
745 
746         } else {
747             nxt_alert(task, "initgroups(%s, %d) failed %E",
748                       uc->user, uc->base_gid, nxt_errno);
749             goto restore;
750         }
751     }
752 
753     ngroups = getgroups(0, NULL);
754 
755     if (nxt_slow_path(ngroups == -1)) {
756         nxt_alert(task, "getgroups(0, NULL) failed %E", nxt_errno);
757         goto restore;
758     }
759 
760     nxt_debug(task, "getgroups(0, NULL): %d", ngroups);
761 
762     uc->gids = nxt_malloc(ngroups * sizeof(nxt_gid_t));
763 
764     if (nxt_slow_path(uc->gids == NULL)) {
765         goto restore;
766     }
767 
768     ngroups = getgroups(ngroups, uc->gids);
769 
770     if (nxt_slow_path(ngroups == -1)) {
771         nxt_alert(task, "getgroups(%d) failed %E", ngroups, nxt_errno);
772         goto restore;
773     }
774 
775     uc->ngroups = ngroups;
776 
777     ret = NXT_OK;
778 
779 restore:
780 
781     if (nxt_slow_path(setgroups(nsaved, saved) != 0)) {
782         nxt_alert(task, "setgroups(%d) failed %E", nsaved, nxt_errno);
783         ret = NXT_ERROR;
784     }
785 
786 free:
787 
788     nxt_free(saved);
789 
790     return ret;
791 }
792 
793 
794 #endif
795 
796 
797 nxt_int_t
798 nxt_user_cred_set(nxt_task_t *task, nxt_user_cred_t *uc)
799 {
800     nxt_debug(task, "user cred set: \"%s\" uid:%d base gid:%d",
801               uc->user, uc->uid, uc->base_gid);
802 
803     if (setgid(uc->base_gid) != 0) {
804 
805 #if (NXT_HAVE_CLONE)
806         if (nxt_errno == EINVAL) {
807             nxt_log(task, NXT_LOG_ERR, "The gid %d isn't valid in the "
808                     "application namespace.", uc->base_gid);
809             return NXT_ERROR;
810         }
811 #endif
812 
813         nxt_alert(task, "setgid(%d) failed %E", uc->base_gid, nxt_errno);
814         return NXT_ERROR;
815     }
816 
817     if (uc->gids != NULL) {
818         if (setgroups(uc->ngroups, uc->gids) != 0) {
819 
820 #if (NXT_HAVE_CLONE)
821             if (nxt_errno == EINVAL) {
822                 nxt_log(task, NXT_LOG_ERR, "The user \"%s\" (uid: %d) has "
823                         "supplementary group ids not valid in the application "
824                         "namespace.", uc->user, uc->uid);
825                 return NXT_ERROR;
826             }
827 #endif
828 
829             nxt_alert(task, "setgroups(%i) failed %E", uc->ngroups, nxt_errno);
830             return NXT_ERROR;
831         }
832 
833     } else {
834         /* MacOSX fallback. */
835         if (initgroups(uc->user, uc->base_gid) != 0) {
836             nxt_alert(task, "initgroups(%s, %d) failed %E",
837                       uc->user, uc->base_gid, nxt_errno);
838             return NXT_ERROR;
839         }
840     }
841 
842     if (setuid(uc->uid) != 0) {
843 
844 #if (NXT_HAVE_CLONE)
845         if (nxt_errno == EINVAL) {
846             nxt_log(task, NXT_LOG_ERR, "The uid %d (user \"%s\") isn't "
847                     "valid in the application namespace.", uc->uid, uc->user);
848             return NXT_ERROR;
849         }
850 #endif
851 
852         nxt_alert(task, "setuid(%d) failed %E", uc->uid, nxt_errno);
853         return NXT_ERROR;
854     }
855 
856     return NXT_OK;
857 }
858 
859 
860 void
861 nxt_process_use(nxt_task_t *task, nxt_process_t *process, int i)
862 {
863     process->use_count += i;
864 
865     if (process->use_count == 0) {
866         nxt_runtime_process_release(task->thread->runtime, process);
867     }
868 }
869 
870 
871 void
872 nxt_process_port_add(nxt_task_t *task, nxt_process_t *process, nxt_port_t *port)
873 {
874     nxt_assert(port->process == NULL);
875 
876     port->process = process;
877     nxt_queue_insert_tail(&process->ports, &port->link);
878 
879     nxt_process_use(task, process, 1);
880 }
881 
882 
883 nxt_process_type_t
884 nxt_process_type(nxt_process_t *process)
885 {
886     return nxt_queue_is_empty(&process->ports) ? 0 :
887         (nxt_process_port_first(process))->type;
888 }
889 
890 
891 void
892 nxt_process_close_ports(nxt_task_t *task, nxt_process_t *process)
893 {
894     nxt_port_t  *port;
895 
896     nxt_process_port_each(process, port) {
897 
898         nxt_port_close(task, port);
899 
900         nxt_runtime_port_remove(task, port);
901 
902     } nxt_process_port_loop;
903 }
904 
905 
906 void
907 nxt_process_connected_port_add(nxt_process_t *process, nxt_port_t *port)
908 {
909     nxt_thread_mutex_lock(&process->cp_mutex);
910 
911     nxt_port_hash_add(&process->connected_ports, port);
912 
913     nxt_thread_mutex_unlock(&process->cp_mutex);
914 }
915 
916 
917 void
918 nxt_process_connected_port_remove(nxt_process_t *process, nxt_port_t *port)
919 {
920     nxt_thread_mutex_lock(&process->cp_mutex);
921 
922     nxt_port_hash_remove(&process->connected_ports, port);
923 
924     nxt_thread_mutex_unlock(&process->cp_mutex);
925 }
926 
927 
928 nxt_port_t *
929 nxt_process_connected_port_find(nxt_process_t *process, nxt_pid_t pid,
930     nxt_port_id_t port_id)
931 {
932     nxt_port_t  *res;
933 
934     nxt_thread_mutex_lock(&process->cp_mutex);
935 
936     res = nxt_port_hash_find(&process->connected_ports, pid, port_id);
937 
938     nxt_thread_mutex_unlock(&process->cp_mutex);
939 
940     return res;
941 }
942