The recipe:

1. Compatible CPU with VT-x/AMD-V enabled in the BIOS
2. Innotek/Oracle/Sun VirtualBox (a current version) with hardware virtualization enabled
3. Profit!

The one downside to this? 64-bit VM’s running on 32-bit host OS can’t see multiple cpu’s. Boo. Hoo. I’ll just run more VM’s!

I think this is as simple as I can possibly make it:

<?
define( 'MAX_COPIES', 3 );
$back_fname = "/path/to/log/file/abc.log";

function trace( $msg ) {
    echo "- $msg\n";
}

exec( "ls -r ${back_fname}*", $copies, $succ );
while( count($copies) >= MAX_COPIES ) {
    $fname = array_shift($copies);
    trace( "deleting ".$fname );
}
$next = count($copies);
while( $fname = array_shift($copies) ) {
    --$next;
    trace( "rotating $fname -> $next" );
    rename( $fname, "$back_fname.$next" );
}

trace( "creating $back_fname" );
touch( $back_fname );
?>

A sample series of executions might look like this:

ammon@wernstrom:/path/to/log/file$ touch abc.log
ammon@wernstrom:/path/to/log/file$ php rotate.php
- rotating /path/to/log/file/abc.log -> 0
- creating /path/to/log/file/abc.log
ammon@wernstrom:/path/to/log/file$ php rotate.php
- rotating /path/to/log/file/abc.log.0 -> 1
- rotating /path/to/log/file/abc.log -> 0
- creating /path/to/log/file/abc.log
ammon@wernstrom:/path/to/log/file$ php rotate.php
- rotating /path/to/log/file/abc.log.1 -> 2
- rotating /path/to/log/file/abc.log.0 -> 1
- rotating /path/to/log/file/abc.log -> 0
- creating /path/to/log/file/abc.log
ammon@wernstrom:/path/to/log/file$ php rotate.php
- deleting /path/to/log/file/abc.log.2
- rotating /path/to/log/file/abc.log.1 -> 2
- rotating /path/to/log/file/abc.log.0 -> 1
- rotating /path/to/log/file/abc.log -> 0
- creating /path/to/log/file/abc.log

This doesn’t have any failsafes, doesn’t compress anything, depends on an external call to ‘ls’, and it actually deletes old files in stead of overwriting them… but it is the shortest, simplest method I’ve come up with to get the job done.

If I feel like making this a full-fledged series, I might actually post a more thorough implementation later

This simple script scans all normal files in a log directory, and if they are older than a certain cutoff, moves them into a holding directory for old logs. Future passes will check files in the old directory for another age setting and will delete them. That’s all there is to it.

Configure your cutoffs, directories of interest, and optionally plug in a better logging mechanism and you’re set. (Oh, and change the #! if necessary, of course).

#!/usr/bin/php
<?
$cutoff_rotate = "3 days";
$cutoff_delete = "7 days";
$dir_log = "/logs";
$dir_old = "/logs.old";

function trace( $msg, $debug = FALSE ) {
	// appropriate logging mechanism can be plugged in here
	echo "[] $msg\n";
}

// scan old files for deletion
if( is_dir($dir_old) ) {
	$dh = opendir( $dir_old );
	if( $dh !== FALSE ) {
		chdir( $dir_old );
		trace( "scanning $dir_old for logs more than $cutoff_delete old" );
		$cutoff = strtotime( "-$cutoff_delete" );
		trace( "cutoff is ".date('r',$cutoff) );
		while( ($file = readdir($dh)) !== FALSE ) {
			if( is_dir($file) ) {
				trace( "skipping $file", true );
				continue;
			} else {
				$ts = filemtime($file);
				if( $ts < $cutoff ) {
					trace( "deleting $file, ".date('r',$ts) );
					$succ = @unlink($file);
					if( !$succ )
						trace( "failed to unlink $file!" );
				} else {
					trace( "ignoring $file, ".date('r',$ts), true );
				}
			}
		}
	}
	closedir( $dh );
} else {
	trace( "no old log dir $dir_old to scan yet" );
}

// scan current files for rotation
if( file_exists($dir_old) ) {
	trace( "creating $dir_old" );
	$succ = @mkdir( $dir_old, 0775, true );
	if( !$succ ) {
		trace( "mkdir failed, aborting rotation" );
		exit( 1 );
	}
}
if( is_dir($dir_log) ) {
	$dh = opendir( $dir_log );
	if( $dh !== FALSE ) {
		chdir( $dir_log );
		trace( "scanning $dir_log for logs more than $cutoff_rotate old" );
		$cutoff = strtotime( "-$cutoff_delete" );
		trace( "cutoff is ".date('r',$cutoff) );
		while( ($file = readdir($dh)) !== FALSE ) {
			if( is_dir($file) ) {
				trace( "skipping $file", true );
				continue;
			} else {
				$ts = filemtime($file);
				if( $ts < $cutoff ) {
					trace( "rotating $file, ".date('r',$ts), true );
					$succ = @rename( $file, $dir_old );
					if( !$succ )
						trace( "failed to rotate $file!" );
				} else {
					trace( "ignoring $file, ".date('r',$ts), true );
				}
			}
		}
	}
	closedir( $dh );
}
?>

The FILES variable should be populated with a whitespace separated list of files, directories, and block devices to track.

The DB_ABCD variables should be populated with appropriate credentials to talk to a mysql server.

The actual script looks something like this:

#!/bin/bash

FILES='/var/lib/mysql/ibdata1 /var/lib/mysql/db/table.ibd /dev/sda1 /var/log/mysql'

LOCAL=`hostname -s`
DB_HOST='aaa'
DB_USER='bbb'
DB_PASS='ccc'

function insert {
    FILE=$1
    SIZE=$2
    QUERY="replace into metrics.storage_usage values( now(), '$LOCAL', '$FILE', $SIZE )"
    mysql --host=${DB_HOST} --user=${DB_USER} --password="${DB_PASS}" -e "${QUERY}"
}

for FILE in $FILES
do
    if [ -d $FILE ]; then
        BASE=$FILE
        SIZE=`du -ks $FILE/ | awk '{print $1}'`
    elif [ -b $FILE ]; then
        TMP=`df -k -P $FILE | tail -n1 | awk '{print $3 " " $6}'`
        SIZE=`echo $TMP | awk '{print $1}'`
        BASE=`echo $TMP | awk '{print $2}'`
    else
        BASE=`basename $FILE`
        SIZE=`du -k $FILE | awk '{print $1}'`
    fi

    echo "$BASE = $SIZE"
    insert $BASE $SIZE
done

I am putting my data into a table called “storage_usage” in a database called “metrics”:

CREATE TABLE `storage_usage` (
  `ts` date NOT NULL,
  `host` varchar(25) NOT NULL,
  `file` varchar(64) NOT NULL,
  `size` int(10) unsigned NOT NULL COMMENT 'in kbytes',
  PRIMARY KEY (`ts`,`host`,`file`)
)

Obviously, this could be tweaked in any different number of ways, based on your needs. One tweak you might want to consider if you’re running it in a daily cron is to remove the echo so you don’t get an email report of every run. Also, if you might want to record more than one snapshot per file per host per day – in the which case you probably need to change the type of the timestamp column to a datetime. Or there might be cases where you want to change the replace to an insert or… whatever

Last week, I needed to set up new replication of an 80gb database. This should have been routine by now, but when I attempted to prepare the backup this time, it whined and complained and failed. I was kind of frazzled by the time I gave up on the issue and declared it a fluke of one sort or another.

Last night, I tried again from Sunday’s full backup, and it happened again:

ammon@amy:/var/lib/2009-08-16_04-02-17$ sudo xtrabackup --prepare --target-dir=.
xtrabackup  Ver 0.8.1rc Rev 78 for 5.0.83 unknown-linux-gnu (x86_64)
xtrabackup: cd to .
xtrabackup: This target seems to be not prepared yet.
xtrabackup: xtrabackup_logfile detected: size=75546624, start_lsn=(86 1293090752)
xtrabackup: Temporary instance for recovery is set as followings.
xtrabackup:   innodb_data_home_dir = ./
xtrabackup:   innodb_data_file_path = ibdata1:512M:autoextend
xtrabackup:   innodb_log_group_home_dir = ./
xtrabackup:   innodb_log_files_in_group = 1
xtrabackup:   innodb_log_file_size = 75546624
xtrabackup: Starting InnoDB instance for recovery.
xtrabackup: Using 104857600 bytes for buffer pool (set by --use-memory parameter)
InnoDB: Log scan progressed past the checkpoint lsn 86 1293090752
090818  2:54:34  InnoDB: Database was not shut down normally!
InnoDB: Starting crash recovery.
InnoDB: Reading tablespace information from the .ibd files...
090818  2:54:34  InnoDB: Operating system error number 2 in a file operation.
InnoDB: The error means the system cannot find the path specified.
InnoDB: If you are installing InnoDB, remember that you must create
InnoDB: directories yourself, InnoDB does not create them.
InnoDB: File name .//tmp/#sql6e1e_8cce1_0.ibd
InnoDB: File operation call: 'create'.
InnoDB: Cannot continue operation.

I gave up after poking a few things.

This morning’s fresh look turned up this bug report.

ammon@amy:/var/lib/2009-08-16_04-02-17$ sudo mkdir tmp
ammon@amy:/var/lib/2009-08-16_04-02-17$ sudo xtrabackup --prepare --target-dir=.
xtrabackup  Ver 0.8.1rc Rev 78 for 5.0.83 unknown-linux-gnu (x86_64)
xtrabackup: cd to .
xtrabackup: This target seems to be not prepared yet.
090818 12:27:41  InnoDB: Operating system error number 2 in a file operation.
InnoDB: The error means the system cannot find the path specified.
xtrabackup: Warning: cannot open ./xtrabackup_logfile. will try to find.
xtrabackup: 'ib_logfile0' seems to be 'xtrabackup_logfile'. will retry.
xtrabackup: xtrabackup_logfile detected: size=84983808, start_lsn=(86 1293090752)
xtrabackup: Temporary instance for recovery is set as followings.
xtrabackup:   innodb_data_home_dir = ./
xtrabackup:   innodb_data_file_path = ibdata1:512M:autoextend
xtrabackup:   innodb_log_group_home_dir = ./
xtrabackup:   innodb_log_files_in_group = 1
xtrabackup:   innodb_log_file_size = 84983808
xtrabackup: Starting InnoDB instance for recovery.
xtrabackup: Using 104857600 bytes for buffer pool (set by --use-memory parameter)
InnoDB: Log scan progressed past the checkpoint lsn 86 1293090752
090818 12:27:41  InnoDB: Database was not shut down normally!
InnoDB: Starting crash recovery.
InnoDB: Reading tablespace information from the .ibd files...
InnoDB: Doing recovery: scanned up to log sequence number 86 1298333184 (6 %)
InnoDB: Doing recovery: scanned up to log sequence number 86 1303576064 (13 %)
InnoDB: Doing recovery: scanned up to log sequence number 86 1308818944 (20 %)
InnoDB: Doing recovery: scanned up to log sequence number 86 1314061824 (27 %)
InnoDB: Doing recovery: scanned up to log sequence number 86 1319304704 (34 %)
090818 12:27:44  InnoDB: Starting an apply batch of log records to the database...
... snip ...

That’s right. There’s a bug in innodb restoration that interprets location of /tmp (configurable in my.cnf) to be relative in stead of absolute.

So, if you have problems while trying to restore from an xtrabackup/ibbackup snapshot (or if you’re trying to recover innodb after a crash), just creating the offending tmp directory appears to work.

It works under the assumption that your server daemon has a unique name and only ever runs a single instance – this also means that the binary and the init.d script cannot share a name – otherwise strange things happen

Actual invocation logic may need to be updated on a per-service basis and chkconfig style headers would have to be added manually, but it works well for what it is.

#!/bin/bash

DIR=''	# path to the daemon executable
CMD=''	# name of the command itself
ARG=''	# optional. any arguments to pass when starting
NAM=''	# descriptive name of the daemon so it shows up pretty

function get_ps {
	ps --no-header -C${CMD}
}

function do_start {
	echo -n "Starting ${NAM}... "
	cd ${DIR}
	nohup ./${CMD} ${ARG} &
	SUCC=`get_ps | wc -l`
	if [ "1" == "$SUCC" ]; then
		echo "[SUCCESS]"
	else
		echo "[FAILURE]"
	fi
}

function do_stop {
	echo -n "Stopping ${NAM}... "
	PID=`get_ps | awk '{print $1}'`
	kill $PID
	SUCC=`get_ps | wc -l`
	if [ "0" == "$SUCC" ]; then
		echo "[SUCCESS]"
	else
		echo "[FAILURE]"
	fi
}

case "${1:-''}" in
	'start')
		do_start
		;;
	'stop')
		do_stop
		;;
	'restart')
		do_stop
		do_start
		;;
	*)
		#echo "Usage: $SELF start|stop|restart|reload|force-reload|status"
		echo "Usage: $SELF start|stop|restart"
		exit 1
		;;
esac

I’ve been doing a lot of backup scripting recently. Yes, there are tons of commercial apps out there, but none of them that I’ve looked into are a perfect match for all of our needs. I’ll eventually settle on one and it will probably replace 80% of my scripts, but plenty will remain.

One problem that I’ve encountered while doing the whole backup juggling bit is the ferocious rate of change in the nature of the data we’re archiving. Code I’d written a year ago was obsoleted 6 months ago by code that was obsoleted 3 months ago by code that I replaced a few weeks back that is being replaced by the code I’m writing right now.

Another one of the problems is that the sheer quantity of data involved is growing in a very uncontrolled way. Early last May (the oldest archive I have easy access to), a full archive of the entire system was barely 3gb in size. Today, it is closer to 60gb. ~20x growth over the last 9 months.

It’s been fun, if somewhat frustrating, dealing with all of the growth.

On January 20th, I needed to perform a long-deprecated sort of snapshot. The code that generated this sort of file no longer worked because so many things had changed. I wound up digging out old scripts from SVN and updating them to run against the new environment.

Because of the amount of data involved, this took a very long time. It didn’t help that the scripts consumed an unfair amount of system resources – I couldn’t run them with any meaningful priority during the day without crippling everyone else.

Lots of low priority io later, I finally had a 54gb tar file… In one of the three places I needed it.

The first transfer was simple, the hosts are on the same gigabit switch as each other. Unfortunately, scping that much data between two hosts at that kind of speed has negative effects on the systems involved. I had to throttle the transfer way down to before it could run without visibly impacting performance.

rsync --partial --bwlimit=10000 -e "ssh -i ${RSA_KEYFILE}" ${LOCAL_FNAME} {REMOTE_USER}@${REMOTE_HOST}:${REMOTE_FNAME}

The second transfer… wasn’t so easy. I needed to move the file to my office without negatively impacting everyone’s ability to work – and I couldn’t wait for the transfer to run at low enough speeds not to cripple the T1.

We have a backup 6mbit DSL link that I only use for emergencies and for testing. Even at a full 6mbit, the transfer would have taken more than 36 hours. Compressing the file took a while but brought the file size down to a much more manageable 24gb (~11 hours over the DSL).

The only remaining gotcha was that DSL link can’t actually SSH through the firewall into the colo So… I started the transfer over https last night and went home.

This morning, it was finally time to decompress the monstrosity locally, but I noticed a hiccup in dsl traffic overnight and figured I’d run a check on things first – just to make sure that http resume had worked correctly.

ammon@scruffy:~$ gunzip --test archive_2009_01_20.tar.gz
gunzip: archive_2009_01_20.tar.gz: invalid compressed data--format violated

This was not good. I had a 24gb file that was somehow corrupted… somewhere.

Since re-downloading the whole thing would cost me another whole day… I had to find out a way to repair the file in a reasonable amount of time. Some research and suggestion gathering later, it was confirmed that rsync would probably handle the task.

Assuming that I wouldn’t be using an unfair amount of bandwidth for this, I switched back to the T1 link so I could tunnel through SSH again.

ammon@scruffy:~$ rsync --checksum --inplace -e "ssh" wernstrom:/tmp/archive_2009_01_20.tar.gz archive_2009_01_20.tar.gz 

sent 1280578 bytes  received 1440757 bytes  2622.97 bytes/sec
total size is 25619572576  speedup is 9414.34

ammon@scruffy:~$ gunzip --test archive_2009_01_20.tar.gz
ammon@scruffy:~$

(remember, this is unix, no output implies success)

So, yeah. Rsync, I love it when you work.

It took some time and generated a lot of disk activity when the process started, but it worked almost painlessly and only transferred the data I needed – thus leaving the shared network resource free for everyone else

I never really cared about networking much beyond that needed to make sure clients on a lan can talk to their dns server… but we’ve been growing enough here at work that the needs quickly outpaced my prior skillset. And since I was the closest thing we had to a network admin, I got signed up for classes

It’s been fun and profoundly enlightening. I didn’t expect to have my way of thinking so radically altered, but I’m hardly complaining.

I’ll be starting up the second class in a week or two. This’ll include such topics as VLANs, IPv6, and fancy routing protocols. I’m stoked.

It’s funny. I never finished college (though I took classes for roughly 10 years), so this is actually the first certificate of education I’ve received since highschool.

The comment was made at work that I’d dinged as a sysadmin. I haven’t. I’m just cherry picking my next few levels in netadmin

What I want:

ammon@hermes:~/repo$ svn info --get-revision .
1234

But of course, nothing like this exists.

Thankfully, svn info’s output IS easy enough to parse. You just have to do it your self.

ammon@hermes:~/repo$ svn info | grep Revision | awk -- '{print $2}'
1234

Will give you the revision of your current checkout without the network hit of a call to svn log.

To get the current version of the repo itself (hits the network), add “-r HEAD” to the svn info call:

ammon@hermes:~/repo$ svn info -r HEAD | grep Revision | awk -- '{print $2}'
1280

Of course, svn info also supports outputting info as xml, so you could use that to parse things in a more advanced environment but one where you’re still not using the svn api bindings.

Well, it’s been months since I promised to post some usable socket policy service code, so I will.

The script here is meant to serve as a good starting point for people whose servers need to allow flash clients to make socket connections. I have not actually used this exact code in a production environment, but I have been using code that is 99% identical for a while now. I am confident that any blatant flaws are the result of simple copy-paste errors as I compiled the package. Please let me know if you find any.

I have however, stress tested the heck out of this service. One instance successfully served up over 16000 policy file requests fed into it as rapidly as I could send them. The same networking code has also handled requests from at least 100 different hosts at roughly the same time.

Everything has been combined into a single cli php script that requires no special installation. Just plop it down on the server and run it as root. It will take care of the rest. The config defaults should be safe, but you probably want to specify them more clearly – just to be safe.

The daemon is made of three classes:

• Logger – A rudimentary log file management class that I copy from project to project in one form or another. The included version is stripped down from some of the other versions I’ve written, and I’m planning on releasing a more feature-rich version in the future.
• Daemon – A simple class for daemonizing a process. Adapted and re-adapted countless times from an original php4 class I found on the net a few years ago by some guy named Seth (whose email domain no longer exists).
• FlashPolicyService – The meat and potatoes, a child of Daemon. Mostly, this is just the requisite networking code and glue to make everything work together.

As with any of my other code, this is licensed under CC Attribution 3.0.

Download:

• FlashPolicyService-09c.zip (4.4kb)

Source code after the jump.

#!/usr/local/bin/php
<?php
/**
 * Flash Policy Service v0.9.c
 *
 * This script listens for <policy-file-request/> on port 843 and serves up
 * an xml crossdomain policy file. This sort of service is necessary if any
 * flash content is going to connect to sockets on the running host.
 *
 * I have made every effort to package everything you need into a single
 * file here, even though it could easily have been split into 3 or more
 * scripts.
 *
 * Requirements:
 *  - PHP 5 with sockets, pcntl, and posix extensions
 *  - Root access (to bind to a <1024 port)
 *
 * Use:
 *  Simply execute the script from the command line as root:
 *    # ./FlashPolicyService.php
 *  You can enable debug mode by invoking the script with '-d' as a parameter:
 *    # ./FlashPolicyService.php -d
 *  To stop the daemon, simply send it a SIGTERM and it should attempt to
 *  exit cleanly.
 *
 *  If you get 'bad interpreter' errors or the like, change the #! line to
 *  reflect the actual installed location of your php cli.
 *
 * Configuration:
 *  At present, there aren't very many config options. Simply edit the
 *  section immediately following this header. Options are commented.
 *
 * License:
 *  This code is made available under a Creative Commons Attribution 3.0
 *  License. Basically, you can use it however you like, but I would
 *  appreciate some credit when you do.
 *
 * Disclaimer:
 *  I make no guarantees that this code won't make your server explode in a
 *  shower of blue flames. However, I don't expect that it will. I am actually
 *  confident that this code will be helpful.
 *
 *  That said, this is still my beta release. If you find any bugs, please
 *  let me know so I can fix them.
 *
 * - Ammon Lauritzen [Apr 21, '08]
 *   http://ammonlauritzen.com/blog/2008/04/22/flash-policy-service-daemon/
 *
 * Changelog
 * 0.9.c
 *   - Fixed some typoes that were the result of how I combined everything
 *     into a single file. Thanks Alex!
 * 0.9.b
 *   - Original version to be posted at this url.
 * 0.9.a
 *   - Original proof of concept code posted online.
 */

/*** Config ***/

// where should we save the log output?
$log_filename = "/tmp/flash-policy.log";

// uncomment these lines to choose which user to run the daemon as
// default behavior is to look up and attempt to run as 'nobody'
# $daemon_uid = 99;
# $daemon_gid = 99;

// set this if you want to use an external file in stead of the default
$xml_filename = "";
$default_xml =
	'<'.'?xml version="1.0" encoding="UTF-8"?'.'>'.
    '<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFileSocket.xsd">'.
        '<allow-access-from domain="*" to-ports="*" secure="false" />'.
        '<site-control permitted-cross-domain-policies="all" />'.
    '</cross-domain-policy>';

/*** You shouldn't have to edit anything below here ***/

/////////////////////////////////////////////////////////////////////////////
class Logger {
	public function __construct( $logfile ) {
        $this->logfile = $logfile;
        $this->open_log();
    }// end: constructor

    public function __destruct() {
        @fflush( $this->fh );
        @fclose( $this->fh );
    }// end: destructor

    public function log( $msg ) {
		// deal with redundant log spam
		if( $msg == $this->last_msg ) {
			$this->last_msg_count++;
			return;
		} else if( $this->last_msg_count ) {
			$this->write( "Last message repeated ".$this->last_msg_count." times." );
		}
		$this->lasg_msg = $msg;
		$this->last_msg_count = 0;

		// actually write the log message out
		$this->write( $msg );
	}// end: log

	private function write( $msg ) {
        $msg = sprintf("[%s] %s\\n",date("y-m-d H:i:s"),$msg);
        $succ = @fwrite( $this->fh, $msg );
        if( $succ === FALSE ) {
            echo $msg;
        }
    }// end: write

	private function open_log() {
        if( !file_exists($this->logfile) ) {
            touch( $this->logfile );
            chmod( $this->logfile, 0664 );
        }
        $this->fh = @fopen( $this->logfile, "a" );
    }
}// end: logger class

/////////////////////////////////////////////////////////////////////////////
class Daemon {
	public function __construct() {
		error_reporting(0);
		set_time_limit(0);

		global $log_filename, $pid_filename;
		$this->logger = new Logger( $log_filename );
		$this->pid_filename = $pid_filename;

		$this->log_tag = $this->daemon_tag = "launcher";
		$this->debug( "constructed", $this->daemon_tag );
	}// end: constructor

	public function __destruct() {
		$this->debug( "destructing", $this->daemon_tag );
	}// end: destructor

	protected function log( $msg, $tag = false ) {
		if( $tag == false )
			$tag = $this->log_tag;
		$this->logger->log( $tag.": ".$msg );
	}// end: log
	protected function debug( $msg, $tag = false ) {
		if( DEBUG )
			$this->log( $msg, $tag );
	}// end: debug

	protected function main() {
		$this->log( "override main() in daemon subclass", $this->daemon_tag );
		$this->stop();
	}// end: main

	public function start() {
		$this->log( "starting daemon", $this->daemon_tag );
		if( !$this->_start() ) {
			$this->log( "unable to start daemon", $this->daemon_tag );
			return;
		}

		// report execution details
		$this->log( "uid = ".posix_getuid().", gid = ".posix_getgid() );
		$this->log( "cwd = ".getcwd() );

		// invoke main loop
		$this->running = true;
		while( $this->running ) {
			$this->main();
		}
	}// end: start
	private function _start() {
		if( !$this->_fork() ) {
			return false;
		}// end: try to fork

		if( !posix_setsid() ) {
			$this->log( "unable to setsid()", $this->daemon_tag );
			return false;
		}// end: try to set sid

		if( !$this->_suid() ) {
			return false;
		}// end: try to set uid

		// register signal handler
		declare(ticks = 1);
		pcntl_signal( SIGTERM, array(&$this, "on_sigterm") );
		// chdir somewhere moderately safe by default
		chdir( '/tmp' );
		return true;
	}// end: _start
	private function _fork() {
		$this->log( "forking...", $this->daemon_tag );
		$pid = pcntl_fork();
		if( $pid == -1 ) {
			// error
			$this->log( "unable to fork", $this->daemon_tag );
			return false;
		} else if( $pid ) {
			// parent
			$this->debug( "done with parent", $this->daemon_tag );
			exit( 0 );
		} else {
			// child
			$this->daemon_tag = "daemon";
			$this->child = true;
			$this->pid = posix_getpid();
			$this->debug( "child pid = ".$this->pid );
			return true;
		}
	}// end: _fork
	private function _suid() {
		global $daemon_uid, $daemon_gid;
		if( !isset($daemon_uid) || !isset($daemon_gid) ) {
			// we didn't get a uid/gid, try to make one up
			$this->debug( "searching for info on 'nobody'", $this->daemon_tag );
			$res = posix_getpwnam("nobody");
			if( $res !== FALSE ) {
				$uid = $res['uid'];
				$gid = $res['gid'];
			} else {
				// the 'nobody' user doesn't exist on this system, refuse
				// to daemonize as root
				$this->log( "unable to find info on 'nobody' user", $this->daemon_tag );
				return false;
			}
		} else {
			$this->debug( "got uid/gid of $daemon_uid/$daemon_gid", $this->daemon_tag );
			$uid = $daemon_uid;
			$gid = $daemon_gid;
		}
		// actually try to switch now
		if( !posix_setgid($gid) ) {
			$this->log( "unable to set gid to ".$gid, $this->daemon_tag );
			return false;
		} else if( !posix_setuid($uid) ) {
			$this->log( "unable to set uid to ".$uid, $this->daemon_tag );
			return false;
		} else {
			return true;
		}
	}// end: _suid

	public function stop() {
		$this->log( "stopping daemon", $this->daemon_tag );
		$this->running = false;
	}// end: stop

	protected function on_sigterm( $sig ) {
		if( $sig == SIGTERM ) {
			$this->log( "got SIGTERM", $this->daemon_tag );
			$this->stop();
			exit( 0 );
		}
	}// end: on_sigterm
}// end: daemon class

/////////////////////////////////////////////////////////////////////////////
class FlashPolicyService extends Daemon {
	public function __construct() {
		parent::__construct();
		$this->log_tag = "fps";
		$this->debug( "constructing" );

		$this->connections = array();
		$this->request_str = "<policy-file-request/>";
		$this->port = 843;

		// get our xml
		global $xml_filename, $default_xml;
		if( strlen($xml_filename) == 0 || !file_exists($xml_filename) ) {
			$this->log( "unable to read xml from '$xml_filename', using default" );
			$this->xml = $default_xml;
		} else {
			$this->log( "reading policy xml from $xml_filename" );
			$this->xml = file_get_contents( $xml_filename );
		}
		$this->debug( "policy xml: ".$this->xml );
		// make sure we're null terminated
		$this->xml = trim($this->xml)."\\n\\0";

		// and get going
		$this->init();
	}// end: constructor

	public function __destruct() {
		parent::__destruct();
		if( $this->sock )
			@fclose($this->sock);
	}// end: destructor

	private function init() {
		$this->debug( "init..." );
		if( $this->check_socket() ) {
			parent::start();
		} else {
			$this->log( "not starting daemon" );
		}
	}// end: init

	protected function main() {
		if( $this->sock ) {
			while( true ) {
				$this->accept_socket();
			}
		} else {
			$this->log( "server socket is closed?!" );
			parent::stop();
		}
		// paranoia to keep from absolutely hosing cpu if something goes wrong
		usleep( 10000 );	// 10ms
	}// end: main

	private function check_socket() {
		$this->sock = @socket_create( AF_INET, SOCK_STREAM, SOL_TCP );
		if( !$this->sock ) {
			$this->log( "unable to create socket" );
		} else {
			$succ = @socket_bind( $this->sock, "0.0.0.0", $this->port );
			if( !$succ ) {
				$this->log( "unable to bind to port ".$this->port );
			} else {
				$backlog = 100;
				$succ = @socket_listen( $this->sock, $backlog );
				if( !$succ ) {
					$this->log( "unable to listen with backlog of $backlog" );
				} else {
					// everything's good
					return true;
				}
			}// end: able to bind
		}// end: able to create socket

		// if we got here, it's an error. abort.
		$errno = socket_last_error( $this->sock );
		$errstr = socket_strerror( $errno );
		$this->log( "socket error: $errno: $errstr" );
		return false;
	}// end: check_socket

	private function accept_socket() {
		$r_socks = array_merge( array($this->sock), $this->connections );
		$this->debug( "selecting on ".count($r_socks)." sockets" );

		// block until something interesting happens
		$select = @socket_select( $r_socks, $w_socks = NULL, $e_socks = NULL, NULL );
		if( !$select )
			return;

		// did we get a new connection?
		if( in_array($this->sock, $r_socks) ) {
			$conn = @socket_accept( $this->sock );
			if( $conn !== false )
				@socket_getpeername( $conn, $addr );
			$this->log( "connection accepted from $addr, $conn" );
			$this->connections[] = $conn;
		}// end: got a new connection

		// check for policy requests
		foreach( $r_socks as $conn ) {
			// ignore the server socket
			if( $conn == $this->sock )
				continue;

			// read from the client
			$data = @socket_read( $conn, 1024 );
			if( $data === FALSE ) {
				$this->log( "got disconnect from $conn" );
			}// end: client closed connection
			else {
				$this->debug( "read '".trim($data)."' from $conn" );
				if( strpos($data, $this->request_str) !== FALSE ) {
					$this->log( "sending policy xml to $conn" );
					@socket_write( $conn, $this->xml );
				} else {
					$this->log( "got invalid request from $conn" );
				}
			}// end: got data from the client

			// and always disconnect after having read something, whether
			// it was a valid request or not - especially if it wasn't 
			@socket_close( $conn );
			$key = array_search( $conn, $this->connections );
			if( $key !== FALSE )
				unset( $this->connections[$key] );
		}// end: foreach socket
	}// end: accept_socket

}// end: flash policy service class

/////////////////////////////////////////////////////////////////////////////
/**
 * Actual execution code here. This checks if the php install has all of our
 * requisite extensions, makes sure we're launching as root, and checks if
 * debug mode was requested before actually starting the daemon.
 */

// make sure we have required extensions
$required_extensions = array( "sockets", "posix", "pcntl" );
$missing_extension = false;
foreach( $required_extensions as $ext ) {
	if( !extension_loaded($ext) ) {
		echo "Missing required php extension '$ext'.\n";
		$missing_extension = true;
	}
}
if( $missing_extension ) {
	exit( 1 );
}

// make sure we launch as root, otherwise we can't bind to 843
if( posix_getuid() != 0 || posix_getgid() != 0 ) {
	echo "Policy service must be started as root.\n";
	exit( 1 );
}

// see if we're in debug mode
define( "DEBUG", in_array('-d',$argv) );

// start the daemon
$fps = new FlashPolicyService();
?>