MINOR: debug: make most debug CLI commands accessible in expert mode

Instead of relying on DEBUG_DEV for most debugging commands, which is limiting, let's condition them to expert mode. Only one ("debug dev exec") remains conditionned to DEBUG_DEV because it can have a security implication on the system. The commands are not listed unless "expert-mode on" was first entered on the CLI : > expert-mode on > help debug dev close <fd> : close this file descriptor debug dev delay [ms] : sleep this long debug dev exec [cmd] ... : show this command's output debug dev exit [code] : immediately exit the process debug dev hex <addr> [len]: dump a memory area debug dev log [msg] ... : send this msg to global logs debug dev loop [ms] : loop this long debug dev panic : immediately trigger a panic debug dev stream ... : show/manipulate stream flags debug dev tkill [thr] [sig] : send signal to thread > debug dev stream Usage: debug dev stream { <obj> <op> <value> | wake }* <obj> = {strm | strm.f | sif.f | sif.s | sif.x | sib.f | sib.s | sib.x | txn.f | req.f | req.r | req.w | res.f | res.r | res.w} <op> = {'' (show) | '=' (assign) | '^' (xor) | '+' (or) | '-' (andnot)} <value> = 'now' | 64-bit dec/hex integer (0x prefix supported) 'wake' wakes the stream asssigned to 'strm' (default: current)
2025-09-22 14:21:25 +02:00 · 2019-10-24 18:03:39 +02:00 · 2019-10-24 18:03:39 +02:00 · b24ab22ac0
commit b24ab22ac0
parent abb9f9b057
2 changed files with 21 additions and 18 deletions
--- a/doc/management.txt
+++ b/doc/management.txt
@ -1459,10 +1459,14 @@ clear table <table> [ data.<type> <operator> <value> ] | [ key <key> ]
    >>> # table: http_proxy, type: ip, size:204800, used:1
 debug dev <command> [args]*
-  Call a developer-specific command. Only supported when haproxy is built with
+  Call a developer-specific command. Only supported on a CLI connection running
-  DEBUG_DEV defined. Supported commands are then listed in the help message.
+  in expert mode (see "expert-mode on"). Such commands are extremely dangerous
-  All of these commands require admin privileges, and must never appear on a
+  and not forgiving, any misuse may result in a crash of the process. They are
-  production system as most of them are unsafe and dangerous.
+  intended for experts only, and must really not be used unless told to do so.
  Some of them are only available when haproxy is built with DEBUG_DEV defined
  because they may have security implications. All of these commands require
  admin privileges, and are purposely not documented to avoid encouraging their
  use by people who are not at ease with the source code.
 del acl <acl> [<key>|#<ref>]
  Delete all the acl entries from the acl <acl> corresponding to the key <key>.
--- a/src/debug.c
+++ b/src/debug.c
@ -206,7 +206,6 @@ void ha_panic()
 		abort();
 }
 #if defined(DEBUG_DEV)
 /* parse a "debug dev exit" command. It always returns 1, though it should never return. */
 static int debug_parse_cli_exit(char **args, char *payload, struct appctx *appctx, void *private)
 {
@ -301,6 +300,7 @@ static int debug_parse_cli_panic(char **args, char *payload, struct appctx *appc
 }
 /* parse a "debug dev exec" command. It always returns 1. */
 #if defined(DEBUG_DEV)
 static int debug_parse_cli_exec(char **args, char *payload, struct appctx *appctx, void *private)
 {
 	FILE *f;
@ -336,6 +336,7 @@ static int debug_parse_cli_exec(char **args, char *payload, struct appctx *appct
 	trash.area[trash.data] = 0;
 	return cli_msg(appctx, LOG_INFO, trash.area);
 }
 #endif
 /* parse a "debug dev hex" command. It always returns 1. */
 static int debug_parse_cli_hex(char **args, char *payload, struct appctx *appctx, void *private)
@ -539,8 +540,6 @@ static int debug_parse_cli_stream(char **args, char *payload, struct appctx *app
 	return 1;
 }
 #endif
 #ifndef USE_THREAD_DUMP
 /* This function dumps all threads' state to the trash. This version is the
@ -661,19 +660,19 @@ REGISTER_PER_THREAD_INIT(init_debug_per_thread);
 /* register cli keywords */
 static struct cli_kw_list cli_kws = {{ },{
 	{{ "debug", "dev", "close", NULL }, "debug dev close <fd>        : close this file descriptor",      debug_parse_cli_close, NULL, NULL, NULL, ACCESS_EXPERT },
 	{{ "debug", "dev", "delay", NULL }, "debug dev delay [ms]        : sleep this long",                 debug_parse_cli_delay, NULL, NULL, NULL, ACCESS_EXPERT },
 #if defined(DEBUG_DEV)
-	{{ "debug", "dev", "close", NULL }, "debug dev close <fd>        : close this file descriptor",      debug_parse_cli_close, NULL },
+	{{ "debug", "dev", "exec",  NULL }, "debug dev exec  [cmd] ...   : show this command's output",      debug_parse_cli_exec,  NULL, NULL, NULL, ACCESS_EXPERT },
 	{{ "debug", "dev", "delay", NULL }, "debug dev delay [ms]        : sleep this long",                 debug_parse_cli_delay, NULL },
 	{{ "debug", "dev", "exec",  NULL }, "debug dev exec  [cmd] ...   : show this command's output",      debug_parse_cli_exec,  NULL },
 	{{ "debug", "dev", "exit",  NULL }, "debug dev exit  [code]      : immediately exit the process",    debug_parse_cli_exit,  NULL },
 	{{ "debug", "dev", "hex",   NULL }, "debug dev hex   <addr> [len]: dump a memory area",              debug_parse_cli_hex,   NULL },
 	{{ "debug", "dev", "log",   NULL }, "debug dev log   [msg] ...   : send this msg to global logs",    debug_parse_cli_log,   NULL },
 	{{ "debug", "dev", "loop",  NULL }, "debug dev loop  [ms]        : loop this long",                  debug_parse_cli_loop,  NULL },
 	{{ "debug", "dev", "panic", NULL }, "debug dev panic             : immediately trigger a panic",     debug_parse_cli_panic, NULL },
 	{{ "debug", "dev", "stream",NULL }, "debug dev stream ...        : show/manipulate stream flags",    debug_parse_cli_stream,NULL },
 	{{ "debug", "dev", "tkill", NULL }, "debug dev tkill [thr] [sig] : send signal to thread",           debug_parse_cli_tkill, NULL },
 #endif
-	{ { "show", "threads", NULL },    "show threads   : show some threads debugging information",   NULL, cli_io_handler_show_threads, NULL },
+	{{ "debug", "dev", "exit",  NULL }, "debug dev exit  [code]      : immediately exit the process",    debug_parse_cli_exit,  NULL, NULL, NULL, ACCESS_EXPERT },
 	{{ "debug", "dev", "hex",   NULL }, "debug dev hex   <addr> [len]: dump a memory area",              debug_parse_cli_hex,   NULL, NULL, NULL, ACCESS_EXPERT },
 	{{ "debug", "dev", "log",   NULL }, "debug dev log   [msg] ...   : send this msg to global logs",    debug_parse_cli_log,   NULL, NULL, NULL, ACCESS_EXPERT },
 	{{ "debug", "dev", "loop",  NULL }, "debug dev loop  [ms]        : loop this long",                  debug_parse_cli_loop,  NULL, NULL, NULL, ACCESS_EXPERT },
 	{{ "debug", "dev", "panic", NULL }, "debug dev panic             : immediately trigger a panic",     debug_parse_cli_panic, NULL, NULL, NULL, ACCESS_EXPERT },
 	{{ "debug", "dev", "stream",NULL }, "debug dev stream ...        : show/manipulate stream flags",    debug_parse_cli_stream,NULL, NULL, NULL, ACCESS_EXPERT },
 	{{ "debug", "dev", "tkill", NULL }, "debug dev tkill [thr] [sig] : send signal to thread",           debug_parse_cli_tkill, NULL, NULL, NULL, ACCESS_EXPERT },
 	{{ "show", "threads", NULL, NULL }, "show threads   : show some threads debugging information",  NULL, cli_io_handler_show_threads, NULL },
 	{{},}
 }};