android init 进程详解（基于AOSP master分支）

init 进程是linux 类系统重要的一个进程。 负责初始化各种用户空间的守护进程和服务。

启动流程：

这里只是分析了ARM 和 ARM64架构的启动流程， 其他架构大同小异，都是BOOTLOADER启动一个head.S汇编程序，最后启动到start_kernel 函数， 该函数定义位于 内核源码中的init/main.c 文件中。具体流程如下

ARM kernel/head.S __mmap_switched -》kernel/head-common.S start_kernel

ARM64 kernel/head.S __primary_switch -》 __primary_switched -》 start_kernel

init/main.c start_kernel -》 rest_init -》 kernel_thread(kernel_init, NULL, CLONE_FS) -》

if (!try_to_run_init_process(“/sbin/init”) ||
!try_to_run_init_process(“/etc/init”) ||
!try_to_run_init_process(“/bin/init”) ||
!try_to_run_init_process(“/bin/sh”))

最后通过执行可执行文件init来启动用户空间的init程序。 init可执行程序可以位于sbin etc 或者 bin 目录下。

下面就来看看ANDROID的init程序。

程序源码位于AOSP中的system/core/init 目录下。

和普通程序一样， 我们可以找到入口的 main函数，来开始分析过程。main函数位于init.cpp

int main(int argc, char** argv) {//这里会根据启动的init程序传入的参数决定运行的是什么。//init模块包含三个部分，分别有两个守护进程ueventd  watchdogd。//而默认启动的才是init进程本身    if (!strcmp(basename(argv[0]), "ueventd")) {        return ueventd_main(argc, argv);    }    if (!strcmp(basename(argv[0]), "watchdogd")) {        return watchdogd_main(argc, argv);    }    //REBOOT_BOOTLOADER_ON_PANIC是否定义由init模块的 .mk 决定    //只有userdebug eng 这两个版本会打开这个选项，user 版本没有。     //主要作用，当init进程崩溃后，不是让内核崩溃，而是重启bootloader，让开发者容易定位问题。    if (REBOOT_BOOTLOADER_ON_PANIC) {        //主要作用将各种信号量，如SIGABRT,SIGABRT等的行为设置为SA_RESTART        install_reboot_signal_handlers();    }    //设置环境变量， 其中_PATH_DEFPATH 在C库中定义    add_environment("PATH", _PATH_DEFPATH);    // main 函数会执行两次，第一次只会运行到if (is_first_stage)  里面的内容为止    // 通过设置INIT_SECOND_STAGE 来控制    bool is_first_stage = (getenv("INIT_SECOND_STAGE") == nullptr);    if (is_first_stage) {        boot_clock::time_point start_time = boot_clock::now();        // Clear the umask.        umask(0);        // Get the basic filesystem setup we need put together in the initramdisk        // on / and then we'll let the rc file figure out the rest.        mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");        mkdir("/dev/pts", 0755);        mkdir("/dev/socket", 0755);        mount("devpts", "/dev/pts", "devpts", 0, NULL);        #define MAKE_STR(x) __STRING(x)        mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));        // Don't expose the raw commandline to unprivileged processes.        chmod("/proc/cmdline", 0440);        gid_t groups[] = { AID_READPROC };        setgroups(arraysize(groups), groups);        mount("sysfs", "/sys", "sysfs", 0, NULL);        mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL);        mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11));        if constexpr (WORLD_WRITABLE_KMSG) {          mknod("/dev/kmsg_debug", S_IFCHR | 0622, makedev(1, 11));        }        mknod("/dev/random", S_IFCHR | 0666, makedev(1, 8));        mknod("/dev/urandom", S_IFCHR | 0666, makedev(1, 9));        // Now that tmpfs is mounted on /dev and we have /dev/kmsg, we can actually        // talk to the outside world...        InitKernelLogging(argv);        LOG(INFO) << "init first stage started!";        if (!DoFirstStageMount()) {            LOG(ERROR) << "Failed to mount required partitions early ...";            panic();        }        SetInitAvbVersionInRecovery();        // Set up SELinux, loading the SELinux policy.        selinux_initialize(true);        // We're in the kernel domain, so re-exec init to transition to the init domain now        //init_task 在执行 rest_init 函数时，会执行 kernel_thread 创建 init 内核线程。它的 PID 为 1，用来完成内核空间初始化。//在内核空间完成初始化后，会调用 exceve 执行 init 可执行程序 (/sbin/init)。之后，init 内核线程变成了一个普通的进程，运行在用户空间中。//    init 内核线程没有地址空间，且它的 task_struct 对象中的 mm 为 NULL。因此，执行 exceve 会使这个 mm 指向一个 mm_struct，而不会影响到 init_task 进程的地址空间。也正因为此，init 在转变为进程后，其 PID 没变，仍为 1。创建完 init 内核线程后，init_task 进程演变为 idle 进程（PID 仍为 0）。之后，init 进程再根据再启动其它系统进程。        // that the SELinux policy has been loaded.        if (selinux_android_restorecon("/init", 0) == -1) {            PLOG(ERROR) << "restorecon failed";            security_failure();        }        setenv("INIT_SECOND_STAGE", "true", 1);        static constexpr uint32_t kNanosecondsPerMillisecond = 1e6;        uint64_t start_ms = start_time.time_since_epoch().count() / kNanosecondsPerMillisecond;        setenv("INIT_STARTED_AT", std::to_string(start_ms).c_str(), 1);        char* path = argv[0];        char* args[] = { path, nullptr };        execv(path, args);        // execv() only returns if an error happened, in which case we        // panic and never fall through this conditional.        PLOG(ERROR) << "execv(\"" << path << "\") failed";        security_failure();    }    // At this point we're in the second stage of init.    InitKernelLogging(argv);    LOG(INFO) << "init second stage started!";    // Set up a session keyring that all processes will have access to. It    // will hold things like FBE encryption keys. No process should override    // its session keyring.    keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1);    // Indicate that booting is in progress to background fw loaders, etc.    close(open("/dev/.booting", O_WRONLY | O_CREAT | O_CLOEXEC, 0000));    property_init();    // If arguments are passed both on the command line and in DT,    // properties set in DT always have priority over the command-line ones.    process_kernel_dt();    process_kernel_cmdline();    // Propagate the kernel variables to internal variables    // used by init as well as the current required properties.    export_kernel_boot_props();    // Make the time that init started available for bootstat to log.    property_set("ro.boottime.init", getenv("INIT_STARTED_AT"));    property_set("ro.boottime.init.selinux", getenv("INIT_SELINUX_TOOK"));    // Set libavb version for Framework-only OTA match in Treble build.    const char* avb_version = getenv("INIT_AVB_VERSION");    if (avb_version) property_set("ro.boot.avb_version", avb_version);    // Clean up our environment.    unsetenv("INIT_SECOND_STAGE");    unsetenv("INIT_STARTED_AT");    unsetenv("INIT_SELINUX_TOOK");    unsetenv("INIT_AVB_VERSION");    // Now set up SELinux for second stage.    selinux_initialize(false);    selinux_restore_context();    epoll_fd = epoll_create1(EPOLL_CLOEXEC);    if (epoll_fd == -1) {        PLOG(ERROR) << "epoll_create1 failed";        exit(1);    }    //初始化信号处理， 对exit的进程进行资源释放    signal_handler_init();    //加载default.prop 配置和USB配置    property_load_boot_defaults();    export_oem_lock_status();    start_property_service();    set_usb_controller();    const BuiltinFunctionMap function_map;    Action::set_function_map(&function_map);    //开始解析init.rc文件    ActionManager& am = ActionManager::GetInstance();    ServiceManager& sm = ServiceManager::GetInstance();    Parser& parser = Parser::GetInstance();    parser.AddSectionParser("service", std::make_unique<ServiceParser>(&sm));    parser.AddSectionParser("on", std::make_unique<ActionParser>(&am));    parser.AddSectionParser("import", std::make_unique<ImportParser>(&parser));    std::string bootscript = GetProperty("ro.boot.init_rc", "");    if (bootscript.empty()) {        parser.ParseConfig("/init.rc");        parser.set_is_system_etc_init_loaded(                parser.ParseConfig("/system/etc/init"));        parser.set_is_vendor_etc_init_loaded(                parser.ParseConfig("/vendor/etc/init"));        parser.set_is_odm_etc_init_loaded(parser.ParseConfig("/odm/etc/init"));    } else {        parser.ParseConfig(bootscript);        parser.set_is_system_etc_init_loaded(true);        parser.set_is_vendor_etc_init_loaded(true);        parser.set_is_odm_etc_init_loaded(true);    }    // Turning this on and letting the INFO logging be discarded adds 0.2s to    // Nexus 9 boot time, so it's disabled by default.    if (false) DumpState();    am.QueueEventTrigger("early-init");    // Queue an action that waits for coldboot done so we know ueventd has set up all of /dev...    am.QueueBuiltinAction(wait_for_coldboot_done_action, "wait_for_coldboot_done");    // ... so that we can start queuing up actions that require stuff from /dev.    am.QueueBuiltinAction(mix_hwrng_into_linux_rng_action, "mix_hwrng_into_linux_rng");    am.QueueBuiltinAction(set_mmap_rnd_bits_action, "set_mmap_rnd_bits");    am.QueueBuiltinAction(set_kptr_restrict_action, "set_kptr_restrict");    am.QueueBuiltinAction(keychord_init_action, "keychord_init");    am.QueueBuiltinAction(console_init_action, "console_init");    // Trigger all the boot actions to get us started.    am.QueueEventTrigger("init");    // Repeat mix_hwrng_into_linux_rng in case /dev/hw_random or /dev/random    // wasn't ready immediately after wait_for_coldboot_done    am.QueueBuiltinAction(mix_hwrng_into_linux_rng_action, "mix_hwrng_into_linux_rng");    // Don't mount filesystems or start core system services in charger mode.    std::string bootmode = GetProperty("ro.bootmode", "");    if (bootmode == "charger") {        am.QueueEventTrigger("charger");    } else {        am.QueueEventTrigger("late-init");    }    // Run all property triggers based on current state of the properties.    am.QueueBuiltinAction(queue_property_triggers_action, "queue_property_triggers");    while (true) {        // By default, sleep until something happens.        int epoll_timeout_ms = -1;        if (!(waiting_for_prop || sm.IsWaitingForExec())) {            am.ExecuteOneCommand();        }        if (!(waiting_for_prop || sm.IsWaitingForExec())) {            if (!shutting_down) restart_processes();            // If there's a process that needs restarting, wake up in time for that.            if (process_needs_restart_at != 0) {                epoll_timeout_ms = (process_needs_restart_at - time(nullptr)) * 1000;                if (epoll_timeout_ms < 0) epoll_timeout_ms = 0;            }            // If there's more work to do, wake up again immediately.            if (am.HasMoreCommands()) epoll_timeout_ms = 0;        }        epoll_event ev;        int nr = TEMP_FAILURE_RETRY(epoll_wait(epoll_fd, &ev, 1, epoll_timeout_ms));        if (nr == -1) {            PLOG(ERROR) << "epoll_wait failed";        } else if (nr == 1) {            ((void (*)()) ev.data.ptr)();        }    }    return 0;}