From nobody Sat Oct 08 23:07:57 2022 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MlLSG2pChz4fHLk; Sat, 8 Oct 2022 23:07:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MlLSG2GJ2z3Wt6; Sat, 8 Oct 2022 23:07:58 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1665270478; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cGUMgOivexctYwkDK5hZ56BQQ0muuIBHnzXhLIMFIj8=; b=imJSmdDr5X58vo/yJBU5TY2fCH9xqbkEDCwWG0NvC+KNhTIM1ngmhozx3M+6aAzpBrILQs Ri5qn/BhccP2prWW5xZJLxean6A2UHwfq9Ft1pLqEicmOpf/u/cJ9HW7JKb7VK/xNcWItH QiaBsrGfOn3I05ojpYqRgAfg91j1UI04sq+um+77RApXcP1u1TlbhiswSIGgotKjU7x0Ax syqaW5LSyz/6OsV+3fJ54CjR3Q8CJzmfwl5XDJ+15Gdu1x4yR9V4reyLF0WeZdzC5rnjhy EqaETPiK0BdXrCjTFPR/vgb64oK+QOReS66UvXZgh5eSzDqKPc/Be1myZJ5MQQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4MlLSG13JRz15RF; Sat, 8 Oct 2022 23:07:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 298N7vQc010130; Sat, 8 Oct 2022 23:07:57 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 298N7vsw010129; Sat, 8 Oct 2022 23:07:57 GMT (envelope-from git) Date: Sat, 8 Oct 2022 23:07:57 GMT Message-Id: <202210082307.298N7vsw010129@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Rick Macklem Subject: git: 1e588a9ceb36 - main - rpc.tlsservd: Add an option to run multiple daemons List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: rmacklem X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 1e588a9ceb366a49f58ad708c5a097ef8fa98c88 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1665270478; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cGUMgOivexctYwkDK5hZ56BQQ0muuIBHnzXhLIMFIj8=; b=PCrSJ12ZUvlM99NS+hxwE0TLShG14+khn0OPVG72dWhhsUmpx2BRtpVjXWN2w4w0eo58Po 6uMcsfhdNxxTH1VesofvP55q2/1uyi9uIOEji/YaadqgbcV0rGVrxATDmsWauuByHsuBue iF6KaREc3ZnD9QiTWhH39i2/ICDCZMYUdcPHN5g/BcfpJC+xMpi9Ht4ZIBVsfD/lpxoM5W sTKtiDgqR/LtDKO0dpGO7bfAfI2fdeCDiwxuXqLWveokFTcfr8ebv4AkCifzP/haZb6Zrj FNEjkeamrJh3rE8yZuo4BTTtB+S3FkJOswm2C6o58EUR4GrPUJiqWdbZq8AiDw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1665270478; a=rsa-sha256; cv=none; b=IRjs+4xf1kEuSLlk3pO/lFGokx6h4CHmadvLdZeeI5TJG1pT1+nDgrGxu+dDspI8fHx4jQ QbYWYxMwIPDNM1tadPOQW6s2UeFlgnaJxIcn0rO3npq3OZ+1WBmVRc6+oEUNLkAaxSN5rt 09Z9aJ4/SgkJakanwjfEb4a0PHahoJjwx1KORnzhZxSzLXZ5vYbsVLYfg2coq9wqdATRgL kxZqgBkclaHxKAvvEd9pC3EJUd4i1bUWWNPsDbgwFarwnnOycj6EJQhvJYkRRZipAMGPbm RT7ou/DT1PtuxdeSp0qIZRznTWCzjlKLjAEDimCndZju/C6JsM2iwnHUT6fImQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=1e588a9ceb366a49f58ad708c5a097ef8fa98c88 commit 1e588a9ceb366a49f58ad708c5a097ef8fa98c88 Author: Rick Macklem AuthorDate: 2022-10-08 23:06:16 +0000 Commit: Rick Macklem CommitDate: 2022-10-08 23:06:16 +0000 rpc.tlsservd: Add an option to run multiple daemons During discussions with someone that was doing NFS-over-TLS development for Solaris, we had a concern that the server might become overloaded after rebooting, due to a large number of TLS handshake requests from clients. To alleviate this potential problem, this patch modifies rpc.tlsservd so that it supports the "-N/--numdaemons" command line option, which specifies that up to RPCTLS_SRV_MAXNPROCS (currently defined as 16 in the patch) may be started. When there are multiple daemons, one is selected by the patched kernel in a round-robin fashion, to serve a TLS handshake request. The man page update will be done in a future commit. Reviewed by: emaste, karels Differential Revision: https://reviews.freebsd.org/D35886 --- usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 110 ++++++++++++++++++++++++++++++----- 1 file changed, 97 insertions(+), 13 deletions(-) diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c index 8c364584a76c..2d520ac8e3d1 100644 --- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c +++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c @@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -106,8 +107,12 @@ static char *rpctls_dnsname; static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1"; static const char *rpctls_ciphers = NULL; static int rpctls_mintls = TLS1_3_VERSION; +static int rpctls_procs = 1; +static char *rpctls_sockname[RPCTLS_SRV_MAXNPROCS]; +static pid_t rpctls_workers[RPCTLS_SRV_MAXNPROCS - 1]; +static bool rpctls_im_a_worker = false; -static void rpctlssd_terminate(int); +static void rpctls_cleanup_term(int sig); static SSL_CTX *rpctls_setup_ssl(const char *certdir); static SSL *rpctls_server(SSL_CTX *ctx, int s, uint32_t *flags, uint32_t *uidp, @@ -127,6 +132,7 @@ static struct option longopts[] = { { "checkhost", no_argument, NULL, 'h' }, { "verifylocs", required_argument, NULL, 'l' }, { "mutualverf", no_argument, NULL, 'm' }, + { "numdaemons", required_argument, NULL, 'N' }, { "domain", required_argument, NULL, 'n' }, { "verifydir", required_argument, NULL, 'p' }, { "crl", required_argument, NULL, 'r' }, @@ -146,7 +152,7 @@ main(int argc, char **argv) * TLS handshake. */ struct sockaddr_un sun; - int ch, fd, oldmask; + int ch, fd, i, mypos, oldmask; SVCXPRT *xprt; struct timeval tm; struct timezone tz; @@ -154,6 +160,7 @@ main(int argc, char **argv) pid_t otherpid; bool tls_enable; size_t tls_enable_len; + sigset_t signew; /* Check that another rpctlssd isn't already running. */ rpctls_pfh = pidfile_open(_PATH_RPCTLSSDPID, 0600, &otherpid); @@ -181,8 +188,15 @@ main(int argc, char **argv) rpctls_dnsname = hostname; } + /* Initialize socket names. */ + for (i = 0; i < RPCTLS_SRV_MAXNPROCS; i++) { + asprintf(&rpctls_sockname[i], "%s.%d", _PATH_RPCTLSSDSOCK, i); + if (rpctls_sockname[i] == NULL) + errx(1, "Cannot malloc socknames"); + } + rpctls_verbose = false; - while ((ch = getopt_long(argc, argv, "2C:D:dhl:n:mp:r:uvWw", longopts, + while ((ch = getopt_long(argc, argv, "2C:D:dhl:N:n:mp:r:uvWw", longopts, NULL)) != -1) { switch (ch) { case '2': @@ -206,6 +220,13 @@ main(int argc, char **argv) case 'm': rpctls_do_mutual = true; break; + case 'N': + rpctls_procs = atoi(optarg); + if (rpctls_procs < 1 || + rpctls_procs > RPCTLS_SRV_MAXNPROCS) + errx(1, "numdaemons/-N must be between 1 and " + "%d", RPCTLS_SRV_MAXNPROCS); + break; case 'n': hostname[0] = '@'; strlcpy(&hostname[1], optarg, MAXHOSTNAMELEN + 1); @@ -242,6 +263,7 @@ main(int argc, char **argv) "[-D/--certdir certdir] [-d/--debuglevel] " "[-h/--checkhost] " "[-l/--verifylocs CAfile] [-m/--mutualverf] " + "[-N/--numdaemons num] " "[-n/--domain domain_name] " "[-p/--verifydir CApath] [-r/--crl CRLfile] " "[-u/--certuser] [-v/--verbose] [-W/--multiwild] " @@ -271,23 +293,60 @@ main(int argc, char **argv) errx(1, "Kernel RPC is not available"); } + for (i = 0; i < rpctls_procs - 1; i++) + rpctls_workers[i] = -1; + mypos = 0; + if (rpctls_debug_level == 0) { + /* + * Temporarily block SIGTERM and SIGCHLD, so workers[] can't + * end up bogus. + */ + sigemptyset(&signew); + sigaddset(&signew, SIGTERM); + sigaddset(&signew, SIGCHLD); + sigprocmask(SIG_BLOCK, &signew, NULL); + if (daemon(0, 0) != 0) err(1, "Can't daemonize"); signal(SIGINT, SIG_IGN); signal(SIGQUIT, SIG_IGN); - signal(SIGHUP, SIG_IGN); } - signal(SIGTERM, rpctlssd_terminate); signal(SIGPIPE, SIG_IGN); signal(SIGHUP, rpctls_huphandler); + signal(SIGTERM, rpctls_cleanup_term); + signal(SIGCHLD, rpctls_cleanup_term); pidfile_write(rpctls_pfh); + rpctls_syscall(RPCTLS_SYSC_SRVSTARTUP, ""); + + if (rpctls_debug_level == 0) { + /* Fork off the worker daemons. */ + for (i = 0; i < rpctls_procs - 1; i++) { + rpctls_workers[i] = fork(); + if (rpctls_workers[i] == 0) { + rpctls_im_a_worker = true; + mypos = i + 1; + setproctitle("server"); + break; + } else if (rpctls_workers[i] < 0) { + syslog(LOG_ERR, "fork: %m"); + } + } + + if (!rpctls_im_a_worker && rpctls_procs > 1) + setproctitle("master"); + } + sigemptyset(&signew); + sigaddset(&signew, SIGTERM); + sigaddset(&signew, SIGCHLD); + sigprocmask(SIG_UNBLOCK, &signew, NULL); + memset(&sun, 0, sizeof sun); sun.sun_family = AF_LOCAL; - unlink(_PATH_RPCTLSSDSOCK); - strcpy(sun.sun_path, _PATH_RPCTLSSDSOCK); + unlink(rpctls_sockname[mypos]); + strcpy(sun.sun_path, rpctls_sockname[mypos]); sun.sun_len = SUN_LEN(&sun); fd = socket(AF_LOCAL, SOCK_STREAM, 0); if (fd < 0) { @@ -343,12 +402,10 @@ main(int argc, char **argv) rpctls_gothup = false; LIST_INIT(&rpctls_ssllist); - rpctls_syscall(RPCTLS_SYSC_SRVSETPATH, _PATH_RPCTLSSDSOCK); + rpctls_syscall(RPCTLS_SYSC_SRVSETPATH, rpctls_sockname[mypos]); rpctls_svc_run(); - rpctls_syscall(RPCTLS_SYSC_SRVSHUTDOWN, ""); - SSL_CTX_free(rpctls_ctx); EVP_cleanup(); return (0); @@ -529,16 +586,43 @@ rpctlssd_1_freeresult(__unused SVCXPRT *transp, xdrproc_t xdr_result, return (TRUE); } +/* + * cleanup_term() called via SIGTERM (or SIGCHLD if a child dies). + */ static void -rpctlssd_terminate(int sig __unused) +rpctls_cleanup_term(int sig) { struct ssl_entry *slp; + int i, cnt; + + if (rpctls_im_a_worker && sig == SIGCHLD) + return; + LIST_FOREACH(slp, &rpctls_ssllist, next) + shutdown(slp->s, SHUT_RD); + SSL_CTX_free(rpctls_ctx); + EVP_cleanup(); + + if (rpctls_im_a_worker) + exit(0); + + /* I'm the server, so terminate the workers. */ + cnt = 0; + for (i = 0; i < rpctls_procs - 1; i++) { + if (rpctls_workers[i] != -1) { + cnt++; + kill(rpctls_workers[i], SIGTERM); + } + } + + /* + * Wait for them to die. + */ + for (i = 0; i < cnt; i++) + wait3(NULL, 0, NULL); rpctls_syscall(RPCTLS_SYSC_SRVSHUTDOWN, ""); pidfile_remove(rpctls_pfh); - LIST_FOREACH(slp, &rpctls_ssllist, next) - shutdown(slp->s, SHUT_RD); exit(0); }