[Bug 256148] [patch] rc.subr handling of ${name}_oomprotect for services with multiple processes

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 25 May 2021 13:59:35 UTC

            Bug ID: 256148
           Summary: [patch] rc.subr handling of ${name}_oomprotect for
                    services with multiple processes
           Product: Base System
           Version: 12.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: conf
          Assignee: bugs@FreeBSD.org
          Reporter: mwalker@carbonhouse.com

Created attachment 225247
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=225247&action=edit
rc.subr support for services with multiple processes

For ports which install services managed by the rc subsystem, such as haproxy
and nginx, which result in multiple processes being started, attempting to set
e.g. either "haproxy_oomprotect=yes" or "haproxy_oomprotect=all" results in the
following error:

root@hostname:~# service haproxy start
Starting haproxy.
usage: protect [-i] command
       protect [-cdi] -g pgrp | -p pid

As well as none of the haproxy processes obtaining protection:

root@hostname:~# ps -ax -o flags,flags2,pid,command | grep haproxy
10000180 00000000 26037 /usr/local/sbin/haproxy -q -f
/usr/local/etc/haproxy.conf -p /var/run/haproxy.pid
10000000 00000000 41907 /usr/local/sbin/haproxy -q -f
/usr/local/etc/haproxy.conf -p /var/run/haproxy.pid

Due to the fact that /etc/rc.subr passes the output of "check_process $command"
( a list of one or more space-separated PIDs) straight to "protect", e.g.
"protect -i -p 123 456", whereas protect's "-p" argument can only handle one

The attached patch instead uses the result of "check_process $command" in a for
loop to iterate through potentially multiple PIDs that are passed to "protect".

Example correct output using attached patch:

root@hostname:~# ps -ax -o flags,flags2,pid,command | grep haproxy
10100180 00000001 75344 /usr/local/sbin/haproxy -q -f
/usr/local/etc/haproxy.conf -p /var/run/haproxy.pid
10100000 00000001 87137 /usr/local/sbin/haproxy -q -f
/usr/local/etc/haproxy.conf -p /var/run/haproxy.pid

"OOM Protect" status accurately reflected in third digit of first column
(flags) as well as "inherit OOM Protect" status reflected in final digit of
second column (flags2)

I've also tested this patch against services which only return one PID from
"check_process $command" and it works as expected.

You are receiving this mail because:
You are the assignee for the bug.