From patchwork Sun Mar 7 05:15:47 2021
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 1608
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 7 Mar 2021 17:15:47 +0100
Message-Id: <20210307161547.25130-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.26.2
Subject: [Openvpn-devel] [PATCH] Require at least 20MB of mlock()-able memory if --mlock is used.

If --mlock is used, the amount of memory OpenVPN can use is guarded by the
RLIMIT_MEMLOCK value (see mlockall(2)). The OS default for this is usually
64 Kbyte, which is enough for OpenVPN to initialize, but as soon as the first
TLS handshake comes in, OpenVPN will crash due to "out of memory", and might
even end up in a crash loop.

Steady-state OpenVPN requires between 8 MB and 30-50 MB (servers with many
concurrent clients) of memory.

So: with this patch, we check if getrlimit() is available, and if yes, log
the amount of mlock'able memory. If the amount is below 20 MB, which is an
arbitrary value "large enough for most smaller deployments", we abort.

Trac: #1390

Signed-off-by: Gert Doering <gert@greenie.muc.de>
--- configure.ac | 2 +- doc/man-sections/generic-options.rst | 6 ++++++ src/openvpn/platform.c | 18 ++++++++++++++++++ src/openvpn/platform.h | 4 ++++ 4 files changed, 29 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 1ab8fe59..c65df3e2 100644 --- a/configure.ac +++ b/configure.ac @@ -645,7 +645,7 @@ AC_FUNC_FORK AC_CHECK_FUNCS([ \ daemon chroot getpwnam setuid nice system getpid dup dup2 \ - getpass syslog openlog mlockall getgrnam setgid \ + getpass syslog openlog mlockall getrlimit getgrnam setgid \ setgroups stat flock readv writev time gettimeofday \ ctime memset vsnprintf strdup \ setsid chdir putenv getpeername unlink \ diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index d5f08839..0a7d3caf 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -237,6 +237,12 @@ which mode OpenVPN is configured as. likely fail. The limit can be increased using ulimit or systemd directives depending on how OpenVPN is started. + If the platform has the getrlimit(2) system call, OpenVPN will check + for the amount of mlock-able memory before calling mlockall(2), and + abort if less than 20 Mb are available. 20 Mb is somewhat arbitrary - + it is enough for a moderately-sized OpenVPN deployment, but the memory + usage will go beyond that if the number of concurrent clients is high. + --nice n Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c index ef688c23..67a69748 100644 --- a/src/openvpn/platform.c +++ b/src/openvpn/platform.c 
@@ -193,6 +193,24 @@ void platform_mlockall(bool print_msg) { #ifdef HAVE_MLOCKALL + +#ifdef HAVE_GETRLIMIT + struct rlimit rl; + if (getrlimit(RLIMIT_MEMLOCK,&rl)<0) + { + msg(M_WARN | M_ERRNO, "WARNING: getrlimit(RLIMIT_MEMLOCK) failed"); + } + else + { + msg(M_INFO, "mlock: MEMLOCK limit: soft=%ldkb, hard=%dkb", + ((long int) rl.rlim_cur)/1024, ((long int) rl.rlim_max)/1024); + if (rl.rlim_cur < 20*1024*1024) + { + msg(M_FATAL, "mlock: RLIMIT_MEMLOCK < 20 MByte, increase limit"); + } + } +#endif + if (mlockall(MCL_CURRENT | MCL_FUTURE)) { msg(M_WARN | M_ERRNO, "WARNING: mlockall call failed"); diff --git a/src/openvpn/platform.h b/src/openvpn/platform.h index 01f3200c..02c23e38 100644 --- a/src/openvpn/platform.h +++ b/src/openvpn/platform.h @@ -48,6 +48,10 @@ #include #endif +#ifdef HAVE_GETRLIMIT +#include +#endif + #include "basic.h" #include "buffer.h"
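Review bot: in the generic-options.rst hunk, "20 Mb" reads as megabits; the code and commit message say MByte/MB, so "20 MB" would be consistent, and "mlock-able" differs from the "mlock()-able" spelling in the subject line. It would also help the reader to say that it is the soft limit that is compared, since that is what `ulimit -l` and the systemd directives mentioned just above adjust.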
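Review bot: in the platform.c hunk the log line `msg(M_INFO, "mlock: MEMLOCK limit: soft=%ldkb, hard=%dkb", ...)` casts both values to `long int` but formats the second with `%d`; it should be `%ld`, or both values cast to `unsigned long long` and printed with `%llu`. Related: `RLIM_INFINITY` is not handled in the log line, and on glibc (where `rlim_t` is `unsigned long` and `RLIM_INFINITY` has all bits set) the `(long int)` cast gives -1 and `-1/1024` is 0, so an unlimited soft limit is logged as `soft=0kb`; test for `RLIM_INFINITY` and print "unlimited" before dividing. The `rl.rlim_cur < 20*1024*1024` check itself is fine for `RLIM_INFINITY`. Also, `#ifdef HAVE_GETRLIMIT` only proves getrlimit() exists, not that `RLIMIT_MEMLOCK` is defined (it is not in POSIX), so `#if defined(HAVE_GETRLIMIT) && defined(RLIMIT_MEMLOCK)` would avoid a build break on such platforms. Style: `getrlimit(RLIMIT_MEMLOCK,&rl)<0` is missing the spaces after the comma and around `<` that the surrounding code uses.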
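The pre-flight check described in the commit message, written out as an added example (not code from the patch or from OpenVPN) with the two edge cases a reviewer would want covered: `RLIM_INFINITY` in the log line, and a soft limit below the threshold while the hard limit would still allow the process to raise it. Function names and the 20 MB constant name are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Threshold from the patch (20 MB), unsigned so it compares with rlim_t cleanly. */
#define MLOCK_MIN_BYTES (20UL * 1024 * 1024)
/* 1 if a MEMLOCK limit allows at least min_bytes; RLIM_INFINITY always does. */
int memlock_limit_ok(rlim_t limit, unsigned long min_bytes)
{
    return limit == RLIM_INFINITY || limit >= (rlim_t)min_bytes;
}

/* Render a limit for the log. RLIM_INFINITY is tested before dividing: on
 * glibc it is all bits set, so cast to long it is -1 and -1/1024 prints "0kb". */
static void format_limit(rlim_t v, char *buf, size_t n)
{
    if (v == RLIM_INFINITY)
        snprintf(buf, n, "unlimited");
    else
        snprintf(buf, n, "%llukb", (unsigned long long)(v / 1024));
}

/* Pre-flight for mlockall(): log both limits, and if only the soft limit is
 * too low, raise it to the hard limit (allowed without privilege). Returns 1
 * when mlockall() may proceed, 0 when only the admin can fix the limit, -1
 * when getrlimit()/setrlimit() fails. (Hypothetical helper, not OpenVPN's.) */
int memlock_preflight(unsigned long min_bytes)
{
    struct rlimit rl;
    char soft[32], hard[32];
    if (getrlimit(RLIMIT_MEMLOCK, &rl) < 0) {
        fprintf(stderr, "getrlimit(RLIMIT_MEMLOCK): %s\n", strerror(errno));
        return -1;
    }
    format_limit(rl.rlim_cur, soft, sizeof soft);
    format_limit(rl.rlim_max, hard, sizeof hard);
    printf("mlock: MEMLOCK limit: soft=%s, hard=%s\n", soft, hard);
    if (memlock_limit_ok(rl.rlim_cur, min_bytes))
        return 1;
    if (!memlock_limit_ok(rl.rlim_max, min_bytes))
        return 0;
    rl.rlim_cur = rl.rlim_max;
    if (setrlimit(RLIMIT_MEMLOCK, &rl) < 0) {
        fprintf(stderr, "setrlimit(RLIMIT_MEMLOCK): %s\n", strerror(errno));
        return -1;
    }
    return 1;
}
```

Call `memlock_preflight(MLOCK_MIN_BYTES)` before `mlockall(MCL_CURRENT | MCL_FUTURE)` and refuse to continue on 0 or -1; a 1 means the first TLS handshake will not run into the 64 KB default the commit message describes.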