From: Emeric Brun
Date: Wed, 6 Dec 2017 12:51:49 +0000 (+0100)
Subject: BUG/MEDIUM: ssl engines: Fix async engines fds were not considered to fix fd limit...
X-Git-Tag: v1.9-dev1~606
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ece0c334bd16da66d56bece297b4495124a9d7c8;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl engines: Fix async engines fds were not considered to fix fd limit automatically.

The number of async fd is computed considering the maxconn, the number of sides using ssl and the number of engines using async mode. This patch should be backported on haproxy 1.8
---
diff --git a/include/types/global.h b/include/types/global.h
index a3d1e96202..1f332074bd 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -97,6 +97,7 @@ struct global {
 int ssl_handshake_max_cost; /* how many bytes an SSL handshake may use */
 int ssl_used_frontend; /* non-zero if SSL is used in a frontend */
 int ssl_used_backend; /* non-zero if SSL is used in a backend */
+ int ssl_used_async_engines; /* number of used async engines */
 unsigned int ssl_server_verify; /* default verify mode on servers side */
 struct freq_ctr conn_per_sec;
 struct freq_ctr sess_per_sec;
diff --git a/src/haproxy.c b/src/haproxy.c
index bd8608f74a..eb5e65b40e 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -1780,6 +1780,11 @@ static void init(int argc, char **argv)
 global.hardmaxconn = global.maxconn; /* keep this max value */
 global.maxsock += global.maxconn * 2; /* each connection needs two sockets */
 global.maxsock += global.maxpipes * 2; /* each pipe needs two FDs */
+ /* compute fd used by async engines */
+ if (global.ssl_used_async_engines) {
+ int sides = !!global.ssl_used_frontend + !!global.ssl_used_backend;
+ global.maxsock += global.maxconn * sides * global.ssl_used_async_engines;
+ }
 if (global.stats_fe)
 global.maxsock += global.stats_fe->maxconn;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 4741be11c5..f9d5f25675 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
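Review bot: In include/types/global.h the comment on the new `ssl_used_async_engines` field says "number of used async engines", but the src/ssl_sock.c hunks store `nb_engines` in it, which is incremented for every engine that initialises and is copied only when async mode is enabled. A more precise comment would help anyone sizing fd limits from this field, for example `/* engines counted for async fd sizing: all initialised engines when async mode is on, else 0 */`. struct global starts and ends outside the hunk.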
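Review bot: In src/haproxy.c the added product `global.maxconn * sides * global.ssl_used_async_engines` is evaluated in `int`, so a very large configured maxconn combined with several engines can overflow (undefined behaviour for signed int) before it is added to `global.maxsock`. Going by the commit message, maxsock is what the fd limit is derived from, so a wrapped value would leave the process short of descriptors under TLS load instead of failing at start-up. Consider computing it in a wider type, `long long async_fds = (long long)global.maxconn * sides * global.ssl_used_async_engines;`, and reporting a configuration error when `global.maxsock + async_fds` does not fit in an int. The neighbouring `* 2` context lines share the pattern, and init() continues outside the hunk.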
@@ -161,6 +161,7 @@ enum {
 int sslconns = 0;
 int totalsslconns = 0;
 static struct xprt_ops ssl_sock;
+int nb_engines = 0;
 static struct {
 char *crt_base; /* base directory path for certificates */
@@ -411,6 +412,9 @@ static int ssl_init_single_engine(const char *engine_id, const char *def_algorit
 el = calloc(1, sizeof(*el));
 el->e = engine;
 LIST_ADD(&openssl_engines, &el->list);
+ nb_engines++;
+ if (global_ssl.async)
+ global.ssl_used_async_engines = nb_engines;
 return 0;
 fail_set_method:
@@ -7978,6 +7982,7 @@ static int ssl_parse_global_ssl_async(char **args, int section_type, struct prox
 {
 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
 global_ssl.async = 1;
+ global.ssl_used_async_engines = nb_engines;
 return 0;
 #else
 memprintf(err, "'%s': openssl library does not support async mode", args[0]);
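Review bot: `int nb_engines = 0;` in the @@ -161 hunk of src/ssl_sock.c has external linkage and a generic name, while every use visible in this patch is inside ssl_sock.c. Unless another file reads it, `static int nb_engines;` would keep it out of the global namespace, matching the `static struct xprt_ops ssl_sock;` line just above. A short comment such as `/* number of successfully initialised engines */` would also document what the counter tracks.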
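Review bot: `global.ssl_used_async_engines` is now assigned in two places, in ssl_init_single_engine() (the @@ -411 hunk) and in ssl_parse_global_ssl_async() (the @@ -7978 hunk), presumably so the count is right whichever of the engine and async directives is parsed first, but neither site says so. A comment at both, such as `/* keep in sync: engines may be loaded before or after async mode is enabled */`, would stop a later cleanup from dropping one of them. The value counts every initialised engine, not only those that implement async, so the fd reservation is an upper bound and that is worth stating too. Separately, the context line `el = calloc(1, sizeof(*el));` is dereferenced unchecked on the next line; that predates this commit. Both functions extend outside their hunks.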