From d3497f6bd1939f187f083a385aaa80477905e099 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Wed, 24 Feb 2021 14:14:33 +0100
Subject: [PATCH] - On startup of unbound it checks if rlimits on memory size look sufficient for the configured cache size, and logs warning if not.
---
 daemon/unbound.c | 27 +++++++++++++++++++++++++++
 doc/Changelog | 4 ++++
 services/listen_dnsport.c | 13 +++++++++++++
 services/listen_dnsport.h | 6 ++++++
 4 files changed, 50 insertions(+)
diff --git a/daemon/unbound.c b/daemon/unbound.c
index bc6d2bc9e..b2bb526c0 100644
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@@ -197,6 +197,33 @@ checkrlimits(struct config_file* cfg)
 size_t total = numthread * perthread + misc;
 size_t avail;
 struct rlimit rlim;
+ size_t memsize_expect = cfg->msg_cache_size + cfg->rrset_cache_size
+ + (cfg->do_tcp?cfg->stream_wait_size:0)
+ + (cfg->ip_ratelimit?cfg->ip_ratelimit_size:0)
+ + (cfg->ratelimit?cfg->ratelimit_size:0)
+ + (cfg->dnscrypt?cfg->dnscrypt_shared_secret_cache_size + cfg->dnscrypt_nonce_cache_size:0)
+ + cfg->infra_cache_numhosts * (sizeof(struct infra_key)+sizeof(struct infra_data));
+ if(strstr(cfg->module_conf, "validator") && (cfg->trust_anchor_file_list || cfg->trust_anchor_list || cfg->auto_trust_anchor_file_list || cfg->trusted_keys_file_list)) {
+ memsize_expect += cfg->key_cache_size + cfg->neg_cache_size;
+ }
+#ifdef HAVE_NGHTTP2_NGHTTP2_H
+ if(cfg_has_https(cfg)) {
+ memsize_expect += cfg->http_query_buffer_size + cfg->http_response_buffer_size;
+ }
+#endif
+
+ if(getrlimit(RLIMIT_AS, &rlim) == 0) {
+ if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY &&
+ rlim.rlim_cur < (rlim_t)memsize_expect) {
+ log_warn("the ulimit(max memory size) is smaller than the expected memory usage (added size of caches). %u < %u bytes", (unsigned)rlim.rlim_cur, (unsigned)memsize_expect);
+ }
+ }
+ if(getrlimit(RLIMIT_DATA, &rlim) == 0) {
+ if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY &&
+ rlim.rlim_cur < memsize_expect) {
+ log_warn("the ulimit(data seg size) is smaller than the expected memory usage (added size of caches). %u < %u bytes", (unsigned)rlim.rlim_cur, (unsigned)memsize_expect);
+ }
+ }
 if(total > 1024 && strncmp(ub_event_get_version(), "mini-event", 10) == 0) {
diff --git a/doc/Changelog b/doc/Changelog
index f8b0c9b0f..52205b593 100644
--- a/doc/Changelog
+++ b/doc/Changelog
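Review bot: Both log_warn calls narrow rlim.rlim_cur and memsize_expect to `(unsigned)` for `%u`, so on 64-bit builds a limit or configured cache total above 4 GiB is printed modulo 2^32 and the warning shows misleading numbers for exactly the large-cache deployments it is meant to catch; widening the cast fixes it, e.g. `"... %llu < %llu bytes", (unsigned long long)rlim.rlim_cur, (unsigned long long)memsize_expect`. The RLIMIT_AS branch compares against `(rlim_t)memsize_expect` while the RLIMIT_DATA branch compares the bare size_t; applying the cast in both keeps the two checks identical. memsize_expect only adds the configured cache and buffer sizes, so a comment such as `/* lower bound: per-thread buffers, sockets and allocator overhead are not counted, hence warn only */` would explain why a shortfall is logged rather than refused. checkrlimits starts before this hunk and continues after it.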
@@ -4,6 +4,10 @@
 - ipsecmod: Better logging for detecting a cycle when attaching the A/AAAA subquery.
+24 February 2021: Wouter
+ - On startup of unbound it checks if rlimits on memory size look
+ sufficient for the configured cache size, and logs warning if not.
+
 23 February 2021: Wouter
 - Fix for zonemd, that domain-insecure zones work without dnssec.
 - Fix for zonemd, do not reject insecure result from trust anchor
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index b790660f2..7a90677a4 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -1105,6 +1105,19 @@ if_is_https(const char* ifname, const char* port, int https_port)
 return 0;
 }
+/** see if config contains https turned on */
+int cfg_has_https(struct config_file* cfg)
+{
+ int i;
+ char portbuf[32];
+ snprintf(portbuf, sizeof(portbuf), "%d", cfg->port);
+ for(i = 0; inum_ifs; i++) {
+ if(if_is_https(cfg->ifs[i], portbuf, cfg->https_port))
+ return 1;
+ }
+ return 0;
+}
+
 /**
 * Helper for ports_open. Creates one interface (or NULL for default).
 * @param ifname: The interface ip address.
diff --git a/services/listen_dnsport.h b/services/listen_dnsport.h
index f438ff458..215242b30 100644
--- a/services/listen_dnsport.h
+++ b/services/listen_dnsport.h
@@ -147,6 +147,12 @@ void listening_ports_free(struct listen_port* list);
 int resolve_interface_names(struct config_file* cfg, char*** resif, int* num_resif);
+/**
+ * Return true if the config contains settinsg that enable https.
+ * @return true if https ports are used for server.
+ */
+int cfg_has_https(struct config_file* cfg);
+
 /**
 * Create commpoints with for this thread for the shared ports.
 * @param base: the comm_base that provides event functionality.
-- 
2.47.2
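Review bot: The one-line comment on the new cfg_has_https does not follow the Doxygen form its neighbour in this file uses (the block right after it documents `@param ifname:`), so the contract of a function that is now exported through the header is undocumented at its definition. A block in the file's style would read `/** Check whether any configured interface listens for https. */`, followed by ` * @param cfg: config with ifs, port and https_port filled in.` and ` * @return 1 if some interface is an https port, 0 otherwise.`. The loop passes cfg->ifs[i] and the formatted cfg->port straight to if_is_https, which is consistent with how that helper is used elsewhere in this file; the 32-byte portbuf is ample for an int. The `inum_ifs` in the loop header appears to be an extraction artifact of the loop bound rather than what was committed.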
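Review bot: The new prototype's comment has a typo, `settinsg` should be `settings`, and it lacks the `@param` line that the other documented prototypes in this header carry (the `Create commpoints` block below documents `@param base:`). Add ` * @param cfg: the config file with interfaces and ports.` before the `@return` line so the header documents the full contract of the exported function.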