git.ipfire.org Git - thirdparty/haproxy.git/commit

author	William Lallemand <wlallemand@haproxy.com>
	Thu, 13 Nov 2025 13:50:25 +0000 (14:50 +0100)
committer	William Lallemand <wlallemand@haproxy.com>
	Thu, 13 Nov 2025 14:18:12 +0000 (15:18 +0100)
commit	2bdf5a7937ea76761cfe8c896951428d00e6b757
tree	340389f31d4ff0d04a371ab0aaa25d707655ee2c	tree \| snapshot
parent	c76e072e437e745092aae696933ff7bc3ccb4d52	commit \| diff

BUG/MEDIUM: acme: move from mt_list to a rwlock + ebmbtree

The current ACME scheduler suffers from problems due to the way the
tasks are stored:

- MT_LIST are not scalables when having a lot of ACME tasks and having
  to look for a specific one.
- the acme_task pointer was stored in the ckch_store in order to not
  passing through the whole list. But a ckch_store can be updated and
  the pointer lost in the previous one.
- when a task fails, the ptr in the ckch_store was not removed because
  we only work with a copy of the original ckch_store, it would need to
  lock the ckchs_tree and remove this pointer.

This patch fixes the issues by removing the MT_LIST-based architecture,
and replacing it by a simple ebmbtree + rwlock design.

The pointer to the task is not stored anymore in the ckch_store, but
instead it is stored in the acme_tasks tree. Finding a task is done by
doing a lookup on this tree with a RDLOCK.
Instead of checking if store->acme_task is not NULL, a lookup is also
done.

This allow to remove the stuck "acme_task" pointer in the store, which
was preventing to restart an acme task when the previous failed for this
specific certificate.

Must be backported in 3.2.

include/haproxy/acme-t.h		diff \| blob \| blame \| history
include/haproxy/ssl_ckch-t.h		diff \| blob \| blame \| history
src/acme.c		diff \| blob \| blame \| history