On 5/7/19 1:24 PM, Marcin Deranek wrote:
> Hi Emeric,
>
> On 5/7/19 11:44 AM, Emeric Brun wrote:
>> Hi Marcin,>>>>>> As I use HAProxy 1.8 I had to adjust the patch (see
>> attachment for end result). Unfortunately after applying the patch there is
>> no change in behavior: we still leak /dev/usdm_drv descriptors and have
>> "stuck" HAProxy instances after reload..
>>>>> Regards,
>>>>
>>>>
>>
>> Could you perform a test recompiling the usdm_drv and the engine with this
>> patch, it applies on QAT 1.7 but I've no hardware to test this version here.
>>
>> It should fix the fd leak.
>
> It did fix fd leak:
>
> # ls -al /proc/2565/fd|fgrep dev
> lr-x------ 1 root root 64 May 7 13:15 0 -> /dev/null
> lrwx------ 1 root root 64 May 7 13:15 7 -> /dev/usdm_drv
>
> # systemctl reload haproxy.service
> # ls -al /proc/2565/fd|fgrep dev
> lr-x------ 1 root root 64 May 7 13:15 0 -> /dev/null
> lrwx------ 1 root root 64 May 7 13:15 8 -> /dev/usdm_drv
>
> # systemctl reload haproxy.service
> # ls -al /proc/2565/fd|fgrep dev
> lr-x------ 1 root root 64 May 7 13:15 0 -> /dev/null
> lrwx------ 1 root root 64 May 7 13:15 9 -> /dev/usdm_drv
>
> But there are still stuck processes :-( This is with both patches included:
> for QAT and HAProxy.
> Regards,
>
> Marcin Deranek
Thank you Marcin! Anyway it's was also a bug.
Could you process a 'show fds' command on a stucked process adding the patch in
attachement.
R,
Emeric
>From d0e095c2aa54f020de8fc50db867eff1ef73350e Mon Sep 17 00:00:00 2001
From: Emeric Brun <eb...@haproxy.com>
Date: Fri, 19 Apr 2019 17:15:28 +0200
Subject: [PATCH] MINOR: ssl/cli: async fd io-handlers printable on show fd
This patch exports the async fd iohandlers and make them printable
doing a 'show fd' on cli.
---
include/proto/ssl_sock.h | 4 ++++
src/cli.c | 9 +++++++++
src/ssl_sock.c | 4 ++--
3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index 62ebcb87..ce52fb74 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -85,6 +85,10 @@ SSL_CTX *ssl_sock_get_generated_cert(unsigned int key, struct bind_conf *bind_co
int ssl_sock_set_generated_cert(SSL_CTX *ctx, unsigned int key, struct bind_conf *bind_conf);
unsigned int ssl_sock_generated_cert_key(const void *data, size_t len);
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+void ssl_async_fd_handler(int fd);
+void ssl_async_fd_free(int fd);
+#endif
/* ssl shctx macro */
diff --git a/src/cli.c b/src/cli.c
index 568ceba2..843c3d04 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -69,6 +69,9 @@
#include <proto/stream_interface.h>
#include <proto/task.h>
#include <proto/proto_udp.h>
+#ifdef USE_OPENSSL
+#include <proto/ssl_sock.h>
+#endif
#define PAYLOAD_PATTERN "<<"
@@ -998,6 +1001,12 @@ static int cli_io_handler_show_fd(struct appctx *appctx)
(fdt.iocb == listener_accept) ? "listener_accept" :
(fdt.iocb == poller_pipe_io_handler) ? "poller_pipe_io_handler" :
(fdt.iocb == mworker_accept_wrapper) ? "mworker_accept_wrapper" :
+#ifdef USE_OPENSSL
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+ (fdt.iocb == ssl_async_fd_free) ? "ssl_async_fd_free" :
+ (fdt.iocb == ssl_async_fd_handler) ? "ssl_async_fd_handler" :
+#endif
+#endif
"unknown");
if (fdt.iocb == conn_fd_handler) {
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 112520c8..58ae8a26 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -573,7 +573,7 @@ fail_get:
/*
* openssl async fd handler
*/
-static void ssl_async_fd_handler(int fd)
+void ssl_async_fd_handler(int fd)
{
struct connection *conn = fdtab[fd].owner;
@@ -594,7 +594,7 @@ static void ssl_async_fd_handler(int fd)
/*
* openssl async delayed SSL_free handler
*/
-static void ssl_async_fd_free(int fd)
+void ssl_async_fd_free(int fd)
{
SSL *ssl = fdtab[fd].owner;
OSSL_ASYNC_FD all_fd[32];
--
2.17.1
