Hi,

thanks for the review. 

On Sun, Mar 07, 2021 at 12:22:32PM -0500, Selva Nair wrote:
> On Sun, Mar 7, 2021 at 11:31 AM Gert Doering <g...@greenie.muc.de> wrote:
> 
> > If --mlock is used, the amount of memory OpenVPN can use is guarded
> > by the RLIMIT_MEMLOCK value (see mlockall(2)).  The OS default for this
> > is usually 64 Kbyte, which is enough for OpenVPN to initialize, but
> > as soon as the first TLS handshake comes in, OpenVPN will crash due
> > to "out of memory", and might even end up in a crash loop.
> >
> > Steady-state OpenVPN requires between 8 MB and 30-50 MB (servers with
> > many concurrent clients) of memory.
> >
> > So: with this patch, we check if getrlimit() is available, and if yes,
> > log the amount of mlock'able memory.  If the amount is below 20 MB,
> > which is an arbitrary value "large enough for most smaller deployments",
> > we abort.
> >
> 
> This is required only if privileges are dropped, isn't it? Could be made
> conditional on o->username being set.

"I'm not sure", TBH.  rlimit handling in unix is a bit of an unknown
territory for me.

What I understand is that root can *increment* the rlimit at will, but
I'd assume that the rlimit value "in existence right now" (specifically,
the soft limit) applies to root processes as well.  Sort of a voluntary
protection against processes running away.

But I can test this.  Just malloc() until it does...

[..]
> > @@ -237,6 +237,12 @@ which mode OpenVPN is configured as.
> >    likely fail. The limit can be increased using ulimit or systemd
> >    directives depending on how OpenVPN is started.
> >
> > +  If the platform has the getrlimit(2) system call, OpenVPN will check
> > +  for the amount of mlock-able memory before calling mlockall(2), and
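Review bot: the added sentence at "for the amount of mlock-able memory" does not name the limit being checked. The commit message calls it RLIMIT_MEMLOCK; naming it here, next to the existing "ulimit or systemd directives" hint, would tell an administrator which limit to raise when the check fails. If the text that follows does not already state the 20 MB minimum and that OpenVPN aborts below it, that belongs in this paragraph as well.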
> 
> white space at end of line

Yeah, the whitespace-and-typing force wasn't strong with me today :-)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
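
The check discussed in this thread, as an added example (not part of the original mail and not OpenVPN's code): read the soft RLIMIT_MEMLOCK value before mlockall(2) and compare it with the 20 MB minimum from the commit message. The function and enum names are hypothetical.

```c
/* Added illustration; not OpenVPN source. All names here are hypothetical. */
#include <stdio.h>
#include <sys/resource.h>

/* 20 MB minimum, the value given in the commit message */
#define MIN_MLOCK_BYTES ((rlim_t)20 * 1024 * 1024)

enum mlock_verdict { MLOCK_OK, MLOCK_TOO_LOW, MLOCK_UNKNOWN };

/* Pure decision: is this soft RLIMIT_MEMLOCK value large enough? */
enum mlock_verdict
classify_memlock(rlim_t soft, rlim_t minimum)
{
    /* Handle "unlimited" explicitly instead of relying on its numeric value. */
    if (soft == RLIM_INFINITY)
    {
        return MLOCK_OK;
    }
    return soft >= minimum ? MLOCK_OK : MLOCK_TOO_LOW;
}

/* Query the running process and log the limit; call before mlockall(2). */
enum mlock_verdict
check_memlock_limit(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
    {
        perror("getrlimit(RLIMIT_MEMLOCK)");
        return MLOCK_UNKNOWN;
    }
    if (rl.rlim_cur == RLIM_INFINITY)
    {
        fprintf(stderr, "mlock limit: soft=unlimited\n");
    }
    else
    {
        fprintf(stderr, "mlock limit: soft=%llu bytes\n",
                (unsigned long long)rl.rlim_cur);
    }
    return classify_memlock(rl.rlim_cur, MIN_MLOCK_BYTES);
}

int
main(void)
{
    /* Exit non-zero when the limit is too low or could not be read. */
    return check_memlock_limit() == MLOCK_OK ? 0 : 1;
}
```

Run as root and as an unprivileged user under the same `ulimit -l` setting, it prints the soft limit each process actually starts with.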
