Hi, thanks for the review.
On Sun, Mar 07, 2021 at 12:22:32PM -0500, Selva Nair wrote: > On Sun, Mar 7, 2021 at 11:31 AM Gert Doering <g...@greenie.muc.de> wrote: > > > If --mlock is used, the amount of memory OpenVPN can use is guarded > > by the RLIMIT_MEMLOCK value (see mlockall(2)). The OS default for this > > is usually 64 Kbyte, which is enough for OpenVPN to initialize, but > > as soon as the first TLS handshake comes it, OpenVPN will crash due > > to "ouf of memory", and might even end up in a crash loop. > > > > Steady-state OpenVPN requires between 8 MB and 30-50 MB (servers with > > many concurrent clients) of memory. > > > > So: with this patch, we check if getrlimit() is available, and if yes, > > log the amount of mlock'able memory. If the amount is below 20 MB, > > which is an arbitrary value "large enough for most smaller deployments", > > we abort. > > > > This is required only if privileges are dropped, isn't it? Could be made > conditional > on o->username is set. "I'm not sure", TBH. rlimit handling in unix is a bit of an unknown territory for me. What I understand is that root can *increment* the rlimit at will, but I'd assume that the rlimit value "in existance right now" (specifically, the soft limit) applies to root processes as well. Sort of a voluntary protection against processes running away. But I can test this. Just malloc() until it does... [..] > > @@ -237,6 +237,12 @@ which mode OpenVPN is configured as. > > likely fail. The limit can be increased using ulimit or systemd > > directives depending on how OpenVPN is started. > > > > + If the platform has the getrlimit(2) system call, OpenVPN will check > > + for the amount of mlock-able memory before calling mlockall(2), and > > white space at end of line Yeah, the whitespace-and-typing force wasn't strong with me today :-) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel