On Sun, Mar 7, 2021 at 1:10 PM Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> thanks for the review.
>
> On Sun, Mar 07, 2021 at 12:22:32PM -0500, Selva Nair wrote:
> > On Sun, Mar 7, 2021 at 11:31 AM Gert Doering <g...@greenie.muc.de>
> wrote:
> >
> > > If --mlock is used, the amount of memory OpenVPN can use is guarded
> > > by the RLIMIT_MEMLOCK value (see mlockall(2)).  The OS default for this
> > > is usually 64 Kbyte, which is enough for OpenVPN to initialize, but
> > > as soon as the first TLS handshake comes in, OpenVPN will crash due
> > > to "out of memory", and might even end up in a crash loop.
> > >
> > > Steady-state OpenVPN requires between 8 MB and 30-50 MB (servers with
> > > many concurrent clients) of memory.
> > >
> > > So: with this patch, we check if getrlimit() is available, and if yes,
> > > log the amount of mlock'able memory.  If the amount is below 20 MB,
> > > which is an arbitrary value "large enough for most smaller
> deployments",
> > > we abort.
> > >
> >
> > This is required only if privileges are dropped, isn't it? Could be made
> > conditional on o->username being set.
>
> "I'm not sure", TBH.  rlimit handling in unix is a bit of an unknown
> territory for me.
>
> What I understand is that root can *increment* the rlimit at will, but
> I'd assume that the rlimit value "in existence right now" (specifically,
> the soft limit) applies to root processes as well.  Sort of a voluntary
> protection against processes running away.
>

On modern Linux kernels (since some 2.6.x..) RLIMIT_MEMLOCK applies only to
unprivileged processes -- privileged processes are allowed to lock an "unlimited"
amount of memory, as documented in man mlock. We updated the man page based
on that some time ago.

We could also consider using setrlimit to increase the limit before
dropping privileges.

But I haven't checked how other "unix"-like OSes behave.

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
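The check-then-raise sequence discussed in this thread (getrlimit to inspect RLIMIT_MEMLOCK, setrlimit to raise it before dropping privileges, then mlockall), written out as an added example. This is illustration code for the discussion, not OpenVPN's code and not Gert's patch; the 20 MB threshold is the value from the patch description, the function names (`plan_memlock_limit`, `ensure_memlock_limit`, `mlock_then_drop`) and the `uid` argument are hypothetical, and the privilege semantics assumed are the Linux ones from man 2 mlock (since 2.6.9 the limit is only enforced for processes without CAP_IPC_LOCK). It goes slightly beyond the thread by separating the case an unprivileged process can fix itself (raising the soft limit up to the hard limit) from the case that needs root (raising the hard limit), which is what decides whether a bare setrlimit() will succeed after --user has taken effect.

```c
/* memlock_limit.c: inspect and raise RLIMIT_MEMLOCK before mlockall() and
 * the privilege drop.  Example code for the openvpn-devel discussion, not
 * OpenVPN's own implementation.  Build: cc -Wall -o memlock_limit memlock_limit.c */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Threshold from the proposed patch: 20 MB, "large enough for most smaller
 * deployments".  Busy servers need 30-50 MB according to the thread. */
#define MLOCK_MIN_BYTES ((rlim_t)20 * 1024 * 1024)

/* Outcome codes for plan_memlock_limit(). */
enum {
    MEMLOCK_OK        = 0, /* soft limit already >= need, nothing to do        */
    MEMLOCK_SOFT_ONLY = 1, /* raise soft limit up to the hard limit; any uid   */
    MEMLOCK_NEED_ROOT = 2  /* hard limit too low; needs root/CAP_SYS_RESOURCE  */
};

static int limit_is_enough(rlim_t cur, rlim_t need)
{
    return cur == RLIM_INFINITY || cur >= need;
}

/* Pure decision logic: given the current soft/hard limits, compute the rlimit
 * that makes `need` bytes lockable.  `out` may be NULL.  No syscalls here, so
 * this part can be unit-tested without root. */
int plan_memlock_limit(rlim_t cur, rlim_t max, rlim_t need, struct rlimit *out)
{
    struct rlimit want = { .rlim_cur = cur, .rlim_max = max };
    int code;

    if (limit_is_enough(cur, need)) {
        code = MEMLOCK_OK;
    } else if (limit_is_enough(max, need)) {
        want.rlim_cur = need;          /* permitted for unprivileged uids */
        code = MEMLOCK_SOFT_ONLY;
    } else {
        want.rlim_cur = need;
        want.rlim_max = need;          /* raising the hard limit: root only */
        code = MEMLOCK_NEED_ROOT;
    }
    if (out)
        *out = want;
    return code;
}

/* Apply the plan.  Returns 0 on success, -1 with errno set on failure
 * (EPERM when an unprivileged process tries to raise the hard limit).
 * Call this while still root: on Linux >= 2.6.9 RLIMIT_MEMLOCK is only
 * enforced for processes without CAP_IPC_LOCK, so a 64 KB default only
 * starts to bite once privileges are gone and MCL_FUTURE locks new pages. */
int ensure_memlock_limit(rlim_t need)
{
    struct rlimit cur, want;
    if (getrlimit(RLIMIT_MEMLOCK, &cur) != 0)
        return -1;
    if (plan_memlock_limit(cur.rlim_cur, cur.rlim_max, need, &want) == MEMLOCK_OK)
        return 0;
    return setrlimit(RLIMIT_MEMLOCK, &want);
}

/* Ordering that avoids the crash loop from the thread:
 * raise limit -> mlockall -> drop privileges.  `uid` is a hypothetical
 * unprivileged uid standing in for the --user target. */
int mlock_then_drop(rlim_t need, uid_t uid)
{
    if (ensure_memlock_limit(need) != 0)
        return -1;                            /* abort early, as the patch does */
    if (mlockall(MCL_CURRENT | MCL_FUTURE) != 0)
        return -1;
    if (geteuid() == 0 && setuid(uid) != 0)
        return -1;
    return 0;
}

int main(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) {
        perror("getrlimit");
        return 1;
    }
    if (rl.rlim_cur == RLIM_INFINITY)
        printf("RLIMIT_MEMLOCK soft=unlimited\n");
    else
        printf("RLIMIT_MEMLOCK soft=%llu bytes\n", (unsigned long long)rl.rlim_cur);

    switch (plan_memlock_limit(rl.rlim_cur, rl.rlim_max, MLOCK_MIN_BYTES, NULL)) {
    case MEMLOCK_OK:        printf("enough for mlockall()\n"); break;
    case MEMLOCK_SOFT_ONLY: printf("raise soft limit (no root needed)\n"); break;
    default:                printf("hard limit too low: raise as root or abort\n"); break;
    }
    return 0;
}
```

Run as an unprivileged user on a stock Linux box the program reports the 64 KB soft limit Gert mentions and, unless the hard limit has been raised in limits.conf or the systemd unit, that only root can fix it, which is the case where raising the limit before the setuid() is the only option short of aborting.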