From 7d58cd3eca91b8e6c5e25f0df1a49bca3fa4e441 Mon Sep 17 00:00:00 2001 From: Ciprian Dorin Craciun Date: Sun, 11 Sep 2022 20:42:39 +0300 Subject: [PATCH] [server] Add support for increasing (or decreasing) descriptors count. --- sources/cmd/server/seccomp.go | 2 + sources/cmd/server/server.go | 56 ++++++++++++++++++--------- sources/lib/common/os-freebsd.go | 19 ++++++++- sources/lib/common/os-linux-darwin.go | 18 ++++++++- sources/lib/common/os-openbsd.go | 18 ++++++++- 5 files changed, 91 insertions(+), 22 deletions(-) diff --git a/sources/cmd/server/seccomp.go b/sources/cmd/server/seccomp.go index 84d9a26..de4a4f8 100644 --- a/sources/cmd/server/seccomp.go +++ b/sources/cmd/server/seccomp.go @@ -96,6 +96,8 @@ var _seccompPhase1Syscalls = append ([]string { "mmap", + "setrlimit", + "seccomp", "prctl", diff --git a/sources/cmd/server/server.go b/sources/cmd/server/server.go index 62a6005..6d5e924 100644 --- a/sources/cmd/server/server.go +++ b/sources/cmd/server/server.go @@ -825,6 +825,7 @@ func main_0 () (error) { var _dummyDelay time.Duration var _profileCpu string var _profileMem string + var _limitDescriptors uint var _limitMemory uint var _seccompEnabled bool @@ -876,6 +877,7 @@ func main_0 () (error) { _dummyDelay_0 := _flags.Duration ("dummy-delay", 0, "") _profileCpu_0 := _flags.String ("profile-cpu", "", "") _profileMem_0 := _flags.String ("profile-mem", "", "") + _limitDescriptors_0 := _flags.Uint ("limit-descriptors", 0, "") _limitMemory_0 := _flags.Uint ("limit-memory", 0, "") _seccompEnabled_0 := _flags.Bool ("seccomp-enable", false, "") @@ -913,6 +915,7 @@ func main_0 () (error) { _dummyDelay = *_dummyDelay_0 _profileCpu = *_profileCpu_0 _profileMem = *_profileMem_0 + _limitDescriptors = *_limitDescriptors_0 _limitMemory = *_limitMemory_0 _seccompEnabled = *_seccompEnabled_0 
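Review bot: Adding `"setrlimit"` to `_seccompPhase1Syscalls` in seccomp.go may not cover every build, because on some Linux architectures and Go versions `syscall.Setrlimit` is issued through `prlimit64` rather than `setrlimit`. With `--seccomp-enable` and either `--limit-descriptors` or `--limit-memory` set, such a build would presumably fail at the `SysSetrlimit*` calls, which this commit moves to after `seccompApplyPhase1 ()`. It is worth checking which syscall the supported targets emit and, if needed, listing `"prlimit64"` next to `"setrlimit"`, with a comment on the entry such as `// needed because the rlimits are applied after phase 1`. The rest of the list lies outside the hunk, so `prlimit64` may already be allowed there.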
@@ -1025,6 +1028,9 @@ func main_0 () (error) { AbortError (nil, "[b0177488] maximum number of allowed threads in total is 1024!") } + if (_limitDescriptors != 0) && ((_limitDescriptors > (128 * 1024)) || (_limitDescriptors < 128)) { + AbortError (nil, "[10a440d7] maximum descriptors limit is between 128 and 131072!") + } if (_limitMemory != 0) && ((_limitMemory > (16 * 1024)) || (_limitMemory < 128)) { AbortError (nil, "[2781f54c] maximum memory limit is between 128 and 16384 MiB!") } @@ -1056,23 +1062,8 @@ func main_0 () (error) { - runtime.GOMAXPROCS (int (_threads)) - - debug.SetGCPercent (50) - debug.SetMaxThreads (int (128 * (_threads / 64 + 1))) - debug.SetMaxStack (32 * 1024) - - - _httpReduceMemory := false - - - if _limitMemory > 0 { - if !_quiet && _isMaster { - log.Printf ("[ii] [2c130d70] limiting memory to %d MiB;\n", _limitMemory) - } - if _error := SysSetrlimit (_limitMemory); _error != nil { - AbortError (_error, "[4da96378] failed to configure memory limit!") - } + if _seccompEnabled { + seccompApplyPhase1 () } @@ -1084,8 +1075,32 @@ func main_0 () (error) { - if _seccompEnabled { - seccompApplyPhase1 () + runtime.GOMAXPROCS (int (_threads)) + + debug.SetGCPercent (50) + debug.SetMaxThreads (int (128 * (_threads / 64 + 1))) + debug.SetMaxStack (32 * 1024) + + + _httpReduceMemory := false + + + if _limitDescriptors > 0 { + if !_quiet && _isMaster { + log.Printf ("[ii] [33a2c5e9] [limits..] limiting descriptors to %d;\n", _limitDescriptors) + } + if _error := SysSetrlimitDescriptors (_limitDescriptors); _error != nil { + AbortError (_error, "[3dc44251] failed to configure descriptors limit!") + } + } + + if _limitMemory > 0 { + if !_quiet && _isMaster { + log.Printf ("[ii] [2c130d70] [limits..] limiting memory to %d MiB;\n", _limitMemory) + } + if _error := SysSetrlimitMemory (_limitMemory); _error != nil { + AbortError (_error, "[4da96378] failed to configure memory limit!") + } } 
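Review bot: In main_0 the call to `seccompApplyPhase1 ()` now precedes the `SysSetrlimitDescriptors` and `SysSetrlimitMemory` blocks, whereas the removed lines set the memory limit first and installed the filter afterwards; this new order is the only visible reason the phase-1 allowlist has to permit `setrlimit`. Nothing in the hunks shown here has a later phase withdrawing that syscall, so the process may keep it for its whole lifetime, even though setting `Cur` and `Max` together limits what an unprivileged process could do with it. If the reordering is required, a comment at the moved call would record why, for example `// phase 1 is applied before the limits, so the filter must allow setrlimit`. Otherwise, applying both limits before `seccompApplyPhase1 ()` keeps the filter narrower. main_0 starts and ends outside these hunks.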
@@ -1176,6 +1191,9 @@ func main_0 () (error) { if _timeoutDisabled { _processArguments = append (_processArguments, "--timeout-disable") } + if _limitDescriptors != 0 { + _processArguments = append (_processArguments, "--limit-descriptors", fmt.Sprintf ("%d", _limitDescriptors)) + } if _limitMemory != 0 { _processArguments = append (_processArguments, "--limit-memory", fmt.Sprintf ("%d", _limitMemory)) } diff --git a/sources/lib/common/os-freebsd.go b/sources/lib/common/os-freebsd.go index ef2a2d7..ecfdaa3 100644 --- a/sources/lib/common/os-freebsd.go +++ b/sources/lib/common/os-freebsd.go @@ -9,7 +9,8 @@ import "syscall" -func SysSetrlimit (_limitMemory uint) (error) { + +func SysSetrlimitMemory (_limitMemory uint) (error) { { _limitMb := (2 * _limitMemory) + (1 * 1024) _limit := syscall.Rlimit { @@ -33,3 +34,19 @@ func SysSetrlimit (_limitMemory uint) (error) { return nil } + + + +func SysSetrlimitDescriptors (_limitDescriptors uint) (error) { + { + _limit := syscall.Rlimit { + Cur : int64 (_limitDescriptors), + Max : int64 (_limitDescriptors), + } + if _error := syscall.Setrlimit (syscall.RLIMIT_NOFILE, &_limit); _error != nil { + return _error + } + } + return nil +} + diff --git a/sources/lib/common/os-linux-darwin.go b/sources/lib/common/os-linux-darwin.go index 6c5ddad..e451853 100644 --- a/sources/lib/common/os-linux-darwin.go +++ b/sources/lib/common/os-linux-darwin.go @@ -10,7 +10,7 @@ import "syscall" -func SysSetrlimit (_limitMemory uint) (error) { +func SysSetrlimitMemory (_limitMemory uint) (error) { { _limitMb := (2 * _limitMemory) + (1 * 1024) _limit := syscall.Rlimit { @@ -34,3 +34,19 @@ func SysSetrlimit (_limitMemory uint) (error) { return nil } + + + +func SysSetrlimitDescriptors (_limitDescriptors uint) (error) { + { + _limit := syscall.Rlimit { + Cur : uint64 (_limitDescriptors), + Max : uint64 (_limitDescriptors), + } + if _error := syscall.Setrlimit (syscall.RLIMIT_NOFILE, &_limit); _error != nil { + return _error + } + } + return nil +} + 
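Review bot: `SysSetrlimitDescriptors` in os-freebsd.go writes the same value to both `Cur` and `Max`, so it moves the hard RLIMIT_NOFILE as well as the soft one, and the exported function has no comment saying so; the copies added to os-linux-darwin.go and os-openbsd.go are the same. Raising the hard limit normally needs privilege, and an unprivileged process cannot undo lowering it. That matters to any caller other than main_0, which is where the 128 to 131072 range check lives. A doc comment would state the contract: `// SysSetrlimitDescriptors sets the soft and hard RLIMIT_NOFILE to _limitDescriptors; the caller validates the range.` On FreeBSD the value is also converted with `int64 (_limitDescriptors)`, which is safe only because of that caller-side bound.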
diff --git a/sources/lib/common/os-openbsd.go b/sources/lib/common/os-openbsd.go index ed7a090..beae766 100644 --- a/sources/lib/common/os-openbsd.go +++ b/sources/lib/common/os-openbsd.go @@ -10,7 +10,7 @@ import "syscall" -func SysSetrlimit (_limitMemory uint) (error) { +func SysSetrlimitMemory (_limitMemory uint) (error) { { _limitMb := _limitMemory _limit := syscall.Rlimit { @@ -24,3 +24,19 @@ func SysSetrlimit (_limitMemory uint) (error) { return nil } + + + +func SysSetrlimitDescriptors (_limitDescriptors uint) (error) { + { + _limit := syscall.Rlimit { + Cur : uint64 (_limitDescriptors), + Max : uint64 (_limitDescriptors), + } + if _error := syscall.Setrlimit (syscall.RLIMIT_NOFILE, &_limit); _error != nil { + return _error + } + } + return nil +} +