Hello Richard,

thanks for working on this topic and providing a way to control this new 
protection mechanism depending on the requirements and age of systems etc.

Cheers,

Henning

From: Richard Chan via sr-dev <sr-dev@lists.kamailio.org>
Sent: Tuesday, 6 February 2024 12:20
To: mico...@gmail.com
Cc: Kamailio (SER) - Development Mailing List <sr-dev@lists.kamailio.org>; 
Richard Chan <shihping.c...@gmail.com>
Subject: [sr-dev] Re: git:master:ba921b21: core/rthread.h: add prototype for db 
queries

Hi Daniel / Henning,

I would like to propose a global config to restore the non-threaded default:

enable_tls = no|yes #(EXISTING) boolean
enable_tls_threads = 0 | 1 | 2 #(NEW) int

0: disable thread-wrappers (restores kamailio behaviour)
 - default when enable_tls = no

1: thread-wrapper only for process_no = 0 (main process)
 - default when enable_tls = yes

2: thread-wrapper on for all processes

Now the behaviour for the thread wrappers can be

/* pseudo-code
 * fn is the wrapped function */
run_threadXXXX(fn, ...)
{
    int flag = cfg_get_tls_threads();
    if (likely(flag == 0 || (flag == 1 && process_no != 0))) {
        return fn(...); /* execute wrapped function directly - no thread */
    } else { /* flag == 2 || (flag == 1 && process_no == 0) */
        /* run fn in a thread and return its result */
    }
}

I am not familiar with the bison grammar or parsing of the global config file — 
I would need your help (or another developer familiar with the core parsing) to 
set this up. When this cfg flag is available I can change all the 
thread-runners to check the global config.
With respect to 5.7 - stable branch - unfortunately due to the changes to 
OpenSSL 3 it is broken - #3635 - with more load there will be double-free 
errors; #3727 - cannot load tls and db module (even if the db module does not 
use TLS it may initialize OpenSSL).

The changes, while more intrusive than usual, are the minimal viable set of 
changes. With the commits on 5.7 you can have a TLS-enabled /etc/kamailio.cfg 
using OpenSSL 3 and load a db module (with or without TLS). To reiterate - even 
a pure in-memory TLS proxy without database is subject to double free 
corruption.

To make the changes less intrusive: backport the global enable_tls_threads 
config to 5.7.5+ or make the thread wrappers check for process_no = 0. The 
latter (and more minimal) change would mean that all Kamailio workers will have 
the existing behaviour and only process_no = 0 tries to run thread wrappers.

Options:
A. 5.8-pre: add a global config enable_tls_threads to 5.8-pre (need help on 
this part - the thread wrappers I would be able to fix)
B. 5.7.5+: backport A to 5.7 OR check for process_no = 0 in thread 
wrappers (only change in parent process, no change to worker processes)

Let me know what you think - thanks for the comments.

Cheers
Richard
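Added example (not Kamailio code and not from either mail): a self-contained C sketch of the thread-wrapper dispatch proposed above, covering the three enable_tls_threads values, the enable_tls-derived default, and the fallback to a direct call when no thread can be created. process_no, tls_threads_cfg, cfg_get_tls_threads(), run_thread_wrapped() and sample_fn() are hypothetical stand-ins, not the real core symbols.

```c
#include <pthread.h>

/* Stand-ins for Kamailio's process_no and the proposed cfg_get_tls_threads();
 * both are hypothetical globals here so the dispatch logic can be exercised. */
static int process_no = 0;
static int tls_threads_cfg = 1;
static int cfg_get_tls_threads(void) { return tls_threads_cfg; }

/* Proposed default: 0 when enable_tls = no, 1 when enable_tls = yes. */
static int default_tls_threads(int enable_tls) { return enable_tls ? 1 : 0; }

/* 0: never thread; 1: thread only in the main process; 2: thread everywhere. */
static int use_thread_wrapper(int flag, int proc_no)
{
    return flag == 2 || (flag == 1 && proc_no == 0);
}

typedef int (*wrapped_fn)(void *arg);
struct thread_args { wrapped_fn fn; void *arg; int ret; };

/* Thread entry point: call the wrapped function and keep its return value. */
static void *trampoline(void *p)
{
    struct thread_args *ta = p;
    ta->ret = ta->fn(ta->arg);
    return NULL;
}

/* Run fn directly or in a joined helper thread, as the cfg flag dictates.
 * *threaded reports which path was actually taken so callers can verify it. */
static int run_thread_wrapped(wrapped_fn fn, void *arg, int *threaded)
{
    struct thread_args ta = { fn, arg, 0 };
    pthread_t th;
    *threaded = use_thread_wrapper(cfg_get_tls_threads(), process_no);
    if (!*threaded)
        return fn(arg);             /* worker path: no thread at all */
    if (pthread_create(&th, NULL, trampoline, &ta) != 0) {
        *threaded = 0;              /* fall back to a direct call */
        return fn(arg);
    }
    pthread_join(th, NULL);
    return ta.ret;
}

/* Constructed wrapped function standing in for an OpenSSL-touching call. */
static int sample_fn(void *arg) { return 2 * *(int *)arg; }
```

Set tls_threads_cfg and process_no before calling run_thread_wrapped() to see the main-process call go through a thread while a worker (process_no != 0) with flag 1 calls sample_fn() directly.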
