My bad (was a looong day). I've tried again with the change here: https://github.com/cloudant/haproxy-1.9/commit/abc3427130671e49defcd0ad6316ee16509ef9a1
Same leak. A new open fd each time I reload.

--
Robert Samuel Newson
[email protected]

On Thu, 25 Apr 2019, at 08:05, Willy Tarreau wrote:
> Hi Robert,
>
> On Wed, Apr 24, 2019 at 03:13:00PM -0400, Robert Newson wrote:
> > Hi,
> >
> > Thanks for the suggestion and, yes, we're using the master-worker mode (-Ws
> > specifically). I made a custom build as directed
> > (https://github.com/cloudant/haproxy-1.9/tree/urandom-leak) and tried it
> > out.
> > Same leak, unfortunately. An extra /dev/urandom fd each reload.
>
> Ah, that's not what I was suggesting :-) I was suggesting to put the
> return statement at the *beginning* of the function so that it does
> not initialize the random number generator. Or if you prefer, just
> pretend that it's already initialized (which will achieve the same) :
>
> diff --git a/src/ssl_sock.c b/src/ssl_sock.c > index 015943ee6..bd12d876d 100644 > --- a/src/ssl_sock.c > +++ b/src/ssl_sock.c > @@ -3736,7 +3736,7 @@ ignore_entry: > static int ssl_initialize_random() > { > unsigned char random; > - static int random_initialized = 0; > + static int random_initialized = 1; > > if (!random_initialized && RAND_bytes(&random, 1) != 0) > random_initialized = 1;
>
> Willy
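
Review bot: Initializing `random_initialized` to 1 makes the `if (!random_initialized && RAND_bytes(&random, 1) != 0)` test in ssl_initialize_random() permanently false, so RAND_bytes() is never called from this function and whatever that call was checking is silently skipped. That is reasonable as a throwaway experiment to see whether this call is what opens the extra /dev/urandom fd on each reload, but the changed line carries no comment saying so. Mark it as debug-only (a comment on the `+` line, or a build-time switch around it) so it cannot be mistaken for a fix, and restore `= 0` once the source of the descriptor is confirmed.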

