Re: external-check stdout ends up in load-balanced traffic, destroying tcp sessions

Tue, 07 Jun 2016 03:02:45 -0700 

You can always open /dev/null before chrooting and dup() it into FD 0 and 1 
after chroot() has been called.

Le 7 juin 2016 06:23:04 GMT+02:00, Simon Horman <ho...@verge.net.au> a écrit :
>Hi Cyril, Hi Lukas,
>
>On Mon, Jun 06, 2016 at 08:21:46PM +0200, Cyril Bonté wrote:
>> Hi Lukas,
>> 
>> I add Malcolm and Simon to the thread.
>> 
>> Le 06/06/2016 à 08:36, Lukas Erlacher a écrit :
>> >Additional info: The output only ends up in the *first* client
>connection.
>> >
>> >Talking about this with some colleagues we're now theorizing that
>stdout goes to fd 1 and fd 1 is also the first client connection
>socket. Might be helpful for tracking this down.
>> 
>> After doing a quick test, I can confirm I can reproduce the issue
>(once
>> working in daemon mode).
>> 
>> Simon, do you have time to work on a fix ? or should someone else do
>? (I
>> think I'll be available to work on this, but only by the end of the
>week)
>> 
>> Also Malcolm, as I remember you are using this feature, be aware that
>you
>> may hit the issue too.
>
>looking over the code a little the theory regarding fd 1 seems entirely
>plausible as stdout, along with stdin and stdin, may be be closed 
>in haproxy.c:main()
>
>It seems to me that if the case where they were closed, and thus fd 1
>and 2
>may be used for other purposes, it would be prudent to redirect fd 1
>and 2
>to "/dev/null".
>
>One problem I see with this is that if haproxy is running in a chroot
>and /dev/null is not present then open() will fail.
>
>Lukas, would it be possible for you to test the following
>(I have only compile tested it) ?
>
>
>diff --git a/src/checks.c b/src/checks.c
>index c4ac947b6051..eca7df62522f 100644
>--- a/src/checks.c
>+++ b/src/checks.c
>@@ -1836,6 +1836,16 @@ static int connect_proc_chk(struct task *t)
>       if (pid == 0) {
>               /* Child */
>               extern char **environ;
>+
>+              if ((global.mode & MODE_QUIET) && !(global.mode & 
>MODE_VERBOSE)) {
>+                      close(0);
>+                      close(1);
>+
>+                      if (open("/dev/null", 0, O_WRONLY) || open("/dev/null", 
>0,
>O_WRONLY)) {
>+                              exit (-1);
>+                      }
>+              }
>+
>               environ = check->envp;
>               extchk_setenv(check, EXTCHK_HAPROXY_SERVER_CURCONN,
>ultoa_r(s->cur_sess, buf, sizeof(buf)));
>               execvp(px->check_command, check->argv);

-- 
Envoyé de mon téléphone Android avec K-9 Mail. Excusez la brièveté.

Reply via email to