Re: 2.0.14 PCRE2 JIT compilation failed

2020-05-11 Thread Willy Tarreau
Hi Veiko,

On Fri, Apr 24, 2020 at 01:08:40PM +, Veiko Kukk wrote:
> It has happened to many of us that after asking for help, a good idea to
> test/debug comes.

Oh yes, it's quite common that putting down a problem helps seeing it
better. This is also why when you can explain a problem to someone in
person, you often don't need to finish your sentence and immediately
find the solution :-)

> It turned out to be a selinux issue.
>
> #= haproxy_t ==
> 
> # This avc can be allowed using the boolean 'cluster_use_execmem'
> allow haproxy_t self:process execmem;

That's very interesting, thanks for sharing!

> I wonder if somewhere in HAproxy documentation about pcre jit, it is
> mentioned that in case of selinux, selinux rules must be changed for the jit
> to work. If not, would be nice to add it.

I'm sure it's not mentioned and that probably nobody thought
about this before. Could you please propose a patch against INSTALL
to mention this ? There's also section 11 of management.txt which
could get a few lines about it I guess, reusing your discoveries.

Thanks,
Willy



Re: 2.0.14 PCRE2 JIT compilation failed

2020-04-24 Thread Veiko Kukk

On 2020-04-24 12:47, Veiko Kukk wrote:

> HAproxy 2.0.14 on CentOS 7.7.1908 with PCRE2 JIT enabled (USE_PCRE2=1
> USE_PCRE2_JIT=1).
>
> When starting it with configuration that has following ACL regex line,
> it fails:
>
> acl path_is_foo path_reg ^\/video\/[a-zA-Z0-9_-]{43}\/[a-z0-9]{8}\/videos\/
>
> Error message:
> error detected while parsing ACL 'path_is_foo' : regex
> '^\/video\/[a-zA-Z0-9_-]{43}\/[a-z0-9]{8}\/videos\/' jit compilation
> failed.


Hi again,

It has happened to many of us that after asking for help, a good idea to 
test/debug comes.


It turned out to be a selinux issue.

#= haproxy_t ==

# This avc can be allowed using the boolean 'cluster_use_execmem'
allow haproxy_t self:process execmem;


I wonder if somewhere in HAproxy documentation about pcre jit, it is 
mentioned that in case of selinux, selinux rules must be changed for the 
jit to work. If not, would be nice to add it.


--
Best regards,
Veiko
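
The diagnosis reported above can be reproduced from the audit log. The following is an added example, not part of the thread or of HAProxy: it scans AVC records for `execmem` denials a domain received on itself and prints the rule audit2allow reported. The log lines are constructed, and the module name `haproxy_execmem` in the comments is a hypothetical choice.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log records (not from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1587732520.101:4201): avc:  denied  { execmem } for  pid=2317 comm="haproxy" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=0
type=AVC msg=audit(1587732520.350:4202): avc:  denied  { name_bind } for  pid=2317 comm="haproxy" src=8404 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1587732581.007:4210): avc:  denied  { execmem } for  pid=2399 comm="haproxy" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1587732581.007:4210): arch=c000003e syscall=9 success=no exit=-13 comm="haproxy" exe="/usr/sbin/haproxy"
EOF
}

# Read audit records on stdin; print one rule per domain that was denied
# execmem on its own process (source type equals target type).
execmem_rules() {
    awk '
    $1 == "type=AVC" && index($0, "denied") && index($0, "{ execmem }") &&
    index($0, "tclass=process") {
        s = ""; t = ""
        for (i = 1; i <= NF; i++) {
            # context is user:role:type:level, so the type is field 3
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
        }
        if (s != "" && s == t && !seen[s]++)
            printf "allow %s self:process execmem;\n", s
    }'
}

# On a live host the records come from:  ausearch -m avc -c haproxy --raw
# Narrow fix, a local module holding only this rule (hypothetical name):
#   ausearch -m avc -c haproxy --raw | audit2allow -M haproxy_execmem
#   semodule -i haproxy_execmem.pp
# Alternative named in the thread, which applies to every domain the
# boolean covers and not only haproxy_t:
#   setsebool -P cluster_use_execmem 1
sample_audit_log | execmem_rules
```

The unrelated `name_bind` denial in the sample is ignored, and the two `execmem` denials collapse into a single rule.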



2.0.14 PCRE2 JIT compilation failed

2020-04-24 Thread Veiko Kukk

Hi

Since 1.9 support ends soon, I'm trying to start using 2.0 series.

HAproxy 2.0.14 on CentOS 7.7.1908 with PCRE2 JIT enabled (USE_PCRE2=1 
USE_PCRE2_JIT=1).


When starting it with configuration that has following ACL regex line, 
it fails:


acl path_is_foo path_reg ^\/video\/[a-zA-Z0-9_-]{43}\/[a-z0-9]{8}\/videos\/


Error message:
error detected while parsing ACL 'path_is_foo' : regex 
'^\/video\/[a-zA-Z0-9_-]{43}\/[a-z0-9]{8}\/videos\/' jit compilation 
failed.


Apparently this regex has been working with PCRE (not PCRE2) and 
without jit for quite long time using 1.9 releases of HAproxy (I have 
not personally created nor tested this regex). When compiling HAproxy 
with PCRE2 but without JIT support, haproxy does not complain about this 
regular expression, no errors at all.


I did not find much information of HAproxy path_reg regular expression 
syntax. Is it necessary to escape forward slashes? How to debug this 
issue, what is wrong with this expression?


$ haproxy -vv
HA-Proxy version 2.0.14 2020/04/02 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU = generic
  CC  = gcc
  CFLAGS  = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing 
-Wdeclaration-after-statement -fwrapv -Wno-unused-label 
-Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration 
-Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers 
-Wtype-limits
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_THREAD=1 USE_REGPARM=1 
USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1


Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE 
-PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD 
-PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY 
+LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO 
+OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO 
+NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER 
+PRCTL +THREAD_DUMP -EVPORTS


Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT 
IPV6_TRANSPARENT IP_FREEBIND

Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), 
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")

Built with PCRE2 version : 10.23 2017-02-14
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE     mux=H2
              h2 : mode=HTTP       side=FE        mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

$ ldd /sbin/haproxy
linux-vdso.so.1 =>  (0x7ffebcde1000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x7f7ac1989000)
libz.so.1 => /lib64/libz.so.1 (0x7f7ac1773000)
libdl.so.2 => /lib64/libdl.so.2 (0x7f7ac156f000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7f7ac1353000)
librt.so.1 => /lib64/librt.so.1 (0x7f7ac114b000)
libssl.so.10 => /lib64/libssl.so.10 (0x7f7ac0ed9000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x7f7ac0a76000)
libm.so.6 => /lib64/libm.so.6 (0x7f7ac0774000)
libsystemd.so.0 => /lib64/libsystemd.so.0 (0x7f7ac0543000)
libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x7f7ac02cc000)
libpcre2-posix.so.1 => /lib64/libpcre2-posix.so.1 (0x7f7ac00c9000)
libc.so.6 => /lib64/libc.so.6 (0x7f7abfcfb000)
libfreebl3.so => /lib64/libfreebl3.so (0x7f7abfaf8000)
/lib64/ld-linux-x86-64.so.2 (0x7f7ac1bc)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x7f7abf8ab000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x7f7abf5c2000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x7f7abf3be000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x7f7abf18b000)
libcap.so.2 => /lib64/libcap.so.2 (0x7f7abef86000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x7f7abed5f000)
liblzma.so.5 => /lib64/liblzma.so.5 (0x7f7abeb39000)
liblz4.so.1 => /lib64/liblz4.so.1 (0x7f7abe9