1. 06 Apr, 2019 1 commit
    • restore allowance for tcp-clients < interfaces · 0b4e2cd4
      Evan Hunt authored
      in the "refactor tcpquota and pipeline refs" commit, the counting
      of active interfaces was tightened in such a way that named could
      fail to listen on an interface if there were more interfaces than
      tcp-clients. when checking the quota to start accepting on an
      interface, if the number of active clients was above zero, then
      it was presumed that some other client was able to handle accepting
      new connections. this, however, ignored the fact that the current client
      could be included in that count, so if the quota was already exceeded
      before all the interfaces were listening, some interfaces would never
      we now check whether the current client has been marked active; if so,
      then the number of active clients on the interface must be greater
      than 1, not 0.
  2. 05 Apr, 2019 5 commits
    • refactor tcpquota and pipeline refs; allow special-case overrun in isc_quota · 49394512
      Evan Hunt authored
      - if the TCP quota has been exceeded but there are no clients listening
        for new connections on the interface, we can now force attachment to the
        quota using isc_quota_force(), instead of carrying on with the quota not
      - the TCP client quota is now referenced via a reference-counted
        'ns_tcpconn' object, one of which is created whenever a client begins
        listening for new connections, and attached to by members of that
        client's pipeline group. when the last reference to the tcpconn
        object is detached, it is freed and the TCP quota slot is released.
      - reduce code duplication by adding mark_tcp_active() function.
      - convert counters to atomic.
      (cherry picked from commit 7e822237)
    • better tcpquota accounting and client mortality checks · e965d5f1
      Evan Hunt authored
      - ensure that tcpactive is cleaned up correctly when accept() fails.
      - set 'client->tcpattached' when the client is attached to the tcpquota.
        carry this value on to new clients sharing the same pipeline group.
        don't call isc_quota_detach() on the tcpquota unless tcpattached is
        set.  this way clients that were allowed to accept TCP connections
        despite being over quota (and therefore, were never attached to the
        quota) will not inadvertently detach from it and mess up the
      - simplify the code for tcpquota disconnection by using a new function
      - before deciding whether to reject a new connection due to quota
        exhaustion, check to see whether there are at least two active
        clients. previously, this was "at least one", but that could be
        insufficient if there was one other client in READING state (waiting
        for messages on an open connection) but none in READY (listening
        for new connections).
      - before deciding whether a TCP client object can go inactive, we
        must ensure there are enough other clients to maintain service
        afterward -- both accepting new connections and reading/processing new
        queries.  A TCP client can't shut down unless at least one
        client is accepting new connections and (in the case of pipelined
        clients) at least one additional client is waiting to read.
      (cherry picked from commit c7394738)
    • use reference counter for pipeline groups (v3) · 513afd33
      Michał Kępień authored
      Track pipeline groups using a shared reference counter
      instead of a linked list.
    • tcp-clients could still be exceeded (v2) · 924651f1
      Witold Krecicki authored
      the TCP client quota could still be ineffective under some
      circumstances.  this change:
      - improves quota accounting to ensure that TCP clients are
        properly limited, while still guaranteeing that at least one client
        is always available to serve TCP connections on each interface.
      - uses more descriptive names and removes one (ntcptarget) that
        was no longer needed
      - adds comments
    • fix enforcement of tcp-clients (v1) · f97131d2
      Witold Krecicki authored
      tcp-clients settings could be exceeded in some cases by
      creating more and more active TCP clients that are over
      the set quota limit, which in the end could lead to a
      DoS attack by e.g. exhaustion of file descriptors.
      If the TCP client we're closing went over the quota (so it's
      not attached to a quota) mark it as mortal - so that it
      will be destroyed and not set up to listen for new
      connections - unless it's the last client for a specific
  3. 03 Apr, 2019 2 commits
  4. 02 Apr, 2019 2 commits
  5. 26 Mar, 2019 7 commits
  6. 22 Mar, 2019 2 commits
  7. 21 Mar, 2019 8 commits
  8. 20 Mar, 2019 6 commits
  9. 19 Mar, 2019 5 commits
    • Merge branch '944-make-stop.pl-wait-for-lock-file-cleanup-v9_11' into 'v9_11' · 20483dc1
      Michał Kępień authored
      [v9_11] Make stop.pl wait for lock file cleanup
      See merge request !1711
    • Make stop.pl wait for lock file cleanup · 537765df
      Michał Kępień authored
      bin/tests/system/stop.pl only waits for the PID file to be cleaned up
      while named cleans up the lock file after the PID file.  Thus, the
      aforementioned script may consider a named instance to be fully shut
      down when in fact it is not.
      Fix by also checking whether the lock file exists when determining a
      given instance's shutdown status.  This change assumes that if a named
      instance uses a lock file, it is called "named.lock", and that if an
      lwresd instance uses a lock file, it is called "lwresd.lock".
      Also rename clean_pid_file() to pid_file_exists(), so that it is called
      more appropriately (it does not clean up the PID file itself, it only
      returns the server's identifier if its PID file is not yet cleaned up).
      (cherry picked from commit c787a539)
    • Correctly invoke stop.pl when start.pl fails · ebedeffa
      Michał Kępień authored
      MR !1141 broke the way stop.pl is invoked when start.pl fails:
        - start.pl changes the working directory to $testdir/$server before
          attempting to start $server,
        - commit 27ee629e causes the $testdir
          variable in stop.pl to be determined using the $SYSTEMTESTTOP
          environment variable, which is set to ".." by all tests.sh scripts,
        - commit e227815a makes start.pl pass
          $test (the test's name) rather than $testdir (the path to the test's
          directory) to stop.pl when a given server fails to start.
      Thus, when a server is restarted from within a tests.sh script and such
      a restart fails, stop.pl attempts to look for the server directory in a
      nonexistent location ($testdir/$server/../$test, i.e. $testdir/$test,
      instead of $testdir/../$test).  Fix the issue by changing the working
      directory before stop.pl is invoked in the scenario described above.
      (cherry picked from commit 4afad2a0)
    • Merge branch '945-remove-revoked-root-key-from-bind-keys-v9_14-v9_11' into 'v9_11' · 707b2349
      Evan Hunt authored
      Resolve "Remove revoked root key from bind.keys."
      See merge request !1709
    • Remove revoked root DNSKEY from bind.keys. · d5c57db1
      Mark Andrews authored
      (cherry picked from commit 0e805b58)
      (cherry picked from commit 3954d4ec)
  10. 15 Mar, 2019 2 commits