From: Oleg Pykhalov <go.wigust@gmail.com>
To: 43933@debbugs.gnu.org
Cc: Oleg Pykhalov <go.wigust@gmail.com>
Subject: [bug#43933] [PATCH 6/8] gnu: Add nginx-socket-cloexec.
Date: Sun, 11 Oct 2020 21:30:10 +0300	[thread overview]
Message-ID: <20201011183012.15932-6-go.wigust@gmail.com> (raw)
In-Reply-To: <20201011183012.15932-1-go.wigust@gmail.com>

* gnu/packages/patches/nginx-socket-cloexec.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add this.
* gnu/packages/web.scm (nginx-socket-cloexec): New variable.
---
 gnu/local.mk                                  |   1 +
 .../patches/nginx-socket-cloexec.patch        | 185 ++++++++++++++++++
 gnu/packages/web.scm                          |  10 +
 3 files changed, 196 insertions(+)
 create mode 100644 gnu/packages/patches/nginx-socket-cloexec.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b59b122e86..947b3ef17f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1362,6 +1362,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/nfs4-acl-tools-0.3.7-fixpaths.patch	\
   %D%/packages/patches/ngircd-handle-zombies.patch		\
   %D%/packages/patches/network-manager-plugin-path.patch	\
+  %D%/packages/patches/nginx-socket-cloexec.patch		\
   %D%/packages/patches/nsis-env-passthru.patch			\
   %D%/packages/patches/nss-increase-test-timeout.patch		\
   %D%/packages/patches/nss-pkgconfig.patch			\
diff --git a/gnu/packages/patches/nginx-socket-cloexec.patch b/gnu/packages/patches/nginx-socket-cloexec.patch
new file mode 100644
index 0000000000..985ce573b5
--- /dev/null
+++ b/gnu/packages/patches/nginx-socket-cloexec.patch
@@ -0,0 +1,185 @@
+diff --git a/auto/unix b/auto/unix
+index 10835f6c..b5b33bb3 100644
+--- a/auto/unix
++++ b/auto/unix
+@@ -990,3 +990,27 @@ ngx_feature_test='struct addrinfo *res;
+                   if (getaddrinfo("localhost", NULL, NULL, &res) != 0) return 1;
+                   freeaddrinfo(res)'
+ . auto/feature
++
++ngx_feature="SOCK_CLOEXEC support"
++ngx_feature_name="NGX_HAVE_SOCKET_CLOEXEC"
++ngx_feature_run=no
++ngx_feature_incs="#include <sys/types.h>
++                  #include <sys/socket.h>"
++ngx_feature_path=
++ngx_feature_libs=
++ngx_feature_test="int fd;
++                  fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);"
++. auto/feature
++
++ngx_feature="FD_CLOEXEC support"
++ngx_feature_name="NGX_HAVE_FD_CLOEXEC"
++ngx_feature_run=no
++ngx_feature_incs="#include <sys/types.h>
++                  #include <sys/socket.h>
++                  #include <fcntl.h>"
++ngx_feature_path=
++ngx_feature_libs=
++ngx_feature_test="int fd;
++                  fd = socket(AF_INET, SOCK_STREAM, 0);
++                  fcntl(fd, F_SETFD, FD_CLOEXEC);"
++. auto/feature
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index cd55520c..438e0806 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -4466,8 +4466,14 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec)
+     ngx_event_t       *rev, *wev;
+     ngx_connection_t  *c;
+ 
++#if (NGX_HAVE_SOCKET_CLOEXEC)
++    s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, 0);
++
++#else
+     s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM, 0);
+ 
++#endif
++
+     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, &rec->log, 0, "TCP socket %d", s);
+ 
+     if (s == (ngx_socket_t) -1) {
+@@ -4494,6 +4500,15 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec)
+         goto failed;
+     }
+ 
++#if (NGX_HAVE_FD_CLOEXEC)
++    if (ngx_cloexec(s) == -1) {
++        ngx_log_error(NGX_LOG_ALERT, &rec->log, ngx_socket_errno,
++                      ngx_cloexec_n " failed");
++
++        goto failed;
++    }
++#endif
++
+     rev = c->read;
+     wev = c->write;
+ 
+diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h
+index 19fec68..8c2f01a 100644
+--- a/src/event/ngx_event.h
++++ b/src/event/ngx_event.h
+@@ -73,6 +73,9 @@ struct ngx_event_s {
+     /* to test on worker exit */
+     unsigned         channel:1;
+     unsigned         resolver:1;
++#if (HAVE_SOCKET_CLOEXEC_PATCH)
++    unsigned         skip_socket_leak_check:1;
++#endif
+ 
+     unsigned         cancelable:1;
+ 
+diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c
+index 77563709..5827b9d0 100644
+--- a/src/event/ngx_event_accept.c
++++ b/src/event/ngx_event_accept.c
+@@ -62,7 +62,9 @@ ngx_event_accept(ngx_event_t *ev)
+ 
+ #if (NGX_HAVE_ACCEPT4)
+         if (use_accept4) {
+-            s = accept4(lc->fd, &sa.sockaddr, &socklen, SOCK_NONBLOCK);
++            s = accept4(lc->fd, &sa.sockaddr, &socklen,
++                        SOCK_NONBLOCK | SOCK_CLOEXEC);
++
+         } else {
+             s = accept(lc->fd, &sa.sockaddr, &socklen);
+         }
+@@ -202,6 +204,16 @@ ngx_event_accept(ngx_event_t *ev)
+                     ngx_close_accepted_connection(c);
+                     return;
+                 }
++
++#if (NGX_HAVE_FD_CLOEXEC)
++                if (ngx_cloexec(s) == -1) {
++                    ngx_log_error(NGX_LOG_ALERT, ev->log, ngx_socket_errno,
++                                  ngx_cloexec_n " failed");
++                    ngx_close_accepted_connection(c);
++                    return;
++                }
++#endif
++
+             }
+         }
+ 
+diff --git a/src/event/ngx_event_connect.c b/src/event/ngx_event_connect.c
+index c5bb8068..cf33b1d2 100644
+--- a/src/event/ngx_event_connect.c
++++ b/src/event/ngx_event_connect.c
+@@ -38,8 +38,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
+ 
+     type = (pc->type ? pc->type : SOCK_STREAM);
+ 
++#if (NGX_HAVE_SOCKET_CLOEXEC)
++    s = ngx_socket(pc->sockaddr->sa_family, type | SOCK_CLOEXEC, 0);
++
++#else
+     s = ngx_socket(pc->sockaddr->sa_family, type, 0);
+ 
++#endif
++
++
+     ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0, "%s socket %d",
+                    (type == SOCK_STREAM) ? "stream" : "dgram", s);
+ 
+@@ -80,6 +87,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
+         goto failed;
+     }
+ 
++#if (NGX_HAVE_FD_CLOEXEC)
++    if (ngx_cloexec(s) == -1) {
++        ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno,
++                      ngx_cloexec_n " failed");
++
++        goto failed;
++    }
++#endif
++
+     if (pc->local) {
+ 
+ #if (NGX_HAVE_TRANSPARENT_PROXY)
+diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
+index c4376a5..48e8fa8 100644
+--- a/src/os/unix/ngx_process_cycle.c
++++ b/src/os/unix/ngx_process_cycle.c
+@@ -1032,6 +1032,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle)
+         for (i = 0; i < cycle->connection_n; i++) {
+             if (c[i].fd != -1
+                 && c[i].read
++#if (HAVE_SOCKET_CLOEXEC_PATCH)
++                && !c[i].read->skip_socket_leak_check
++#endif
+                 && !c[i].read->accept
+                 && !c[i].read->channel
+                 && !c[i].read->resolver)
+diff --git a/src/os/unix/ngx_socket.h b/src/os/unix/ngx_socket.h
+index fcc51533..d1eebf47 100644
+--- a/src/os/unix/ngx_socket.h
++++ b/src/os/unix/ngx_socket.h
+@@ -38,6 +38,17 @@ int ngx_blocking(ngx_socket_t s);
+ 
+ #endif
+ 
++#if (NGX_HAVE_FD_CLOEXEC)
++
++#define ngx_cloexec(s)      fcntl(s, F_SETFD, FD_CLOEXEC)
++#define ngx_cloexec_n       "fcntl(FD_CLOEXEC)"
++
++/* at least FD_CLOEXEC is required to ensure connection fd is closed
++ * after execve */
++#define HAVE_SOCKET_CLOEXEC_PATCH  1
++
++#endif
++
+ int ngx_tcp_nopush(ngx_socket_t s);
+ int ngx_tcp_push(ngx_socket_t s);
+ 
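Review bot: The new nginx-socket-cloexec.patch begins directly at `+diff --git a/auto/unix b/auto/unix`, with no header saying where the patch comes from or which nginx release it was written against, so the copy cannot be compared with its origin. Because it changes which descriptors a network daemon keeps open across execve, a short header ahead of the first `diff` line would help, for example `Set close-on-exec on accepted and outgoing connection sockets. Taken from <UPSTREAM-URL>, revision <UPSTREAM-REVISION>.` Two details are worth confirming against that origin. First, `skip_socket_leak_check` is declared in ngx_event.h and tested in ngx_worker_process_exit but never set anywhere in this file, so presumably another module sets it. Second, the `#if (NGX_HAVE_FD_CLOEXEC)` fcntl blocks in ngx_tcp_connect and ngx_event_connect_peer are compiled even when the socket was already created with `SOCK_CLOEXEC`, while the `accept4` call adds `SOCK_CLOEXEC` under `NGX_HAVE_ACCEPT4` alone rather than `NGX_HAVE_SOCKET_CLOEXEC`.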
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 1699c92366..f7330aa749 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -550,6 +550,16 @@ This is modified version, specifically intended for use with the NGinx
 documentation.")
       (license license:bsd-2))))
 
+(define nginx-socket-cloexec
+  (package
+    (inherit nginx)
+    (name "nginx-socket-cloexec") ;required for lua-resty-shell
+    (source
+     (origin
+       (inherit (package-source nginx))
+       (patches (append (search-patches "nginx-socket-cloexec.patch")
+                        (origin-patches (package-source nginx))))))))
+
 (define-public lighttpd
   (package
     (name "lighttpd")
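Review bot: `nginx-socket-cloexec` is bound with `define` rather than `define-public`, and its only explanation is the trailing `;required for lua-resty-shell` on the name field, so it is unclear from here whether the variant is meant to be private or why it exists. A comment above the definition would settle both, for example `;; nginx with close-on-exec set on connection sockets; private variant used as an input by <CONSUMER-PACKAGE>.` Because everything else is inherited from `nginx`, the patch has to keep applying whenever `nginx` is updated, so the same comment could say that a version or security update of nginx needs the patch re-checked.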
-- 
2.28.0




