Subject: [bug#43933] [PATCH 6/8] gnu: Add nginx-socket-cloexec.
To: 43933@debbugs.gnu.org
From: Oleg Pykhalov
Date: Sun, 11 Oct 2020 21:30:10 +0300

* gnu/packages/patches/nginx-socket-cloexec.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add this.
* gnu/packages/web.scm (nginx-socket-cloexec): New variable.
---
 gnu/local.mk | 1 +
 .../patches/nginx-socket-cloexec.patch | 185 ++++++++++++++++++
 gnu/packages/web.scm | 10 +
 3 files changed, 196 insertions(+)
 create mode 100644 gnu/packages/patches/nginx-socket-cloexec.patch

diff --git a/gnu/local.mk b/gnu/local.mk index b59b122e86..947b3ef17f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1362,6 +1362,7 @@ dist_patch_DATA = \ %D%/packages/patches/nfs4-acl-tools-0.3.7-fixpaths.patch \ %D%/packages/patches/ngircd-handle-zombies.patch \ %D%/packages/patches/network-manager-plugin-path.patch \ + %D%/packages/patches/nginx-socket-cloexec.patch \ %D%/packages/patches/nsis-env-passthru.patch \ %D%/packages/patches/nss-increase-test-timeout.patch \ %D%/packages/patches/nss-pkgconfig.patch \ 
diff --git a/gnu/packages/patches/nginx-socket-cloexec.patch b/gnu/packages/patches/nginx-socket-cloexec.patch new file mode 100644 index 0000000000..985ce573b5 --- /dev/null +++ b/gnu/packages/patches/nginx-socket-cloexec.patch 
@@ -0,0 +1,185 @@ +diff --git a/auto/unix b/auto/unix +index 10835f6c..b5b33bb3 100644 +--- a/auto/unix ++++ b/auto/unix +@@ -990,3 +990,27 @@ ngx_feature_test='struct addrinfo *res; + if (getaddrinfo("localhost", NULL, NULL, &res) != 0) return 1; + freeaddrinfo(res)' + . auto/feature ++ ++ngx_feature="SOCK_CLOEXEC support" ++ngx_feature_name="NGX_HAVE_SOCKET_CLOEXEC" ++ngx_feature_run=no ++ngx_feature_incs="#include ++ #include " ++ngx_feature_path= ++ngx_feature_libs= ++ngx_feature_test="int fd; ++ fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);" ++. auto/feature ++ ++ngx_feature="FD_CLOEXEC support" ++ngx_feature_name="NGX_HAVE_FD_CLOEXEC" ++ngx_feature_run=no ++ngx_feature_incs="#include ++ #include ++ #include " ++ngx_feature_path= ++ngx_feature_libs= ++ngx_feature_test="int fd; ++ fd = socket(AF_INET, SOCK_STREAM, 0); ++ fcntl(fd, F_SETFD, FD_CLOEXEC);" ++. auto/feature +diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c +index cd55520c..438e0806 100644 +--- a/src/core/ngx_resolver.c ++++ b/src/core/ngx_resolver.c +@@ -4466,8 +4466,14 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec) + ngx_event_t *rev, *wev; + ngx_connection_t *c; + ++#if (NGX_HAVE_SOCKET_CLOEXEC) ++ s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, 0); ++ ++#else + s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM, 0); + ++#endif ++ + ngx_log_debug1(NGX_LOG_DEBUG_EVENT, &rec->log, 0, "TCP socket %d", s); + + if (s == (ngx_socket_t) -1) { +@@ -4494,6 +4500,15 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec) + goto failed; + } + ++#if (NGX_HAVE_FD_CLOEXEC) ++ if (ngx_cloexec(s) == -1) { ++ ngx_log_error(NGX_LOG_ALERT, &rec->log, ngx_socket_errno, ++ ngx_cloexec_n " failed"); ++ ++ goto failed; ++ } ++#endif ++ + rev = c->read; + wev = c->write; + +diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h +index 19fec68..8c2f01a 100644 +--- a/src/event/ngx_event.h ++++ b/src/event/ngx_event.h +@@ -73,6 +73,9 @@ struct ngx_event_s { + /* to test on 
worker exit */ + unsigned channel:1; + unsigned resolver:1; ++#if (HAVE_SOCKET_CLOEXEC_PATCH) ++ unsigned skip_socket_leak_check:1; ++#endif + + unsigned cancelable:1; + +diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c +index 77563709..5827b9d0 100644 +--- a/src/event/ngx_event_accept.c ++++ b/src/event/ngx_event_accept.c +@@ -62,7 +62,9 @@ ngx_event_accept(ngx_event_t *ev) + + #if (NGX_HAVE_ACCEPT4) + if (use_accept4) { +- s = accept4(lc->fd, &sa.sockaddr, &socklen, SOCK_NONBLOCK); ++ s = accept4(lc->fd, &sa.sockaddr, &socklen, ++ SOCK_NONBLOCK | SOCK_CLOEXEC); ++ + } else { + s = accept(lc->fd, &sa.sockaddr, &socklen); + } +@@ -202,6 +204,16 @@ ngx_event_accept(ngx_event_t *ev) + ngx_close_accepted_connection(c); + return; + } ++ ++#if (NGX_HAVE_FD_CLOEXEC) ++ if (ngx_cloexec(s) == -1) { ++ ngx_log_error(NGX_LOG_ALERT, ev->log, ngx_socket_errno, ++ ngx_cloexec_n " failed"); ++ ngx_close_accepted_connection(c); ++ return; ++ } ++#endif ++ + } + } + +diff --git a/src/event/ngx_event_connect.c b/src/event/ngx_event_connect.c +index c5bb8068..cf33b1d2 100644 +--- a/src/event/ngx_event_connect.c ++++ b/src/event/ngx_event_connect.c +@@ -38,8 +38,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) + + type = (pc->type ? pc->type : SOCK_STREAM); + ++#if (NGX_HAVE_SOCKET_CLOEXEC) ++ s = ngx_socket(pc->sockaddr->sa_family, type | SOCK_CLOEXEC, 0); ++ ++#else + s = ngx_socket(pc->sockaddr->sa_family, type, 0); + ++#endif ++ ++ + ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0, "%s socket %d", + (type == SOCK_STREAM) ? 
"stream" : "dgram", s); + +@@ -80,6 +87,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) + goto failed; + } + ++#if (NGX_HAVE_FD_CLOEXEC) ++ if (ngx_cloexec(s) == -1) { ++ ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno, ++ ngx_cloexec_n " failed"); ++ ++ goto failed; ++ } ++#endif ++ + if (pc->local) { + + #if (NGX_HAVE_TRANSPARENT_PROXY) +diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c +index c4376a5..48e8fa8 100644 +--- a/src/os/unix/ngx_process_cycle.c ++++ b/src/os/unix/ngx_process_cycle.c +@@ -1032,6 +1032,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle) + for (i = 0; i < cycle->connection_n; i++) { + if (c[i].fd != -1 + && c[i].read ++#if (HAVE_SOCKET_CLOEXEC_PATCH) ++ && !c[i].read->skip_socket_leak_check ++#endif + && !c[i].read->accept + && !c[i].read->channel + && !c[i].read->resolver) +diff --git a/src/os/unix/ngx_socket.h b/src/os/unix/ngx_socket.h +index fcc51533..d1eebf47 100644 +--- a/src/os/unix/ngx_socket.h ++++ b/src/os/unix/ngx_socket.h +@@ -38,6 +38,17 @@ int ngx_blocking(ngx_socket_t s); + + #endif + ++#if (NGX_HAVE_FD_CLOEXEC) ++ ++#define ngx_cloexec(s) fcntl(s, F_SETFD, FD_CLOEXEC) ++#define ngx_cloexec_n "fcntl(FD_CLOEXEC)" ++ ++/* at least FD_CLOEXEC is required to ensure connection fd is closed ++ * after execve */ ++#define HAVE_SOCKET_CLOEXEC_PATCH 1 ++ ++#endif ++ + int ngx_tcp_nopush(ngx_socket_t s); + int ngx_tcp_push(ngx_socket_t s); + diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index 1699c92366..f7330aa749 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm 
@@ -550,6 +550,16 @@ This is modified version, specifically intended for use with the NGinx documentation.") (license license:bsd-2)))) +(define nginx-socket-cloexec + (package + (inherit nginx) + (name "nginx-socket-cloexec") ;required for lua-resty-shell + (source + (origin + (inherit (package-source nginx)) + (patches (append (search-patches "nginx-socket-cloexec.patch") + (origin-patches (package-source nginx)))))))) + (define-public lighttpd (package (name "lighttpd") -- 2.28.0
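
Review bot: both new probes in auto/unix set ngx_feature_run=no, so NGX_HAVE_SOCKET_CLOEXEC only shows that SOCK_CLOEXEC compiles against the build host's headers. socket() returns EINVAL for the flag on kernels that predate it, and the patched call sites in ngx_resolver.c and ngx_event_connect.c have no retry without the flag. Either state the minimum kernel this package targets or fall back to plain socket() followed by ngx_cloexec() when EINVAL is returned.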
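
Review bot: in ngx_tcp_connect() (src/core/ngx_resolver.c) and ngx_event_connect_peer() (src/event/ngx_event_connect.c), the added ngx_cloexec(s) block is guarded only by NGX_HAVE_FD_CLOEXEC, so where both macros are defined the socket is created with SOCK_CLOEXEC and then gets a second fcntl() for a flag it already carries. Guard the fallback with "#if (NGX_HAVE_FD_CLOEXEC && !NGX_HAVE_SOCKET_CLOEXEC)" and add a one-line comment that the fcntl() path is not atomic with socket(), which is the reason the flag form is preferred.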
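
Review bot: the accept4() call in ngx_event_accept() (src/event/ngx_event_accept.c) now passes "SOCK_NONBLOCK | SOCK_CLOEXEC" with no NGX_HAVE_SOCKET_CLOEXEC guard, unlike the socket() call sites elsewhere in this patch, so the new configure probe has no say on this path. Wrap the flag in the same #if for consistency. In the second hunk of the same file, the ngx_cloexec(s) block is followed by two closing braces of context, so it sits inside conditional blocks whose conditions are not visible in the hunk; please confirm that descriptors returned by the plain accept() branch always reach it, since that branch is the one that gets no flag at creation time.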
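
Review bot: skip_socket_leak_check is declared in struct ngx_event_s (src/event/ngx_event.h) and tested in ngx_worker_process_exit() (src/os/unix/ngx_process_cycle.c), but no hunk in this patch sets it, so as submitted it only shifts the bit-field layout. Add a comment in ngx_event.h naming the consumer expected to set the bit, and note that the field exists only when HAVE_SOCKET_CLOEXEC_PATCH is defined, so any module compiled against these headers must see the same macro value to agree on the layout.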
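
Review bot: the ngx_cloexec(s) macro in src/os/unix/ngx_socket.h expands to "fcntl(s, F_SETFD, FD_CLOEXEC)", which overwrites the descriptor-flag word instead of OR-ing FD_CLOEXEC into the value read with F_GETFD. That works while FD_CLOEXEC is the only descriptor flag in use, but a read-modify-write is the conventional form. HAVE_SOCKET_CLOEXEC_PATCH is also the only macro in this hunk without the NGX_ prefix; if the name is dictated by an external consumer, say so in the comment above it.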
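
Review bot: nginx-socket-cloexec in gnu/packages/web.scm is introduced with define rather than define-public, so it is not exported from the module, and its only stated purpose is the inline comment "required for lua-resty-shell". If it is meant as an internal build input, say so in a comment or wrap it with hidden-package; if users should be able to install it, it needs define-public plus its own synopsis and description explaining how it differs from nginx. Because it inherits source and version from nginx, the patch has to keep applying on every nginx update, which deserves a note next to the nginx definition.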