Hello Richard,
I added the global parameter tls_threads_mode, which I consider to reflect
the purpose better than the proposed enable_tls_threads. In the code it
is the global variable ksr_tls_threads_mode which is exposed via
core/globals.h -- you can see commit:
https://github.com/kamailio/kamailio/commit/4d6e37fa048a1aaa2d2fc6655985b4b…
Cheers,
Daniel
On 06.02.24 12:20, Richard Chan wrote:
Hi Daniel / Henning,
I would like to propose a global config to restore the non-threaded
default:
    enable_tls = no|yes             #(EXISTING) boolean
    enable_tls_threads = 0 | 1 | 2  #(NEW) int
        0: disable thread-wrappers (restores kamailio behaviour)
           - default when enable_tls = no
        1: thread-wrapper only for process_no = 0 (main process)
           - default when enable_tls = yes
        2: thread-wrapper on for all processes
Now the behaviour for the thread wrappers can be
    /* pseudo-code
     * fn is the wrapped function */
    run_threadXXXX (fn, ...)
    {
        int flag = cfg_get_tls_threads();
        if (likely(flag == 0 || (flag == 1 && process_no != 0))) {
            return fn(...); // execute wrapped function directly - no thread
        } else { /* flag == 2 || (flag == 1 && process_no == 0) */
            /*
            ** run fn in thread
            */
        }
    }
I am not familiar with the bison grammar or parsing of the global
config file — I would need your help (or another developer familiar
with the core parsing) to set this up. When this cfg flag is available
I can change all the thread-runners to check the global config.
With respect to 5.7 - stable branch - unfortunately due to the changes
to OpenSSL 3 it is broken - #3635 - with more load there will be
double-free errors; #3727 - cannot load tls and db module (even if the
db module does not use TLS it may initialize OpenSSL).
The changes while more intrusive than usual are the minimal viable set
of changes. With the commits on 5.7 you can have a TLS-enabled
/etc/kamailio.cfg using OpenSSL 3 and load a db module (with or
without TLS). To reiterate - even a pure in-memory TLS proxy without
database is subject to double free corruption.
To make the changes less intrusive: backport the global
enable_tls_threads config to 5.7.5+ or make the thread wrappers check
for process_no = 0. The latter (and more minimal) change would mean
that all Kamailio workers will have the existing behaviour and only
process_no = 0 tries to run thread wrappers.
Options:
A. 5.8-pre: add a global config enable_tls_threads to 5.8-pre (need
help on this part - the thread wrappers I would be able to fix)
B. 5.7.5+: backport A to 5.7 OR check for process_no = 0 in thread
wrappers(only change in parent process, no change to worker processes)
Let me know what you think - thanks for the comments.
Cheers
Richard
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
Kamailio Advanced Training, February 20-22, 2024 -- asipto.com
Kamailio World Conference, April 18-19, 2024, Berlin -- kamailioworld.com
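The 0/1/2 semantics proposed in the quoted message for enable_tls_threads, carried through to a working wrapper with POSIX threads, as an added example that is not part of either message and is not Kamailio's code. Here threads_mode and process_no are local stand-in variables, and run_thread_int, trampoline, probe and ran_in_thread are hypothetical names.

```c
#include <pthread.h>
#include <stdio.h>
/* Local stand-ins (assumptions), not Kamailio's core variables. */
static int threads_mode = 0, process_no = 0; /* mode 0: off, 1: process 0 only, 2: all */
static pthread_t caller;                     /* thread that invoked the wrapper */

typedef int (*wrapped_fn)(void *arg);
struct call { wrapped_fn fn; void *arg; int ret; };
static void *trampoline(void *p)
{
	struct call *c = p;
	c->ret = c->fn(c->arg);
	return NULL;
}

/* Run fn(arg) directly, or in a joined short-lived thread; -1 if none could start. */
static int run_thread_int(wrapped_fn fn, void *arg)
{
	struct call c = { fn, arg, -1 };
	pthread_t tid;
	if (threads_mode == 0 || (threads_mode == 1 && process_no != 0))
		return fn(arg); /* execute wrapped function directly, no thread */
	if (pthread_create(&tid, NULL, trampoline, &c) != 0)
		return -1;
	pthread_join(tid, NULL); /* join makes c.ret visible to the caller */
	return c.ret;
}

/* Sample wrapped function: reports whether it left the caller's thread. */
static int probe(void *arg)
{
	*(int *)arg = !pthread_equal(pthread_self(), caller);
	return 42;
}

/* 1 if probe ran in a separate thread, 0 if it ran directly, -1 on failure. */
static int ran_in_thread(int mode, int procno)
{
	int moved = -1;
	threads_mode = mode; process_no = procno; caller = pthread_self();
	return run_thread_int(probe, &moved) == 42 ? moved : -1;
}

int main(void)
{
	for (int m = 0; m <= 2; m++)
		printf("mode %d: proc 0 -> %d, proc 3 -> %d\n", m, ran_in_thread(m, 0), ran_in_thread(m, 3));
	return 0;
}
```

Because the wrapper returns -1 when no thread can be created, a wrapped function that itself returns -1 is indistinguishable from that failure in this example.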