- On startup of unbound it checks if rlimits on memory size look

sufficient for the configured cache size, and logs warning if not.
2024-09-21 14:47:09 +00:00 · 2021-02-24 14:14:33 +01:00 · 2021-02-24 14:14:33 +01:00 · d3497f6bd1
commit d3497f6bd1
parent 7f25bb4730
4 changed files with 50 additions and 0 deletions
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@ -197,6 +197,33 @@ checkrlimits(struct config_file* cfg)
 	size_t total = numthread * perthread + misc;
 	size_t avail;
 	struct rlimit rlim;
+	size_t memsize_expect = cfg->msg_cache_size + cfg->rrset_cache_size
+		+ (cfg->do_tcp?cfg->stream_wait_size:0)
+		+ (cfg->ip_ratelimit?cfg->ip_ratelimit_size:0)
+		+ (cfg->ratelimit?cfg->ratelimit_size:0)
+		+ (cfg->dnscrypt?cfg->dnscrypt_shared_secret_cache_size + cfg->dnscrypt_nonce_cache_size:0)
+		+ cfg->infra_cache_numhosts * (sizeof(struct infra_key)+sizeof(struct infra_data));
+	if(strstr(cfg->module_conf, "validator") && (cfg->trust_anchor_file_list || cfg->trust_anchor_list || cfg->auto_trust_anchor_file_list || cfg->trusted_keys_file_list)) {
+		memsize_expect += cfg->key_cache_size + cfg->neg_cache_size;
+	}
+#ifdef HAVE_NGHTTP2_NGHTTP2_H
+	if(cfg_has_https(cfg)) {
+		memsize_expect += cfg->http_query_buffer_size + cfg->http_response_buffer_size;
+	}
+#endif
+
+	if(getrlimit(RLIMIT_AS, &rlim) == 0) {
+		if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY &&
+			rlim.rlim_cur < (rlim_t)memsize_expect) {
+			log_warn("the ulimit(max memory size) is smaller than the expected memory usage (added size of caches). %u < %u bytes", (unsigned)rlim.rlim_cur, (unsigned)memsize_expect);
+		}
+	}
+	if(getrlimit(RLIMIT_DATA, &rlim) == 0) {
+		if(rlim.rlim_cur != (rlim_t)RLIM_INFINITY &&
+			rlim.rlim_cur < memsize_expect) {
+			log_warn("the ulimit(data seg size) is smaller than the expected memory usage (added size of caches). %u < %u bytes", (unsigned)rlim.rlim_cur, (unsigned)memsize_expect);
+		}
+	}

 	if(total > 1024 && 
 		strncmp(ub_event_get_version(), "mini-event", 10) == 0) {
--- a/doc/Changelog
+++ b/doc/Changelog
@ -4,6 +4,10 @@
 	- ipsecmod: Better logging for detecting a cycle when attaching the
 	  A/AAAA subquery.

+24 February 2021: Wouter
+	- On startup of unbound it checks if rlimits on memory size look
+	  sufficient for the configured cache size, and logs warning if not.
+
 23 February 2021: Wouter
 	- Fix for zonemd, that domain-insecure zones work without dnssec.
 	- Fix for zonemd, do not reject insecure result from trust anchor
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@ -1105,6 +1105,19 @@ if_is_https(const char* ifname, const char* port, int https_port)
 	return 0;
 }

+/** see if config contains https turned on */
+int cfg_has_https(struct config_file* cfg)
+{
+	int i;
+	char portbuf[32];
+	snprintf(portbuf, sizeof(portbuf), "%d", cfg->port);
+	for(i = 0; i<cfg->num_ifs; i++) {
+		if(if_is_https(cfg->ifs[i], portbuf, cfg->https_port))
+			return 1;
+	}
+	return 0;
+}
+
 /**
 * Helper for ports_open. Creates one interface (or NULL for default).
 * @param ifname: The interface ip address.
--- a/services/listen_dnsport.h
+++ b/services/listen_dnsport.h
@ -147,6 +147,12 @@ void listening_ports_free(struct listen_port* list);
 int resolve_interface_names(struct config_file* cfg, char*** resif,
 	int* num_resif);

+/**
+ * Return true if the config contains settinsg that enable https.
+ * @return true if https ports are used for server.
+ */
+int cfg_has_https(struct config_file* cfg);
+
 /**
 * Create commpoints with for this thread for the shared ports.
 * @param base: the comm_base that provides event functionality.