MINOR: global: generate random cluster.secret if not defined
If no cluster-secret is defined by the user, a random one is silently
generated.
This ensures that at least QUIC Retry tokens are generated if abnormal
conditions are detected. However, it is advisable to specify it in the
configuration for tokens to be valid even after a reload or across LB
instances in the same cluster.
This should be backported up to 2.6.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 46f49bf..c3d4ea5 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1239,8 +1239,11 @@
same cluster. It could be used for different usages. It is at least used to
derive stateless reset tokens for all the QUIC connections instantiated by
this process. This is also the case to derive secrets used to encrypt Retry
- tokens. If you do not set this parameter, the stateless reset and Retry QUIC
- features will be both silently disabled.
+ tokens.
+
+ If this parameter is not set, a random value will be selected on process
+ startup. This allows to use features which rely on it, albeit with some
+ limitations.
cpu-map [auto:]<thread-group>[/<thread-set>] <cpu-set>...
On some operating systems, it is possible to bind a thread group or a thread
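Review bot: the new paragraph in the cluster-secret description should name the limitation instead of leaving "with some limitations" unexplained; the commit message already states it, so the doc can say that with a randomly generated secret, Retry and stateless reset tokens stop being valid after a reload or restart and are not shared across instances of the same cluster. Also "This allows to use features which rely on it" is not idiomatic; suggest "This allows features which rely on it to be used, albeit with some limitations", and the same wording appears in the comment added in src/haproxy.c.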
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 5a5744c..2410cee 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4375,9 +4375,11 @@
goto init_proxies_list_stage2;
}
- if (diag_no_cluster_secret)
- ha_diag_warning("No cluster secret was set. The stateless reset and Retry"
- " features are disabled for all QUIC bindings.\n");
+ if (diag_no_cluster_secret) {
+ ha_diag_warning("Generating a random cluster secret. "
+ "You should define your own one in the configuration to ensure consistency "
+ "after reload/restart or across your whole cluster.\n");
+ }
/*
* Recount currently required checks.
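Review bot: the braces added around the single ha_diag_warning() statement are not needed and the surrounding code does not use them for one-statement bodies; keep the statement bare as in the removed lines. Note also that ha_diag_warning() only prints in diagnostic mode, so in a default run nothing tells the administrator that an ephemeral secret is in use; if the intent is for this to be visible, a regular ha_warning() would be the place, otherwise the commit message's "silently generated" is accurate and the message text is fine.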
diff --git a/src/haproxy.c b/src/haproxy.c
index a4916cf..50850e9 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -1895,6 +1895,26 @@
}
}
+/* Generate a random cluster-secret in case the setting is not provided in the
+ * configuration. This allows to use features which rely on it albeit with some
+ * limitations.
+ */
+static void generate_random_cluster_secret()
+{
+ /* used as a default random cluster-secret if none defined. */
+ uint64_t rand = ha_random64();
+
+ /* The caller must not overwrite an already defined secret. */
+ BUG_ON(global.cluster_secret);
+
+ global.cluster_secret = malloc(8);
+ if (!global.cluster_secret)
+ return;
+
+ memcpy(global.cluster_secret, &rand, sizeof(rand));
+ global.cluster_secret[7] = '\0';
+}
+
/*
* This function initializes all the necessary variables. It only returns
* if everything is OK. If something fails, it exits.
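Review bot: generate_random_cluster_secret() produces a weaker and less predictable secret than intended. global.cluster_secret is stored as a NUL-terminated string elsewhere in the code base (it is strdup'd from the configuration), so after `memcpy(global.cluster_secret, &rand, sizeof(rand));` followed by `global.cluster_secret[7] = '\0';` only 7 of the 8 random bytes are kept, and any zero byte among those 7 truncates the effective secret further, sometimes to an empty string. Consider either storing the secret with an explicit length rather than as a string, or generating enough random bytes while skipping zero bytes, and size the buffer for the full secret rather than a hard-coded 8. Two smaller points: the definition should be `static void generate_random_cluster_secret(void)` to match the project's C style, and on malloc() failure the function returns silently leaving the secret NULL, which contradicts the diagnostic printed in cfgparse.c; an ha_alert() here would make that failure visible. Please also confirm that ha_random64() has been seeded from a strong source by the time this runs in init().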
@@ -2562,6 +2582,9 @@
exit(1);
}
+ if (!global.cluster_secret)
+ generate_random_cluster_secret();
+
/*
* Note: we could register external pollers here.
* Built-in pollers have been registered before main().
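Review bot: the call site cannot detect that generation failed, since generate_random_cluster_secret() returns void and leaves global.cluster_secret NULL when malloc() fails. The surrounding init() code treats allocation failures as fatal (see the `exit(1);` just above this hunk); suggest having the function return an int and handling a failure here the same way, so that the rest of the startup path can rely on the secret always being set, as the doc change now promises.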