BUG/MINOR: mworker/ssl: close OpenSSL FDs on reload
From OpenSSL 1.1.1, the default behaviour is to maintain open FDs to any
random devices that get used by the random number library. As a result,
those FDs leak when the master re-execs on reload; since those FDs are
not marked FD_CLOEXEC or O_CLOEXEC, they also get inherited by children.
Eventually both master and children run out of FDs.
OpenSSL 1.1.1 introduces a new function to control whether the random
devices are kept open. When clearing the keep-open flag, it also closes
any currently open FDs, so it can be used to clean-up open FDs too.
Therefore, a call to this function is made in mworker_reload prior to
re-exec.
The call is guarded by whether SSL is in use, because it will cause
initialisation of the OpenSSL random number library if that has not
already been done.
This should be backported to 1.9 and 1.8.
diff --git a/src/haproxy.c b/src/haproxy.c
index 318ebf2..33f2e9d 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -127,6 +127,7 @@
#include <proto/vars.h>
#ifdef USE_OPENSSL
#include <proto/ssl_sock.h>
+#include <openssl/rand.h>
#endif
/* array of init calls for older platforms */
@@ -589,6 +590,11 @@
ptdf->fct();
if (fdtab)
deinit_pollers();
+#if defined(USE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+ if (global.ssl_used_frontend || global.ssl_used_backend)
+ /* close random device FDs */
+ RAND_keep_random_devices_open(0);
+#endif
/* restore the initial FD limits */
limit.rlim_cur = rlim_fd_cur_at_boot;