
Does gkctl shell command support concurrent execution?

Open ShawnLeung87 opened this issue 1 year ago • 1 comments

Does gkctl shell command support concurrent execution? We developed a web console that transmits data to Gatekeeper by executing the gkctl shell command, but it is stated in the dynamic module that sockets do not support concurrency.

"""The dynamic configuration opens a UNIX socket and accepts only one active connection at a time to avoid dealing with concurrency. It receives Lua configuration files from a client, and then calls the corresponding functions to perform various operations, including listing, adding, or deleting entries in other functional blocks (e.g., GK, GT, LLS).

The client program that sends requests to the Dynamic Configuration is maintained under the gkctl folder. The available functions that can be called are available in the Dynamic Configuration library (see below)."""

ShawnLeung87 avatar Sep 24 '22 08:09 ShawnLeung87

The Dynamic Configuration (DYC) block does not support concurrent connections. This was a design choice. Most of what the DYC block does affects other blocks, which involves acquiring locks to avoid the corruption of data structures. Thus, had we implemented concurrent connections in the DYC block, we would've put a lot of effort into a feature that would end up sequentializing the connections because of the locks. Even worse, it would be hard to guarantee that the multiple connections could not produce a deadlock. Put another way, the interface of the DYC block is a batch interface.

The solution is to have software that channels the requests to the DYC block. An example is Drib. Not only does Drib maintain all prefix lists, but it also dynamically keeps the policy running on Grantor servers up to date via the DYC block.

A short-term solution for your problem may be to rewrite the part of your code that sends the requests to the DYC block, so all requests are sent in batches. For example, you could have a script at cron running every minute to look for requests from your web console.

A longer-term solution would be to have a daemon receive connections from your web consoles, and the daemon batches these requests to the DYC block. To avoid writing the daemon from scratch, employ a pub/sub server and write a script to subscribe to the messages for Gatekeeper. Your web console would concurrently write to the pub/sub server.

AltraMayor avatar Sep 26 '22 12:09 AltraMayor
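The batching daemon AltraMayor describes, sketched as an added example that is not Gatekeeper's, gkctl's or Drib's own code: many web-console threads submit requests concurrently into a queue, and a single sender drains that queue and ships each batch over one UNIX-socket connection at a time, which is all a DYC-style server accepts. The stand-in server, the socket path, the `request(p, i)` placeholder lines and the wire format (one batch per connection, ended by shutting down the write side) are all assumptions made for this example; the real DYC block expects Lua configuration files and its protocol is not shown on this page.

```python
import os
import queue
import socket
import tempfile
import threading


class SingleConnectionServer:
    """Stand-in for the DYC block (constructed for this example): serves one
    connection at a time on a UNIX socket and records each batch it receives."""

    def __init__(self, path):
        self.batches = []
        self._cond = threading.Condition()
        self._sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._sock.bind(path)
        self._sock.listen(1)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._sock.accept()  # the next client waits its turn
            except OSError:
                return  # listening socket was closed
            data = b""
            with conn:
                while chunk := conn.recv(4096):  # read until client shuts down writes
                    data += chunk
            with self._cond:
                self.batches.append(data.decode())
                self._cond.notify_all()

    def wait_for(self, n, timeout=5.0):
        """Block until n batches have arrived (or timeout); True on success."""
        with self._cond:
            return self._cond.wait_for(lambda: len(self.batches) >= n, timeout)

    def close(self):
        self._sock.close()


class BatchingGateway:
    """Hypothetical daemon core: accepts requests from many producers and
    forwards them to the single-connection server one batch at a time."""

    def __init__(self, path, max_batch=50):
        self.path = path
        self.max_batch = max_batch
        self._queue = queue.Queue()
        self._send_lock = threading.Lock()  # at most one DYC connection open

    def submit(self, lua_snippet):
        """Thread-safe; called concurrently by web-console request handlers."""
        self._queue.put(lua_snippet)

    def flush(self):
        """Drain pending requests and send them in batches; returns batch count."""
        sent = 0
        while True:
            batch = []
            while len(batch) < self.max_batch:
                try:
                    batch.append(self._queue.get_nowait())
                except queue.Empty:
                    break
            if not batch:
                return sent
            self._send_batch("\n".join(batch) + "\n")
            sent += 1

    def _send_batch(self, payload):
        with self._send_lock:  # serialize: the server accepts one connection at a time
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
                s.connect(self.path)
                s.sendall(payload.encode())
                s.shutdown(socket.SHUT_WR)  # assumed end-of-batch signal


def demo(producers=4, per_producer=30, max_batch=50):
    """Several threads submit concurrently; one flush ships everything in batches."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "dyc.sock")  # constructed socket path
    server = SingleConnectionServer(path)
    gateway = BatchingGateway(path, max_batch=max_batch)
    submitted = set()

    def console_worker(p):
        for i in range(per_producer):
            req = f"request({p}, {i})"  # placeholder line, not a real DYC call
            submitted.add(req)
            gateway.submit(req)

    threads = [threading.Thread(target=console_worker, args=(p,)) for p in range(producers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    batches = gateway.flush()
    server.wait_for(batches)
    delivered = {line for b in server.batches for line in b.splitlines()}
    server.close()
    os.unlink(path)
    os.rmdir(tmp)
    return {"submitted": len(submitted), "batches": batches,
            "delivered": len(delivered & submitted)}
```

With four producers of thirty requests each and a batch size of fifty, `demo()` reports three batches and every submitted line delivered; in a real daemon `flush()` would run on a timer or be triggered by a pub/sub consumer, and the lock around `_send_batch` is what keeps a second console from ever racing for the socket.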