Segfault on reload
Hello,
I have one minor issue: I'd like to reload the tables without interrupting active connections to the proxy. My understanding is that the "reload" command will accomplish this by invoking SIGHUP. Sure enough, the reload works only on the first attempt after the daemon is loaded/reloaded. Any subsequent reload attempts exhibit the following error:
Mar 30 23:18:35 proxy1-resi-us1 systemd: Started Transparent TLS proxy.
Mar 30 23:18:35 proxy1-resi-us1 systemd: Starting Transparent TLS proxy...
Mar 30 23:18:41 proxy1-resi-us1 systemd: PID file /var/tmp/sniproxy.pid not readable (yet?) after reload.
Mar 30 23:18:41 proxy1-resi-us1 systemd: Reloaded Transparent TLS proxy.
Mar 30 23:18:42 proxy1-resi-us1 kernel: sniproxy[9971]: segfault at 0 ip 00007f28305f0332 sp 00007ffec4ac61e0 error 4 in libc-2.17.so[7f283057d000+1b8000]
Mar 30 23:18:42 proxy1-resi-us1 systemd: sniproxy.service: main process exited, code=killed, status=11/SEGV
Mar 30 23:18:42 proxy1-resi-us1 systemd: PID file /var/tmp/sniproxy.pid not readable (yet?) after reload.
Mar 30 23:18:42 proxy1-resi-us1 systemd: Reload failed for Transparent TLS proxy.
Mar 30 23:18:42 proxy1-resi-us1 systemd: Unit sniproxy.service entered failed state.
Mar 30 23:18:42 proxy1-resi-us1 systemd: sniproxy.service failed.
Mar 30 23:19:53 proxy1-resi-us1 systemd: Unit sniproxy.service cannot be reloaded because it is inactive.
Mar 30 23:19:57 proxy1-resi-us1 systemd: Started Transparent TLS proxy.
Mar 30 23:19:57 proxy1-resi-us1 systemd: Starting Transparent TLS proxy...
OS = CentOS 7
sniproxy -V
sniproxy 0.5.0+git.51.g7c86c12
Systemd startup parameters:
[Unit]
Description=Transparent TLS proxy
Documentation=
After=syslog.target
After=network-online.target

[Service]
User=root
Group=root
PrivateTmp=true
Type=simple
PIDFile=/var/tmp/sniproxy.pid
ExecStart=/usr/sbin/sniproxy -f -c /etc/sniproxy/sniproxy.conf
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
Yikes! It should load the config and patch the current state with the new config. Could I trouble you to rebuild with debugging symbols (CFLAGS=-g ./configure && make), enable core dumps (ulimit -c unlimited), run sniproxy as root (username root in config) and obtain a backtrace with GDB? If not, could you send me your configurations before and after so I can try to reproduce this -- if you don't want to post them publicly you can email them to me (my email is on my public GitHub profile).
Well, you inadvertently resolved my issue, haha. I was running with "user daemon" in the config, which resulted in starting MainPID under the daemon user and the subprocess under the root user. Reload works persistently now.
Thanks and great work!!
Hmm, sounds like a permissions issue. Could you either try to obtain a backtrace running as user daemon by tweaking /proc/sys/kernel/core_pattern to a location writable by daemon (e.g. /tmp), or provide before and after configs so I can see if I can reproduce this? I think it's about time to cut a 0.6.0 release and would like to squash any remaining bugs.
I did what you asked and reverted my changes to replicate the issue but no core dump was produced.
cat /proc/sys/kernel/core_pattern
/tmp/cores/core.%e.%p.%h.%t
ll /tmp/cores
total 0
user root
pidfile /var/tmp/sniproxy.pid
# The DNS resolver is required for tables configured using wildcard or hostname
# targets. If no resolver is specified, the nameserver and search domain are
# loaded from /etc/resolv.conf.
resolver {
    # Specify name server
    #
    # NOTE: it is strongly recommended to use a local caching DNS server, since
    # uDNS and thus SNIProxy only uses single socket to each name server so
    # each DNS query is only protected by the 16 bit query ID and lacks
    # additional source port randomization. Additionally no caching is
    # preformed within SNIProxy, so a local resolver can improve performance.
    nameserver 8.8.8.8
    # DNS search domain
    search example.com
    # Specify which type of address to lookup in DNS:
    #
    # * ipv4_only query for IPv4 addresses (default)
    # * ipv6_only query for IPv6 addresses
    # * ipv4_first query for both IPv4 and IPv6, use IPv4 is present
    # * ipv6_first query for both IPv4 and IPv6, use IPv6 is present
    mode ipv4_only
}
error_log {
    filename /var/log/sniproxy/error.log
    priority notice
}
access_log {
    filename /var/log/sniproxy/access.log
}
listen 80 {
    proto http
    bad_requests log
}
listen 443 {
    proto tls
    bad_requests log
}
table {
    #Start_Table
    ifconfig\.co *
    speedtest\.net *
}
#Start_Domain
#ifconfig.co
#speedtest.net
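
An added example, not part of the thread and not sniproxy code: a small checker that lists reasons the setup quoted above can crash without leaving a core file, and why systemd logs "PID file ... not readable". The function names and the inline unit/config text are constructed for illustration. It assumes a service without `LimitCORE=` inherits a soft core limit of 0 (the default on CentOS 7), that a file-path `core_pattern` is resolved inside the service's mount namespace, and that `fs.suid_dumpable=0` disables dumps for a process that has changed uid.

```python
import re

# Constructed inputs, modelled on the unit file and "user daemon" setting quoted in this thread.
UNIT = """\
[Service]
User=root
PrivateTmp=true
Type=simple
PIDFile=/var/tmp/sniproxy.pid
ExecStart=/usr/sbin/sniproxy -f -c /etc/sniproxy/sniproxy.conf
ExecReload=/bin/kill -HUP $MAINPID
"""
CONF = "user daemon\npidfile /var/tmp/sniproxy.pid\n"

PRIVATE_DIRS = ("/tmp/", "/var/tmp/")  # directories PrivateTmp= replaces per service

def unit_settings(text):
    """Return the [Service] key/value pairs of a unit file (last value wins)."""
    section, out = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def core_dump_blockers(unit, conf, core_pattern, suid_dumpable):
    """List the reasons a crash of this service would leave no usable core file."""
    svc = unit_settings(unit)
    m = re.search(r"^\s*user\s+(\S+)", conf, re.M)
    # Started as root by systemd, then the daemon itself switches to another user.
    drops_privs = svc.get("User", "root") == "root" and m and m.group(1) != "root"
    private_tmp = svc.get("PrivateTmp", "no").lower() in ("1", "yes", "true", "on")
    found = []
    if svc.get("LimitCORE") is None:
        found.append("unit sets no LimitCORE=; a shell's `ulimit -c` does not reach the service")
    if drops_privs and suid_dumpable == 0:
        found.append("process changes uid and fs.suid_dumpable=0, so it is not dumpable")
    if private_tmp and core_pattern.startswith(PRIVATE_DIRS):
        found.append("core_pattern is under a PrivateTmp= directory the host does not share")
    if private_tmp and svc.get("PIDFile", "").startswith(PRIVATE_DIRS):
        found.append("PIDFile= is under a PrivateTmp= directory, so systemd cannot read it")
    return found
```

Feed it the live values from `cat /proc/sys/kernel/core_pattern` and `sysctl -n fs.suid_dumpable`; clearing the findings allows a backtrace to be captured while the daemon still runs as an unprivileged user.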