			
		
		
		
	feature: applied a small patch to the nginx core to add support for the "privileged agent" process which is run by the same system account as the master.
Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
		
				
					committed by
					
						 Yichun Zhang (agentzh)
						Yichun Zhang (agentzh)
					
				
			
			
				
	
			
			
			
						parent
						
							391709ce4d
						
					
				
				
					commit
					79dc3c56aa
				
			
							
								
								
									
										208
									
								
								patches/nginx-1.11.2-privileged_agent_process.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										208
									
								
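--- a/patches/nginx-1.11.2-privileged_agent_process.patch
+++ b/patches/nginx-1.11.2-privileged_agent_process.patch
@@ -0,0 +1,208 @@
+diff --git a/src/core/nginx.c b/src/core/nginx.c
+index 60f8fe7..4bd244b 100644
+--- a/src/core/nginx.c
++++ b/src/core/nginx.c
+@@ -981,6 +981,7 @@ ngx_core_module_create_conf(ngx_cycle_t *cycle)
+ 
+     ccf->daemon = NGX_CONF_UNSET;
+     ccf->master = NGX_CONF_UNSET;
++    ccf->privileged_agent = NGX_CONF_UNSET;
+     ccf->timer_resolution = NGX_CONF_UNSET_MSEC;
+ 
+     ccf->worker_processes = NGX_CONF_UNSET;
+@@ -1009,6 +1010,7 @@ ngx_core_module_init_conf(ngx_cycle_t *cycle, void *conf)
+ 
+     ngx_conf_init_value(ccf->daemon, 1);
+     ngx_conf_init_value(ccf->master, 1);
++    ngx_conf_init_value(ccf->privileged_agent, 0);
+     ngx_conf_init_msec_value(ccf->timer_resolution, 0);
+ 
+     ngx_conf_init_value(ccf->worker_processes, 1);
+diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h
+index c51b7ff..3261f90 100644
+--- a/src/core/ngx_cycle.h
++++ b/src/core/ngx_cycle.h
+@@ -22,6 +22,9 @@
+ #define NGX_DEBUG_POINTS_ABORT  2
+ 
+ 
++#define HAVE_PRIVILEGED_PROCESS_PATCH   1
++
++
+ typedef struct ngx_shm_zone_s  ngx_shm_zone_t;
+ 
+ typedef ngx_int_t (*ngx_shm_zone_init_pt) (ngx_shm_zone_t *zone, void *data);
+@@ -81,6 +84,7 @@ struct ngx_cycle_s {
+ typedef struct {
+     ngx_flag_t                daemon;
+     ngx_flag_t                master;
++    ngx_flag_t                privileged_agent;
+ 
+     ngx_msec_t                timer_resolution;
+ 
+diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
+index 3ead164..2b3f8df 100644
+--- a/src/os/unix/ngx_process_cycle.c
++++ b/src/os/unix/ngx_process_cycle.c
+@@ -15,6 +15,8 @@ static void ngx_start_worker_processes(ngx_cycle_t *cycle, ngx_int_t n,
+     ngx_int_t type);
+ static void ngx_start_cache_manager_processes(ngx_cycle_t *cycle,
+     ngx_uint_t respawn);
++static void ngx_start_privileged_agent_processes(ngx_cycle_t *cycle,
++    ngx_uint_t respawn);
+ static void ngx_pass_open_channel(ngx_cycle_t *cycle, ngx_channel_t *ch);
+ static void ngx_signal_worker_processes(ngx_cycle_t *cycle, int signo);
+ static ngx_uint_t ngx_reap_children(ngx_cycle_t *cycle);
+@@ -24,6 +26,7 @@ static void ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker);
+ static void ngx_worker_process_exit(ngx_cycle_t *cycle);
+ static void ngx_channel_handler(ngx_event_t *ev);
+ static void ngx_cache_manager_process_cycle(ngx_cycle_t *cycle, void *data);
++static void ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data);
+ static void ngx_cache_manager_process_handler(ngx_event_t *ev);
+ static void ngx_cache_loader_process_handler(ngx_event_t *ev);
+ 
+@@ -51,6 +54,8 @@ sig_atomic_t  ngx_noaccept;
+ ngx_uint_t    ngx_noaccepting;
+ ngx_uint_t    ngx_restart;
+ 
++ngx_uint_t    ngx_is_privileged_agent;
++
+ 
+ static u_char  master_process[] = "master process";
+ 
+@@ -130,6 +135,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
+     ngx_start_worker_processes(cycle, ccf->worker_processes,
+                                NGX_PROCESS_RESPAWN);
+     ngx_start_cache_manager_processes(cycle, 0);
++    ngx_start_privileged_agent_processes(cycle, 0);
+ 
+     ngx_new_binary = 0;
+     delay = 0;
+@@ -224,6 +230,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
+                 ngx_start_worker_processes(cycle, ccf->worker_processes,
+                                            NGX_PROCESS_RESPAWN);
+                 ngx_start_cache_manager_processes(cycle, 0);
++                ngx_start_privileged_agent_processes(cycle, 0);
+                 ngx_noaccepting = 0;
+ 
+                 continue;
+@@ -243,6 +250,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
+             ngx_start_worker_processes(cycle, ccf->worker_processes,
+                                        NGX_PROCESS_JUST_RESPAWN);
+             ngx_start_cache_manager_processes(cycle, 1);
++            ngx_start_privileged_agent_processes(cycle, 1);
+ 
+             /* allow new processes to start */
+             ngx_msleep(100);
+@@ -257,6 +265,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle)
+             ngx_start_worker_processes(cycle, ccf->worker_processes,
+                                        NGX_PROCESS_RESPAWN);
+             ngx_start_cache_manager_processes(cycle, 0);
++            ngx_start_privileged_agent_processes(cycle, 0);
+             live = 1;
+         }
+ 
+@@ -424,6 +433,34 @@ ngx_start_cache_manager_processes(ngx_cycle_t *cycle, ngx_uint_t respawn)
+ 
+ 
+ static void
++ngx_start_privileged_agent_processes(ngx_cycle_t *cycle, ngx_uint_t respawn)
++{
++    ngx_channel_t          ch;
++    ngx_core_conf_t       *ccf;
++
++    ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx,
++                                           ngx_core_module);
++
++    if (!ccf->privileged_agent) {
++        return;
++    }
++
++    ngx_spawn_process(cycle, ngx_privileged_agent_process_cycle,
++                      "privileged agent process", "privileged agent process",
++                      respawn ? NGX_PROCESS_JUST_RESPAWN : NGX_PROCESS_RESPAWN);
++
++    ngx_memzero(&ch, sizeof(ngx_channel_t));
++
++    ch.command = NGX_CMD_OPEN_CHANNEL;
++    ch.pid = ngx_processes[ngx_process_slot].pid;
++    ch.slot = ngx_process_slot;
++    ch.fd = ngx_processes[ngx_process_slot].channel[0];
++
++    ngx_pass_open_channel(cycle, &ch);
++}
++
++
++static void
+ ngx_pass_open_channel(ngx_cycle_t *cycle, ngx_channel_t *ch)
+ {
+     ngx_int_t  i;
+@@ -827,7 +864,10 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
+         }
+     }
+ 
+-    if (geteuid() == 0) {
++    /*
++     * privileged agent process has the same permission as master process
++     */
++    if (!ngx_is_privileged_agent && geteuid() == 0) {
+         if (setgid(ccf->group) == -1) {
+             ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+                           "setgid(%d) failed", ccf->group);
+@@ -1144,6 +1184,44 @@ ngx_cache_manager_process_cycle(ngx_cycle_t *cycle, void *data)
+ 
+ 
+ static void
++ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data)
++{
++    char   *name = data;
++
++    /*
++     * Set correct process type since closing listening Unix domain socket
++     * in a master process also removes the Unix domain socket file.
++     */
++    ngx_process = NGX_PROCESS_HELPER;
++    ngx_is_privileged_agent = 1;
++
++    ngx_close_listening_sockets(cycle);
++
++    ngx_worker_process_init(cycle, -1);
++
++    ngx_use_accept_mutex = 0;
++
++    ngx_setproctitle(name);
++
++    for ( ;; ) {
++
++        if (ngx_terminate || ngx_quit) {
++            ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
++            ngx_worker_process_exit(cycle);
++        }
++
++        if (ngx_reopen) {
++            ngx_reopen = 0;
++            ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reopening logs");
++            ngx_reopen_files(cycle, -1);
++        }
++
++        ngx_process_events_and_timers(cycle);
++    }
++}
++
++
++static void
+ ngx_cache_manager_process_handler(ngx_event_t *ev)
+ {
+     time_t        next, n;
+diff --git a/src/os/unix/ngx_process_cycle.h b/src/os/unix/ngx_process_cycle.h
+index 69495d5..5149396 100644
+--- a/src/os/unix/ngx_process_cycle.h
++++ b/src/os/unix/ngx_process_cycle.h
+@@ -45,6 +45,7 @@ extern ngx_pid_t       ngx_new_binary;
+ extern ngx_uint_t      ngx_inherited;
+ extern ngx_uint_t      ngx_daemonized;
+ extern ngx_uint_t      ngx_exiting;
++extern ngx_uint_t      ngx_is_privileged_agent;
+ 
+ extern sig_atomic_t    ngx_reap;
+ extern sig_atomic_t    ngx_sigio;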
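Review bot: The comment added above `if (!ngx_is_privileged_agent && geteuid() == 0)` in the ngx_worker_process_init hunk understates what the guard does: it skips the whole setgid/setuid block, so when the master runs as root the agent stays root for the rest of that function and for its event loop. I would state that contract in the comment, e.g. `/* the privileged agent keeps the master's uid/gid (root if the master is root); nothing that handles client traffic may run in this process */`. The `ngx_conf_init_value(ccf->privileged_agent, 0);` line also deserves a comment saying the feature is off by default, since no directive that sets the flag is visible in these hunks and the enabling module presumably lives elsewhere. Separately, `ngx_start_privileged_agent_processes` reads `ngx_processes[ngx_process_slot]` without looking at the result of `ngx_spawn_process`; if a failed spawn can leave `ngx_process_slot` unchanged (that function is not shown here), the open-channel message would describe an unrelated slot, so capturing the return value and returning early on `NGX_INVALID_PID` seems worth adding. ngx_worker_process_init starts and ends outside its hunk.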
| @ -55,6 +55,10 @@ else | ||||
|     fi | ||||
| fi | ||||
|  | ||||
| echo "$info_txt applying the privileged-agent-process patch" | ||||
| patch -p1 < $root/patches/nginx-$main_ver-privileged_agent_process.patch || exit 1 | ||||
| echo | ||||
|  | ||||
| echo "$info_txt applying the upstream-pipelining patch for nginx" | ||||
| patch -p1 < $root/patches/nginx-$main_ver-upstream_pipelining.patch || exit 1 | ||||
| echo | ||||
|  | ||||