Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dnsdist: Add a lot more of build-time options to select features #10950

Merged
merged 31 commits into from
Dec 22, 2021

Conversation

rgacogne
Copy link
Member

@rgacogne rgacogne commented Nov 5, 2021

Short description

This PR adds a lot of build-time options to select which features are built into dnsdist, to reduce the attack surface, memory usage and disk usage.

These features can now be disabled via a configure option, thus not linking against the corresponding libraries:

  • cdb
  • ipcipher
  • libedit

For that last one, the console will still work if not disabled (see below) but no completion, history or line editing will be available.

These features can now be disabled by defining a value in CXXFLAGS:

  • carbon (DISABLE_CARBON)
  • completion (DISABLE_COMPLETION)
  • protobuf (DISABLE_PROTOBUF)
  • legacy dynamic blocks not using the new DynBlockRulesGroup interface (DISABLE_DEPRECATED_DYNBLOCK)
  • recvmmsg (DISABLE_RECVMMSG)
  • security polling (DISABLE_SECPOLL)
  • prometheus (DISABLE_PROMETHEUS)
  • accessing the configuration via the web interface (DISABLE_WEB_CONFIG)
  • built-in web page (DISABLE_BUILTIN_HTML)
  • custom Lua web handlers (DISABLE_LUA_WEB_HANDLERS)

Additionally several Lua bindings can be removed when they are not needed:

  • DISABLE_NON_FFI_DQ_BINDINGS
  • DISABLE_POLICIES_BINDINGS
  • DISABLE_DOWNSTREAM_BINDINGS
  • DISABLE_DNSHEADER_BINDINGS
  • DISABLE_COMBO_ADDR_BINDINGS
  • DISABLE_DNSNAME_BINDINGS
  • DISABLE_SUFFIX_MATCH_BINDINGS
  • DISABLE_NETMASK_BINDINGS
  • DISABLE_QPS_LIMITER_BINDINGS
  • DISABLE_PACKETCACHE_BINDINGS

It also cleans up the usage of various integer types in our Lua bindings, to prevent silent overflow from happening. Cleaning the integer types used reduces the number of template instantiations and thus the final binary size.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@rgacogne rgacogne added this to the dnsdist-1.8.0 milestone Nov 5, 2021
@rgacogne rgacogne force-pushed the ddist-console-disable-completion branch 4 times, most recently from 81e2538 to 9af6b80 Compare November 15, 2021 15:29
@rgacogne rgacogne marked this pull request as ready for review November 15, 2021 15:29
@rgacogne rgacogne force-pushed the ddist-console-disable-completion branch from 9af6b80 to 73122f1 Compare November 16, 2021 08:03
@rgacogne rgacogne changed the title dnsdist: Do not build the completion and help when DISABLE_COMPLETION is defined dnsdist: Add a lot more of build-time options to select features Nov 16, 2021
@rgacogne rgacogne force-pushed the ddist-console-disable-completion branch from 73122f1 to eb5ffc6 Compare November 25, 2021 10:22
@rgacogne
Copy link
Member Author

Rebased.

@pieterlexis
Copy link
Contributor

I thing we prefer positive names (so ENABLE_XYZ) compared to negative ones

@rgacogne
Copy link
Member Author

I thing we prefer positive names (so ENABLE_XYZ) compared to negative ones

Let's put aside the fact that I would have to redo quite some work to change that now, it would also mean these names need to be defined by default and undefined when we want to disable a feature, which seems very cumbersome?

@pieterlexis
Copy link
Contributor

It might not be worth it indeed

@rgacogne rgacogne requested a review from chbruyand December 15, 2021 14:19
Copy link
Member

@chbruyand chbruyand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be nice to document the DISABLE_ feature and binding options ; maybe in a simple txt file ?
Or maybe/also have a CI minimum build target with everything disabled ?

pdns/dnsdistdist/test-dnsdistrules_cc.cc Outdated Show resolved Hide resolved
@rgacogne
Copy link
Member Author

Would be nice to document the DISABLE_ feature and binding options ; maybe in a simple txt file ?

Indeed, I'll add a few lines to the documentation.

Or maybe/also have a CI minimum build target with everything disabled ?

That's a good idea but we would also need to disable the corresponding tests in the regression tests which is a bit of work, so I'll do that later.

@chbruyand
Copy link
Member

chbruyand commented Dec 15, 2021

Or maybe/also have a CI minimum build target with everything disabled ?

That's a good idea but we would also need to disable the corresponding tests in the regression tests which is a bit of work, so I'll do that later.

Just having a simple build in the first place would be nice IMO. But of course, having the remaining tests running after that would be better. I can have a quick look for the simple version if you want.

@github-actions
Copy link

github-actions bot commented Dec 15, 2021

@check-spelling-bot Report

Unrecognized words, please review:

  • DDISABLE
  • DNSHEADER
To accept these unrecognized words as correct, run the following commands

... in a clone of the git@github.com:rgacogne/pdns.git repository
on the ddist-console-disable-completion branch:

update_files() {
perl -e '
my $new_expect_file=".github/actions/spell-check/expect.txt";
use File::Path qw(make_path);
use File::Basename qw(dirname);
make_path (dirname($new_expect_file));
open FILE, q{<}, $new_expect_file; chomp(my @words = <FILE>); close FILE;
my @add=qw('"$patch_add"');
my %items; @items{@words} = @words x (1); @items{@add} = @add x (1);
@words = sort {lc($a)."-".$a cmp lc($b)."-".$b} keys %items;
open FILE, q{>}, $new_expect_file; for my $word (@words) { print FILE "$word\n" if $word =~ /\w/; };
close FILE;
system("git", "add", $new_expect_file);
'
}

comment_json=$(mktemp)
curl -L -s -S \
  --header "Content-Type: application/json" \
  "https://api.github.com/repos/PowerDNS/pdns/issues/comments/994984229" > "$comment_json"
comment_body=$(mktemp)
jq -r .body < "$comment_json" > $comment_body
rm $comment_json

patch_add=$(perl -e '$/=undef;
$_=<>;
s{<details>.*}{}s;
s{^#.*}{};
s{\n##.*}{};
s{(?:^|\n)\s*\*}{}g;
s{\s+}{ }g;
print' < "$comment_body")
  
update_files
rm $comment_body
git add -u
If the flagged items do not appear to be text

If items relate to a ...

  • well-formed pattern.

    If you can write a pattern that would match it,
    try adding it to the patterns.txt file.

    Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

    Note that patterns can't match multiline strings.

  • binary file.

    Please add a file path to the excludes.txt file matching the containing file.

    File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

    ^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

@github-actions
Copy link

github-actions bot commented Dec 16, 2021

@check-spelling-bot Report

Unrecognized words, please review:

  • DNSHEADER
To accept these unrecognized words as correct, run the following commands

... in a clone of the git@github.com:rgacogne/pdns.git repository
on the ddist-console-disable-completion branch:

update_files() {
perl -e '
my $new_expect_file=".github/actions/spell-check/expect.txt";
use File::Path qw(make_path);
use File::Basename qw(dirname);
make_path (dirname($new_expect_file));
open FILE, q{<}, $new_expect_file; chomp(my @words = <FILE>); close FILE;
my @add=qw('"$patch_add"');
my %items; @items{@words} = @words x (1); @items{@add} = @add x (1);
@words = sort {lc($a)."-".$a cmp lc($b)."-".$b} keys %items;
open FILE, q{>}, $new_expect_file; for my $word (@words) { print FILE "$word\n" if $word =~ /\w/; };
close FILE;
system("git", "add", $new_expect_file);
'
}

comment_json=$(mktemp)
curl -L -s -S \
  --header "Content-Type: application/json" \
  "https://api.github.com/repos/PowerDNS/pdns/issues/comments/995561069" > "$comment_json"
comment_body=$(mktemp)
jq -r .body < "$comment_json" > $comment_body
rm $comment_json

patch_add=$(perl -e '$/=undef;
$_=<>;
s{<details>.*}{}s;
s{^#.*}{};
s{\n##.*}{};
s{(?:^|\n)\s*\*}{}g;
s{\s+}{ }g;
print' < "$comment_body")
  
update_files
rm $comment_body
git add -u
If the flagged items do not appear to be text

If items relate to a ...

  • well-formed pattern.

    If you can write a pattern that would match it,
    try adding it to the patterns.txt file.

    Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

    Note that patterns can't match multiline strings.

  • binary file.

    Please add a file path to the excludes.txt file matching the containing file.

    File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

    ^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

@rgacogne
Copy link
Member Author

The build with the least amount of features is failing because of #11105:

2021-12-16T09:08:29.6307081Z /usr/bin/ld: dnsdist.o: in function `healthChecksThread()':
2021-12-16T09:08:29.6310966Z /home/runner/work/pdns/pdns/pdns/dnsdistdist/dnsdist.cc:1899: undefined reference to `handleDOHTimeout(std::unique_ptr<DOHUnit, void (*)(DOHUnit*)>&&)'
2021-12-16T09:08:29.6321519Z /usr/bin/ld: dnsdist.o: in function `processUDPQuery(ClientState&, LocalHolders&, msghdr const*, ComboAddress const&, ComboAddress&, std::vector<unsigned char, noinit_adaptor<std::allocator<unsigned char> > >&, mmsghdr*, unsigned int*, iovec*, cmsgbuf_aligned*)':
2021-12-16T09:08:29.6324552Z /home/runner/work/pdns/pdns/pdns/dnsdistdist/dnsdist.cc:1554: undefined reference to `handleDOHTimeout(std::unique_ptr<DOHUnit, void (*)(DOHUnit*)>&&)'

rgacogne and others added 23 commits December 22, 2021 09:30
Co-authored-by: Pieter Lexis <pieter@plexis.eu>
@rgacogne rgacogne force-pushed the ddist-console-disable-completion branch from aaa07aa to 26c0632 Compare December 22, 2021 08:31
@rgacogne
Copy link
Member Author

Rebased.

@rgacogne
Copy link
Member Author

rgacogne commented Dec 22, 2021

2021-12-22T09:13:30.1223831Z configure: Protobuf: yes
2021-12-22T09:13:30.1250359Z configure: nghttp2: yes

Something is not right.

@rgacogne rgacogne merged commit 89d0929 into PowerDNS:master Dec 22, 2021
@rgacogne rgacogne deleted the ddist-console-disable-completion branch December 22, 2021 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants