merge issue-22 patch for munged "--mlockall" opt

Merge the issue-22 patch from Michael Fenn <fennm@deshawresearch.com>
for adding the "-M/--mlockall" command-line option to munged.

When enabled, this option calls mlockall() to lock all current and
future pages in the virtual memory address space.  Since access to
locked pages will never be delayed by a page fault, this can improve
performance and help the daemon remain responsive when the system is
under heavy memory pressure.

Fixes issue 22.

config/config.h.in

@@ -111,6 +111,9 @@
 /* Define to 1 if you have the <memory.h> header file. */
 #undef HAVE_MEMORY_H
 
+/* Define to 1 if you have the `mlockall' function. */
+#undef HAVE_MLOCKALL
+
 /* Define to 1 if you want to use the OpenSSL cryptographic library. */
 #undef HAVE_OPENSSL
 

configure

@@ -13059,6 +13059,7 @@ fi
 ##
 for ac_func in \
   localtime_r \
+  mlockall \
   sysconf \
 
 do :

configure.ac

@@ -115,6 +115,7 @@ AC_CHECK_TYPES(socklen_t, [], [], [#include <sys/types.h>
 ##
 AC_CHECK_FUNCS( \
   localtime_r \
+  mlockall \
   sysconf \
 )
 AC_REPLACE_FUNCS( \

src/munged/conf.c

@@ -59,7 +59,7 @@
  *  Command-Line Options
  *****************************************************************************/
 
-const char * const short_opts = ":hLVfFS:";
+const char * const short_opts = ":hLVfFMS:";
 
 #include <getopt.h>
 struct option long_opts[] = {
@@ -68,6 +68,7 @@ struct option long_opts[] = {
     { "version",           no_argument,       NULL, 'V' },
     { "force",             no_argument,       NULL, 'f' },
     { "foreground",        no_argument,       NULL, 'F' },
+    { "mlockall",          no_argument,       NULL, 'M' },
     { "socket",            required_argument, NULL, 'S' },
     { "advice",            no_argument,       NULL, 'A' },
     { "key-file",          required_argument, NULL, '0' },
@@ -114,6 +115,7 @@ create_conf (void)
     conf->got_force = 0;
     conf->got_foreground = 0;
     conf->got_group_stat = !! MUNGE_GROUP_STAT_FLAG;
+    conf->got_mlockall = 0;
     conf->got_root_auth = !! MUNGE_AUTH_ROOT_ALLOW_FLAG;
     conf->got_socket_retry = !! MUNGE_SOCKET_RETRY_FLAG;
     conf->got_syslog = 0;
@@ -274,6 +276,9 @@ parse_cmdline (conf_t conf, int argc, char **argv)
             case 'F':
                 conf->got_foreground = 1;
                 break;
+            case 'M':
+                conf->got_mlockall = 1;
+                break;
             case 'S':
                 if (conf->socket_name)
                     free (conf->socket_name);
@@ -424,6 +429,9 @@ display_help (char *prog)
     printf ("  %*s %s\n", w, "-F, --foreground",
             "Run process in the foreground (do not fork)");
 
+    printf ("  %*s %s\n", w, "-M, --mlockall",
+            "Lock all pages in memory");
+
     printf ("  %*s %s [%s]\n", w, "-S, --socket=PATH",
             "Specify local socket", MUNGE_SOCKET_NAME);
 

src/munged/conf.h

@@ -46,6 +46,7 @@ struct conf {
     unsigned        got_force:1;        /* flag for FORCE option             */
     unsigned        got_foreground:1;   /* flag for FOREGROUND option        */
     unsigned        got_group_stat:1;   /* flag for gids stat'ing /etc/group */
+    unsigned        got_mlockall:1;     /* flag for locking all memory pages */
     unsigned        got_root_auth:1;    /* flag if root can decode any cred  */
     unsigned        got_socket_retry:1; /* flag for allowing decode retries  */
     unsigned        got_syslog:1;       /* flag if logging to syslog instead */

src/munged/munged.8.in

@@ -76,6 +76,13 @@ file/directory permissions.
 .BI "-F, --foreground"
 Run the daemon in the foreground.
 .TP
+.BI "-M, --mlockall"
+Lock all current and future pages in the virtual memory address space.
+Access to locked pages will never be delayed by a page fault.  This can
+improve performance and help the daemon remain responsive when the system
+is under heavy memory pressure.  This typically requires root privileges
+or the CAP_IPC_LOCK capability.
+.TP
 .BI "-S, --socket " path
 Specify the local domain socket for communicating with clients.
 .TP

src/munged/munged.c

@@ -37,6 +37,9 @@
 #include <signal.h>
 #include <stdlib.h>
 #include <string.h>
+#if HAVE_MLOCKALL
+#include <sys/mman.h>
+#endif /* HAVE_MLOCKALL */
 #include <sys/time.h>                   /* include before resource.h for bsd */
 #include <sys/resource.h>
 #include <sys/socket.h>
@@ -74,6 +77,7 @@ static void hup_handler (int signum);
 static void exit_handler (int signum);
 static void segv_handler (int signum);
 static void write_pidfile (const char *pidfile, int got_force);
+static void lock_memory (void);
 static void sock_create (conf_t conf);
 static void sock_lock (conf_t conf);
 static int set_file_lock (int fd);
@@ -125,7 +129,9 @@ main (int argc, char *argv[])
     handle_signals ();
     lookup_ip_addr (conf);
     write_pidfile (conf->pidfile_name, conf->got_force);
-
+    if (conf->got_mlockall) {
+        lock_memory ();
+    }
     crypto_init ();
     if (random_init (conf->seed_name) < 0) {
         if (conf->seed_name) {
@@ -544,6 +550,39 @@ write_pidfile (const char *pidfile, int got_force)
 }
 
 
+static void
+lock_memory (void)
+{
+/*  Lock all current and future pages in the virtual memory address space.
+ *    Access to locked pages will never be delayed by a page fault.
+ *  EAGAIN is tested for up to max_tries in case this is a transient error.
+ *    Should there be a nanosleep() between attempts?
+ */
+#if ! HAVE_MLOCKALL
+    errno = ENOSYS;
+    log_errno (EMUNGE_SNAFU, LOG_ERR, "Failed to lock pages in memory");
+#else
+    int       rv;
+    int       i = 0;
+    const int max_tries = 10;
+
+    while (1) {
+        i++;
+        rv = mlockall (MCL_CURRENT | MCL_FUTURE);
+        if (rv == 0) {
+            break;
+        }
+        if ((errno == EAGAIN) && (i < max_tries)) {
+            continue;
+        }
+        log_errno (EMUNGE_SNAFU, LOG_ERR, "Failed to lock pages in memory");
+    }
+    log_msg (LOG_INFO, "Locked all pages in memory");
+#endif /* ! HAVE_MLOCKALL */
+    return;
+}
+
+
 static void
 sock_create (conf_t conf)
 {