-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net: acquireThread might block for a long time #63978
Comments
Change https://go.dev/cl/539360 mentions this issue: |
Change https://go.dev/cl/540555 mentions this issue: |
Change https://go.dev/cl/539361 mentions this issue: |
@bcmills Can you provide more context on why you added the compiler/runtime label? In triage I'm not sure we're seeing how this should be addressed in the compiler and/or runtime. Thanks. |
Huh — I don't remember. 😅 I think I misinterpreted |
Updates #63978 Change-Id: I39a5c812b4f604baf4ca5ffcff52b8dc17d4990d GitHub-Last-Rev: 4ab6e26 GitHub-Pull-Request: #63990 Reviewed-on: https://go-review.googlesource.com/c/go/+/539361 Reviewed-by: Ian Lance Taylor <iant@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
acquireThread is already waiting on a channel, so it can be easily wired up to support context cancellation. This change will make sure that contexts that are cancelled at the acquireThread stage (when the limit of threads is reached) do not queue unnecessarily and cause an unnecessary cgo call that will be soon aborted by the doBlockingWithCtx function. Updates #63978 Change-Id: I8ae4debd51995637567d8f51c6f1ed60f23d6c0c GitHub-Last-Rev: 4189b9f GitHub-Pull-Request: #63985 Reviewed-on: https://go-review.googlesource.com/c/go/+/539360 Auto-Submit: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Bryan Mills <bcmills@google.com> Commit-Queue: Ian Lance Taylor <iant@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
The cgo resolver sends DNS queries for .local subdomain lookups, just as we do in the go resolver. We don't need to fallback to the cgo resolver for this domains when nsswitch.conf uses only file and dns modules. This has a benefit that we select a consistent resolver, that is only based on the system configuration, regardless of the queried domain. Updates #63978 Change-Id: I9166103adb94d7ab52992925f413f361130e7c52 GitHub-Last-Rev: e2bc587 GitHub-Pull-Request: #63986 Reviewed-on: https://go-review.googlesource.com/c/go/+/540555 Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Pratt <mpratt@google.com>
@mateusz834 was there anything left to do here? I think all of the proposed changes ended up landing. |
@rolandshoemaker right, closing the issue |
This was previously reported to the go security team.
When the cgo resolver is being used, we call the acquireThread function to limit the amount of concurrent cgo calls running and also to limit the amount of threads that will be ever created (by the net package) by the runtime for cgo calls. The limit is currently capped to 500.
go/src/net/cgo_unix.go
Lines 148 to 151 in 9d836d4
go/src/net/net.go
Lines 674 to 689 in 9d836d4
go/src/net/rlimit_unix.go
Lines 11 to 33 in 9d836d4
This might be problematic for services that connect to a user-provided hostnames.
The user-provided domain might be running on an "evil" nameserver that might trip timeouts (respond with SERVFAIL after ~5s). I have not tested this deeply, but I assume it would be possible to make the getaddrinfo block for 5-30s (assuming mostly default configuration in resolv.conf).
1-3 (Resolvers Count) * 2 (default attempts count) * 5s (default timeout).
Obviously with MITM it is simpler to trip timeouts.
We don't use the cgo resolver much these days on unix systems (except desktop linux, because of systemd nsswitch modules we don't support in the go resolver). On windows and darwin the cgo resolver is the default.
I think this should be at least made clear by the docs, currently we only note that:
go/src/net/net.go
Lines 49 to 50 in 9d836d4
This should probably mention that we have an internal cgo threads limit.
Also we probably should not force the use of cgo resolver for ".local" subdomains, so that use of the cgo resolver cannot be forced by an external user (consider a service that connects to a user-provided hostname). The go resolver should be able to resolve ".local" domains when there are no other nss modules in use than files and dns.
go/src/net/conf.go
Lines 341 to 347 in 9d836d4
Support context cancellation in acquireThread, so that when the thread limit is reached we don't call cgo stuff when the context is already cancelled (don't queue bunch of cgo calls when context is done).
I will send CLs for this.
CC @ianlancetaylor @golang/security @rolandshoemaker
The text was updated successfully, but these errors were encountered: