feat: allow privileged agent to listen port (#71)

tzssangglass · web-flow · commit 2b04d549aac4 · 2022-11-24T15:03:28.000+08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,7 +8,7 @@ on:
 
 jobs:
   build:
-    runs-on: "ubuntu-18.04"
+    runs-on: "ubuntu-20.04"
     env:
       OPENRESTY_PREFIX: "/usr/local/openresty"
 
@@ -20,7 +20,9 @@ jobs:
         uses: egor-tensin/setup-clang@v1
 
       - name: Get dependencies
-        run: sudo apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl
+        run: |
+          sudo apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl luarocks
+          sudo luarocks install lua-resty-http > build.log 2>&1 || (cat build.log && exit 1)
 
       - name: Before install
         run: |
diff --git a/patch/1.21.4/nginx-listen-in-privileged-agent.patch b/patch/1.21.4/nginx-listen-in-privileged-agent.patch
@@ -0,0 +1,141 @@
+diff --git src/core/ngx_connection.c src/core/ngx_connection.c
+index 568ae3d..e22c990 100644
+--- src/core/ngx_connection.c
++++ src/core/ngx_connection.c
+@@ -434,6 +434,10 @@ ngx_open_listening_sockets(ngx_cycle_t *cycle)
+                 continue;
+             }
+
++            if (ngx_is_privileged_agent != ls[i].privileged_agent) {
++                continue;
++            }
++
+ #if (NGX_HAVE_REUSEPORT)
+
+             if (ls[i].add_reuseport) {
+diff --git src/core/ngx_connection.h src/core/ngx_connection.h
+index be75d82..12c8694 100644
+--- src/core/ngx_connection.h
++++ src/core/ngx_connection.h
+@@ -66,6 +66,7 @@ struct ngx_listening_s {
+     unsigned            shared:1;    /* shared between threads or processes */
+     unsigned            addr_ntop:1;
+     unsigned            wildcard:1;
++    unsigned            privileged_agent:1;
+
+ #if (NGX_HAVE_INET6)
+     unsigned            ipv6only:1;
+diff --git src/event/ngx_event.c src/event/ngx_event.c
+index d800af0..f73e57c 100644
+--- src/event/ngx_event.c
++++ src/event/ngx_event.c
+@@ -818,7 +818,9 @@ ngx_event_process_init(ngx_cycle_t *cycle)
+     for (i = 0; i < cycle->listening.nelts; i++) {
+
+ #if (NGX_HAVE_REUSEPORT)
+-        if (ls[i].reuseport && ls[i].worker != ngx_worker) {
++        if ((ngx_is_privileged_agent && !ls[i].privileged_agent)
++            || (ls[i].reuseport && ls[i].worker != ngx_worker))
++        {
+             ngx_log_debug2(NGX_LOG_DEBUG_CORE, cycle->log, 0,
+                            "closing unused fd:%d listening on %V",
+                            ls[i].fd, &ls[i].addr_text);
+@@ -833,6 +835,10 @@ ngx_event_process_init(ngx_cycle_t *cycle)
+
+             continue;
+         }
++
++        if (!ngx_is_privileged_agent && ls[i].privileged_agent) {
++            continue;
++        }
+ #endif
+
+         c = ngx_get_connection(ls[i].fd, cycle->log);
+diff --git src/http/ngx_http.c src/http/ngx_http.c
+index e1d3d00..7ad72e3 100644
+--- src/http/ngx_http.c
++++ src/http/ngx_http.c
+@@ -1217,6 +1217,13 @@ ngx_http_add_addresses(ngx_conf_t *cf, ngx_http_core_srv_conf_t *cscf,
+             continue;
+         }
+
++        if (lsopt->privileged_agent != addr[i].opt.privileged_agent) {
++            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
++                               "%V is already occupied by privileged agent",
++                               &addr[i].opt.addr_text);
++            return NGX_ERROR;
++        }
++
+         /* the address is already in the address list */
+
+         if (ngx_http_add_server(cf, cscf, &addr[i]) != NGX_OK) {
+@@ -1769,6 +1776,8 @@ ngx_http_add_listening(ngx_conf_t *cf, ngx_http_conf_addr_t *addr)
+     ls->reuseport = addr->opt.reuseport;
+ #endif
+
++    ls->privileged_agent = addr->opt.privileged_agent;
++
+     return ls;
+ }
+
+diff --git src/http/ngx_http_core_module.c src/http/ngx_http_core_module.c
+index 6287d6e..a84dd80 100644
+--- src/http/ngx_http_core_module.c
++++ src/http/ngx_http_core_module.c
+@@ -4202,6 +4202,20 @@ ngx_http_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+             continue;
+         }
+
++        if (ngx_strncmp(value[n].data, "enable_process=", 15) == 0) {
++            if (ngx_strcmp(&value[n].data[15], "privileged_agent") == 0) {
++                lsopt.privileged_agent = 1;
++
++            } else {
++                ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
++                                   "invalid enable_process value: \"%s\"",
++                                   &value[n].data[15]);
++                return NGX_CONF_ERROR;
++            }
++
++            continue;
++        }
++
+         ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                            "invalid parameter \"%V\"", &value[n]);
+         return NGX_CONF_ERROR;
+diff --git src/http/ngx_http_core_module.h src/http/ngx_http_core_module.h
+index 2aadae7..6ba3a90 100644
+--- src/http/ngx_http_core_module.h
++++ src/http/ngx_http_core_module.h
+@@ -82,6 +82,7 @@ typedef struct {
+     unsigned                   reuseport:1;
+     unsigned                   so_keepalive:2;
+     unsigned                   proxy_protocol:1;
++    unsigned                   privileged_agent:1;
+
+     int                        backlog;
+     int                        rcvbuf;
+diff --git src/os/unix/ngx_process_cycle.c src/os/unix/ngx_process_cycle.c
+index e8ebf3d..8227ecf 100644
+--- src/os/unix/ngx_process_cycle.c
++++ src/os/unix/ngx_process_cycle.c
+@@ -1250,7 +1250,11 @@ ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data)
+     ngx_process = NGX_PROCESS_HELPER;
+     ngx_is_privileged_agent = 1;
+
+-    ngx_close_listening_sockets(cycle);
++    if (ngx_open_listening_sockets(cycle) != NGX_OK) {
++        ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno,
++                      "failed to init privileged agent listeners");
++        exit(2);
++    }
+
+     /* Set a moderate number of connections for a helper process. */
+     cycle->connection_n = 512;
+@@ -1265,6 +1269,7 @@ ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data)
+
+         if (ngx_terminate || ngx_quit) {
+             ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting");
++            ngx_close_listening_sockets(cycle);
+             ngx_worker_process_exit(cycle);
+         }
diff --git a/t/privileged_agent.t b/t/privileged_agent.t
@@ -0,0 +1,126 @@
+use t::APISIX_NGINX 'no_plan';
+
+master_on();
+run_tests();
+
+__DATA__
+
+=== TEST 1: sanity
+--- http_config
+init_by_lua_block {
+    local process = require("ngx.process")
+    assert(process.enable_privileged_agent())
+}
+server {
+    listen 9090;
+    location / {
+        content_by_lua_block {
+            local process = require("ngx.process")
+            ngx.say(process.type())
+        }
+    }
+}
+server {
+    listen 127.0.0.1:9091 enable_process=privileged_agent;
+    location / {
+        content_by_lua_block {
+            local process = require("ngx.process")
+            ngx.say(process.type())
+        }
+    }
+}
+--- config
+    location /t {
+        content_by_lua_block {
+            local http = require "resty.http"
+
+            for i = 1, 12 do
+                local httpc = http.new()
+                local uri
+                if i % 2 == 1 then
+                    uri = "http://127.0.0.1:9090"
+                else
+                    uri = "http://127.0.0.1:9091"
+                end
+                local res, err = httpc:request_uri(uri, {method = "GET"})
+                if not res then
+                    ngx.say(err)
+                    return
+                end
+
+                local exp
+                if i % 2 == 1 then
+                    exp = "worker\n"
+                else
+                    exp = "privileged agent\n"
+                end
+
+                assert(exp == res.body)
+            end
+        }
+    }
+
+
+
+=== TEST 2: address conflict detection
+--- http_config
+init_by_lua_block {
+    local process = require("ngx.process")
+    assert(process.enable_privileged_agent())
+}
+server {
+    listen 127.0.0.1:9091;
+    location / {
+        content_by_lua_block {
+            local process = require("ngx.process")
+            ngx.say(process.type())
+        }
+    }
+}
+server {
+    listen 127.0.0.1:9091 enable_process=privileged_agent;
+    location / {
+        content_by_lua_block {
+            local process = require("ngx.process")
+            ngx.say(process.type())
+        }
+    }
+}
+--- config
+    location /t {
+        return 200;
+    }
+--- must_die
+--- error_log
+127.0.0.1:9091 is already occupied by privileged agent
+
+
+
+=== TEST 3: same port, different IP
+--- http_config
+init_by_lua_block {
+    local process = require("ngx.process")
+    assert(process.enable_privileged_agent())
+}
+server {
+    listen 9091;
+    location / {
+        content_by_lua_block {
+            local process = require("ngx.process")
+            ngx.say(process.type())
+        }
+    }
+}
+server {
+    listen 127.0.0.1:9091 enable_process=privileged_agent;
+    location / {
+        content_by_lua_block {
+            local process = require("ngx.process")
+            ngx.say(process.type())
+        }
+    }
+}
+--- config
+    location /t {
+        return 200;
+    }
