Re: [Ocamlnet-devel] Two issues with Netplex

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Am Donnerstag, den 07.11.2013, 19:34 +0100 schrieb Thomas Calderon:
> Hi there,
> 
> 
> I am having two issues with netplex at the moment.
> 
> 
> The first one is related to rpc-ssl support. The netplex service is
> configured with SSL enabled (TLSv1) and if you are connecting with a
> client that forces newer TLS versions (openssl s_client -connect
> host:port -tls1_1), an Ssl exception is raised.

Well, the ocaml-ssl bindings only offer TLS-1.0, even if openssl
supports more. That's basically a problem of the bindings. (Fyi, I'm
currently implementing complete bindings for GnuTLS to overcome all
limitations with ocaml-ssl.)

> However, the container process still continues to run but is not able
> to process any data, netplex then spawn a new child process to handle
> subsequent connections. 
> From the client side, the socket is closed and we end up not knowing
> in which state the "zombie" container is.
> We looked for a proper way to fix this in our code, but the exception
> is caught from within rpc_netplex.ml (line 183), is there a proper way
> to handle this case from our code or is it only a fix you can
> provide ?

You could close fd, and then call when_done() from the is_error
callback. This is how it is indicated that the task is done.

Probably this is really the best thing you can do here. When I
programmed this I could probably not imagine what kind of things can go
wrong at this spot, and hence opted to do nothing.

> The second issue is related the function
> "Netplex_cenv.system_shutdown()". This function can be used to
> completely shutdown the service, I would like to know if it is
> possible to restrict this function to be only callable from within the
> controller instance ? This way a container process could not call this
> function and stop the service and all the other containers from
> running.

Without modifying the sources, there is probably no way to get this
effect.

What's actually happening is that the controller accepts requests on the
admin socket (which is a Unix domain socket visible in the filesystem),
and if the container wants to do a system shutdown, is just connects to
this socket, and invokes the right RPC. I don't see how you could
prevent the container from doing so even if the connect code were
removed from the netplex sources. Maybe the only way is to set a
password on this service, and not telling the container the password.

Out of curiosity, what's your concern with system shutdowns? 

Gerd

> 
> Thanks.
> 
> 
> Thomas C.
> 
> 
> ------------------------------------------------------------------------------
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models. Explore
> techniques for threading, error checking, porting, and tuning. Get the most 
> from the latest Intel processors and coprocessors. See abstracts and register
> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
> _______________________________________________ Ocamlnet-devel mailing list Oca...@li... https://lists.sourceforge.net/lists/listinfo/ocamlnet-devel

-- 
------------------------------------------------------------
Gerd Stolpmann, Darmstadt, Germany    ge...@ge...
My OCaml site:          http://www.camlcity.org
Contact details:        http://www.camlcity.org/contact.html
Company homepage:       http://www.gerd-stolpmann.de
------------------------------------------------------------