question about nginx start & stop

Zhangfei Gao zhangfei.gao at gmail.com
Thu Apr 21 03:55:00 UTC 2022 

On Tue, Apr 19, 2022 at 10:01 PM Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> Hello!
>
> On Tue, Apr 19, 2022 at 12:13:45PM +0800, Zhangfei Gao wrote:
>
> > Hi, Maxim
> >
> > Thanks for the reply.
> >
> > On Sun, Apr 17, 2022 at 10:14 AM Maxim Dounin <mdounin at mdounin.ru> wrote:
> > >
> > > Hello!
> > >
> > > On Fri, Apr 15, 2022 at 03:58:52PM +0800, Zhangfei Gao wrote:
> > >
> > > > Hi,
> > > >
> > > > I have questions about nginx start and stop
> > > > I am using
> > > > // start
> > > > sudo sbin/nginx
> > > > //stop
> > > > sudo sbin/nginx -s quit
> > > >
> > > > 1. openssl engine is init (ngx_ssl_init) twice, but openssl engine
> > > > destroy function is not called.
> > > > So start nginx and nginx -s quit, engine init twice but not called
> > > > engine destroy.
> > > > If we start and stop nginx many times, resource leakage will happen.
> > >
> > > OPENSSL_init_ssl manpage says:
> > >
> > >        As of version 1.1.0 OpenSSL will automatically allocate all resources
> > >        that it needs so no explicit initialisation is required.  Similarly it
> > >        will also automatically deinitialise as required.
> > >
> > > If there is a resource leak, this is a bug in the OpenSSL engine
> > > you are testing with.  It's probably up to the OpenSSL development
> > > docs how to fix this properly.
> >
> > The openssl engine is registered with
> > IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
> > bind_fn()
> > {
> >      ENGINE_set_destroy_function(e, destroy)
> >      ENGINE_set_finish_function(e, finish)
> > }
> >
> > What I found is.
> > /sbin/nginx
> > -> bind_fn
> > /sbin/nginx -s quit
> > -> bind_fn
> > So bind_fn is called twice, but destroy and finish are not called at all.
> >
> > src/core/nginx.c
> > main
> > ngx_ssl_init(log)  -> call engine: bind_fn
> > if (ngx_signal)
> >     return ngx_signal_process(cycle, ngx_signal);
> >     -> gx_os_signal_process(cycle, sig, pid)    // send signal to kill
> > worker process
> >
> > For openssl engine, what should I do to match the nginx stop.
> >
> > By the way, bind_fn and destroy are matched if testing with openssl
> > application itself, no leakage.
> >
> > Any suggestions?
>
> The bind function is called when loading a dynamic engine and
> is not expected to be matched by neither destroy nor finish.
>
> The finish function is called when releasing a functional
> reference obtained with init (ENGINE_init() + ENGINE_finish()).
> The destroy function is called when releasing a structural
> reference (ENGINE_new() + ENGINE_free()).
>
> You shouldn't allocate resources in the bind function, but rather
> only set appropriate init function to do so when needed.

Thanks Maxim

You are right, it is our openssl-engine issue.
I found that if we registered rsa: ENGINE_set_RSA in bind_fn, destroy
will not be called when nginx -s quit.
Still in check.

We alloc some hardware resources in bind_fn for better performance.
Since the init function will be called every time.

Thanks

More information about the nginx-devel mailing list