edgd1er / nordvpn-proxy

NordVPN openVPN socks

sockd closes all fds on startup and that pegs the process at 100% CPU for several minutes #38

Closed catwith1hat closed 9 months ago

catwith1hat commented 9 months ago

In this code block, Dante naively closes all file descriptors when it forks. For some reason, this loop iterates over an excessively large number of descriptors with recent kernels or Docker versions. When starting Dante inside Docker, the process pegs at 100%, and when strace-ing I get:

close(39136061)                         = -1 EBADF (Bad file descriptor)
close(39136062)                         = -1 EBADF (Bad file descriptor)
close(39136063)                         = -1 EBADF (Bad file descriptor)
close(39136064)                         = -1 EBADF (Bad file descriptor)
close(39136065)                         = -1 EBADF (Bad file descriptor)
close(39136066)                         = -1 EBADF (Bad file descriptor)

After about 10 minutes and wasting CPU cycles, it somehow manages to iterate the whole file descriptor domain.

A workaround is to set a reasonable nofile ulimit for the service. I think that Dante should switch to the new close_range syscall.

I will submit a PR to fix this, but I want a bug to link to.
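
The approach suggested in the issue, as an added example that is not Dante's code or the patch from the PR: close_range() does the work in one syscall, with a fallback that only visits descriptors listed in /proc/self/fd. It assumes Linux; the function names and the /proc fallback are choices made for this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

/* close() calls made by a loop that walks lowfd..RLIMIT_NOFILE, as in the strace. */
unsigned long naive_close_calls(unsigned lowfd)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || rl.rlim_cur <= lowfd)
        return 0;
    return (unsigned long)(rl.rlim_cur - lowfd);
}

int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }

/* Fallback: visit only descriptors that exist, listed in /proc/self/fd. */
static int close_range_procfs(unsigned first, unsigned last)
{
    DIR *d = opendir("/proc/self/fd");
    if (d == NULL)
        return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        unsigned long fd = strtoul(e->d_name, &end, 10);
        if (end == e->d_name || *end != '\0')
            continue;                      /* skip "." and ".." */
        if (fd >= first && fd <= last && (int)fd != dirfd(d))
            close((int)fd);
    }
    closedir(d);
    return 0;
}

/* Close every open descriptor in [first, last]; a daemon would pass (3, ~0U). */
int close_fd_range(unsigned first, unsigned last)
{
#ifdef SYS_close_range
    if (syscall(SYS_close_range, first, last, 0U) == 0)
        return 0;                          /* one syscall, cost independent of the limit */
    /* ENOSYS on kernels before 5.9, or denied by a seccomp filter: fall through. */
#endif
    return close_range_procfs(first, last);
}
```

naive_close_calls(3) reports how many close() calls the old loop would issue under the current nofile limit, which is a quick way to check whether a container is affected.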