CA-403620: Drop the usage of fuser in stunnel client proxy

The drawback of fuser is that it gets too many things involved. E.g. it is observed that it got stuck on cifs kernel module. This change uses a cleaner way to remember the stunnel client proxy. Even when the xapi restarted unexpectedly, it can stop the remnant stunnel proxy and start a new one. Signed-off-by: Ming Lu <[email protected]>
xapi-project · Dec 26, 2024 · 75d19cf · 75d19cf
1 parent 9eeb1f3
commit 75d19cf
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 3 deletions.
diff --git a/ocaml/libs/stunnel/stunnel.ml b/ocaml/libs/stunnel/stunnel.ml
@@ -487,6 +487,31 @@ let with_client_proxy ~verify_cert ~remote_host ~remote_port ~local_host
     )
     5
 
+let with_client_proxy_systemd_service ~verify_cert ~remote_host ~remote_port
+    ~local_host ~local_port ~service f =
+  let cmd_path = stunnel_path () in
+  let config =
+    config_file
+      ~accept:(Some (local_host, local_port))
+      verify_cert remote_host remote_port
+  in
+  let stop () = ignore (Fe_systemctl.stop ~service) in
+  (* Try stopping anyway before starting it. *)
+  ignore_exn stop () ;
+  let conf_path, out = Filename.open_temp_file service ".conf" in
+  let finally = Xapi_stdext_pervasives.Pervasiveext.finally in
+  finally
+    (fun () ->
+      finally (fun () -> output_string out config) (fun () -> close_out out) ;
+      finally
+        (fun () ->
+          Fe_systemctl.start_transient ~service cmd_path [conf_path] ;
+          f ()
+        )
+        (fun () -> ignore_exn stop ())
+    )
+    (fun () -> Unixext.unlink_safe conf_path)
+
 let check_verify_error line =
   let sub_after i s =
     let len = String.length s in

diff --git a/ocaml/libs/stunnel/stunnel.mli b/ocaml/libs/stunnel/stunnel.mli
@@ -96,3 +96,13 @@ val with_client_proxy :
   -> local_port:int
   -> (unit -> 'a)
   -> 'a
+
+val with_client_proxy_systemd_service :
+     verify_cert:verification_config option
+  -> remote_host:string
+  -> remote_port:int
+  -> local_host:string
+  -> local_port:int
+  -> service:string
+  -> (unit -> 'a)
+  -> 'a
diff --git a/ocaml/xapi/repository_helpers.ml b/ocaml/xapi/repository_helpers.ml
@@ -398,10 +398,11 @@ let with_local_repositories ~__context f =
     with Pool_role.This_host_is_a_master ->
       Option.get (Helpers.get_management_ip_addr ~__context)
   in
-  Stunnel.with_client_proxy ~verify_cert:(Stunnel_client.pool ())
-    ~remote_host:master_addr ~remote_port:Constants.default_ssl_port
-    ~local_host:"127.0.0.1"
+  Stunnel.with_client_proxy_systemd_service
+    ~verify_cert:(Stunnel_client.pool ()) ~remote_host:master_addr
+    ~remote_port:Constants.default_ssl_port ~local_host:"127.0.0.1"
     ~local_port:!Xapi_globs.local_yum_repo_port
+    ~service:"stunnel_proxy_for_update_client"
   @@ fun () ->
   let enabled = get_enabled_repositories ~__context in
   Xapi_stdext_pervasives.Pervasiveext.finally