-
Apollon Oikonomopoulos authored
Newer GnuTLS versions (>= 3.3.0) use a library constructor for initialization and open /dev/urandom on library load, way before we fork(). Closing /dev/urandom on fork causes a failure to re-seed GnuTLS's random number generator during the first ganeti.http.client request, which in turn causes the process to silently abort(3). For more background on this behavior, see this thread at the GnuTLS mailing list: http://lists.gnupg.org/pipermail/gnutls-help/2014-April/003429.html Note that calling pycurl.global_init() at the correct place (as we do) is not enough, as it does not cause a re-initialization of the GnuTLS library. As we cannot reliably detect neither the GnuTLS version, nor the socket, we work our way around this by keeping all fds referring to /dev/urandom open after fork. We do so using the /proc/self/fd interface. This fixes issues #961 and #964. Note that this would not affect the Haskell daemons using cURL + GnuTLS, because we don't close all file descriptors on fork there. Signed-off-by: Apollon Oikonomopoulos <apoikos@gmail.com> Reviewed-by: Helga Velroyen <helgav@google.com>
6e06de4e