[Varnish] #738: New functionality: loading a compiled VCL SO library file at boot

Varnish varnish-bugs at varnish-cache.org
Wed Jul 21 17:52:51 CEST 2010

#738: New functionality: loading a compiled VCL SO library file at boot
 Reporter:  jdzst        |       Owner:  phk
     Type:  enhancement  |      Status:  new
 Priority:  low          |   Milestone:     
Component:  varnishd     |     Version:     
 Severity:  normal       |    Keywords:     
 I think it would be interesting to implement a new option for loading a
 compiled VCL SO library file at boot.

 Now, varnishd works receiving -b (backend address) or -f parameter (VCL
 file). If backend address is specified, varnishd internally creates a VCL
 file with the backend information.

 Varnishd at boot makes this job: VCL => C file => [c compiler] => SO
 library. At shutdown it deletes generated SO library.

 With small changes of code we could specify the SO library file, as a
 optional parameter of varnishd and instead procesing and compiling VCL,
 load directly in mgt_run_cc function the compiled VCL library.

 At shutdown varnishd should not delete VCL library if varnishd did not
 compile it at boot.

 The benefits of this new functionality are:

  * Improve security. In case of an security flaw, an attacker could
 execute the compiler and execute custom code in the machine. If varnish
 does not need compiler, it could be removed for varnish user, and make
 more difficult to attacker.

  * Boot speed improvement. The starting time will be smallest if we remove
 the need of compiling.

  * Now in production enviroment, varnish machine must have a C compiler
 installed in it, sometimes this is a bit odd for customers that a program
 needs to be compiled in production without control. An alternative is to
 compile VCL in development or test enviroments and install the compiled
 files in production and boot with compiled VCL.

Ticket URL: <http://varnish-cache.org/ticket/738>
Varnish <http://varnish-cache.org/>
The Varnish HTTP Accelerator

More information about the varnish-bugs mailing list