[Varnish] #738: New functionality: loading a compiled VCL SO library file at boot
Varnish
varnish-bugs at varnish-cache.org
Wed Jul 21 17:52:51 CEST 2010
#738: New functionality: loading a compiled VCL SO library file at boot
-------------------------+--------------------------------------------------
Reporter: jdzst | Owner: phk
Type: enhancement | Status: new
Priority: low | Milestone:
Component: varnishd | Version:
Severity: normal | Keywords:
-------------------------+--------------------------------------------------
I think it would be interesting to implement a new option for loading a
compiled VCL SO library file at boot.
Now, varnishd works by receiving the -b (backend address) or -f (VCL
file) parameter. If a backend address is specified, varnishd internally
creates a VCL file with the backend information.
Varnishd at boot does this job: VCL => C file => [c compiler] => SO
library. At shutdown it deletes the generated SO library.
With small changes to the code we could specify the SO library file as an
optional parameter of varnishd and, instead of processing and compiling
the VCL, load the compiled VCL library directly in the mgt_run_cc function.
At shutdown varnishd should not delete the VCL library if varnishd did not
compile it at boot.
The benefits of this new functionality are:
* Improve security. In case of a security flaw, an attacker could
execute the compiler and execute custom code on the machine. If varnish
does not need the compiler, it could be removed for the varnish user,
making things more difficult for an attacker.
* Boot speed improvement. The starting time will be smaller if we remove
the need for compiling.
* Now in a production environment, the varnish machine must have a C
compiler installed; sometimes this is a bit odd for customers, that a
program needs to be compiled in production without control. An alternative
is to compile the VCL in development or test environments, install the
compiled files in production and boot with the compiled VCL.
--
Ticket URL: <http://varnish-cache.org/ticket/738>
Varnish <http://varnish-cache.org/>
The Varnish HTTP Accelerator
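A defender-side check that belongs next to the security argument above: a precompiled VCL SO is native code that the manager process would dlopen, so its integrity and ownership matter as much as removing the compiler does. This is an added example, not Varnish code; `check_precompiled_vcl`, `load_precompiled_vcl` and the operator-kept SHA-256 allowlist are assumed names, and `mgt_run_cc` appears only in a comment as the function the ticket mentions.

```python
import ctypes
import hashlib
import os
import stat


def sha256_of(path):
    """Stream the file so large shared objects do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_precompiled_vcl(path, expected_sha256, trusted_uids=(0,)):
    """Return (ok, reason) for an SO built on a trusted host.

    expected_sha256 is assumed to come from an operator-kept allowlist
    recorded when the VCL was compiled on the build/test machine.
    Every rejection here is a condition under which someone other than
    the build pipeline could have put code in front of varnishd.
    """
    st = os.lstat(path)                      # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group/world writable"
    if st.st_uid not in trusted_uids:
        return False, "untrusted owner uid %d" % st.st_uid
    if sha256_of(path) != expected_sha256:
        return False, "digest mismatch"
    return True, "ok"


def load_precompiled_vcl(path, expected_sha256, trusted_uids=(0,)):
    """Refuse to load unless every check passes; only then dlopen the SO.

    The CDLL call stands in for the dlopen that mgt_run_cc would perform
    in the ticket's proposal (assumed behaviour, not Varnish's own code).
    """
    ok, reason = check_precompiled_vcl(path, expected_sha256, trusted_uids)
    if not ok:
        raise RuntimeError("refusing to load %s: %s" % (path, reason))
    return ctypes.CDLL(path)
```

The digest check only helps if the allowlist itself lives somewhere the varnish user cannot write, otherwise an attacker who can replace the SO can replace the expected hash too.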