mirrors/scylladb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f261b4594de8c9be42d578ffdd2c52f401ba8f05
scylladb/utils/http.hh
Calle Wilund 80feb8b676 utils::http::dns_connection_factory: Use a shared certificate_credentials 
Fixes #24447

This factory type, which is really more a data holder/connection producer
per connection instance, creates, if using https, a new certificate_credentials
on every instance. Which when used by S3 client is per client and
scheduling groups.

Which eventually means that we will do a set_system_trust + "cold" handshake
for every tls connection created this way.

This will cause both IO and cold/expensive certificate checking -> possible
stalls/wasted CPU. Since the credentials object in question is literally a
"just trust system", it could very well be shared across the shard.

This PR adds a thread local static cached credentials object and uses this
instead. Could consider moving this to seastar, but maybe this is too much.

Closes scylladb/scylladb#24448
2025-06-10 11:20:21 +03:00

83 lines
2.7 KiB
C++
Raw Blame History

/*
* Copyright (C) 2023-present ScyllaDB
*/
/*
* SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.0
*/
#pragma once
#include <seastar/core/seastar.hh>
#include <seastar/core/shared_future.hh>
#include <seastar/coroutine/all.hh>
#include <seastar/http/client.hh>
#include <seastar/net/dns.hh>
#include <seastar/net/tls.hh>
#include "seastarx.hh"
#include "utils/log.hh"
namespace utils::http {
class dns_connection_factory : public seastar::http::experimental::connection_factory {
protected:
std::string _host;
int _port;
logging::logger& _logger;
struct state {
bool initialized = false;
socket_address addr;
::shared_ptr<tls::certificate_credentials> creds;
};
lw_shared_ptr<state> _state;
shared_future<> _done;
static future<shared_ptr<tls::certificate_credentials>> system_trust_credentials();
// This method can out-live the factory instance, in case `make()` is never called before the instance is destroyed.
static future<> initialize(lw_shared_ptr<state> state, std::string host, int port, bool use_https, logging::logger& logger) {
co_await coroutine::all(
[state, host, port] () -> future<> {
auto hent = co_await net::dns::get_host_by_name(host, net::inet_address::family::INET);
state->addr = socket_address(hent.addr_list.front(), port);
},
[state, use_https] () -> future<> {
if (use_https) {
state->creds = co_await system_trust_credentials();
}
}
);
state->initialized = true;
logger.debug("Initialized factory, address={} tls={}", state->addr, state->creds == nullptr ? "no" : "yes");
}
public:
dns_connection_factory(std::string host, int port, bool use_https, logging::logger& logger)
: _host(std::move(host))
, _port(port)
, _logger(logger)
, _state(make_lw_shared<state>())
, _done(initialize(_state, _host, _port, use_https, _logger))
{
}
virtual future<connected_socket> make(abort_source*) override {
if (!_state->initialized) {
_logger.debug("Waiting for factory to initialize");
co_await _done.get_future();
}
if (_state->creds) {
_logger.debug("Making new HTTPS connection addr={} host={}", _state->addr, _host);
co_return co_await tls::connect(_state->creds, _state->addr, tls::tls_options{.server_name = _host});
} else {
_logger.debug("Making new HTTP connection");
co_return co_await seastar::connect(_state->addr, {}, transport::TCP);
}
}
};
} // namespace utils::http
Reference in New Issue View Git Blame Copy Permalink