tests: Ensure excessive FD limits are avoided (#2730)

* tests: Ensure excessive FD limits are avoided

Processes that run as daemons (`postsrsd` and `fail2ban-server`) initialize by closing all FDs (File Descriptors).

This behaviour queries that maximum limit and iterates through the entire range even if only a few FDs are open. In some environments (Docker, limit configured by distro) this can be a range exceeding 1 billion (from kernel default of 1024 soft, 4096 hard), causing an 8 minute delay with heavy CPU activity.

`postsrsd` has since been updated to use `close_range()` syscall, and `fail2ban` will now iterate through `/proc/self/fd` (open FDs) which should resolve the performance hit. Until those updates reach our Docker image, we need to workaround it with `--ulimit` option.

NOTE: If `docker.service` on a distro sets `LimitNOFILE=` to approx 1 million or lower, it should not be an issue. On distros such as Fedora 36, it is `LimitNOFILE=infinity` (approx 1 billion) that causes excessive delays.

* chore: Use Docker host limits instead

Typically on modern distros with systemd, this should equate to 1024 (soft) and 512K (hard) limits. A distro may override the built-in global defaults systemd sets via setting `DefaultLimitNOFILE=` in `/etc/systemd/user.conf` and `/etc/systemd/system.conf`.

* tests(fix): Better prevent non-deterministic failures

- `no_containers.bats` tests the external script `setup.sh` (without `-c`). It's expected that no existing DMS container is running  - otherwise it may attempt to use that container and fail. Detect this and fail early via `setup_file()` step.

- `mail_hostname.bats` had a odd timing failure with teardown due to the last tests bringing the containers down earlier (`docker stop` paired with the `docker run --rm`). Adding a moment of delay via `sleep` helps avoid that false positive scenario.
This commit is contained in:
Brennan Kinney 2022-08-23 11:24:23 +12:00 committed by GitHub
parent 75a75bfae6
commit 672e9cf19a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 43 additions and 16 deletions

View file

@ -9,7 +9,10 @@ function setup_file() {
-e ENABLE_FAIL2BAN=1 \ -e ENABLE_FAIL2BAN=1 \
-e POSTSCREEN_ACTION=ignore \ -e POSTSCREEN_ACTION=ignore \
--cap-add=NET_ADMIN \ --cap-add=NET_ADMIN \
-h mail.my-domain.com -t "${NAME}" --hostname mail.my-domain.com \
--tty \
--ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)" \
"${NAME}"
# Create a container which will send wrong authentications and should get banned # Create a container which will send wrong authentications and should get banned
docker run --name fail-auth-mailer \ docker run --name fail-auth-mailer \

View file

@ -11,8 +11,10 @@ function setup_file() {
-e PERMIT_DOCKER=network \ -e PERMIT_DOCKER=network \
-e ENABLE_SRS=1 \ -e ENABLE_SRS=1 \
-e OVERRIDE_HOSTNAME=mail.my-domain.com \ -e OVERRIDE_HOSTNAME=mail.my-domain.com \
-h unknown.domain.tld \ --hostname unknown.domain.tld \
-t "${NAME}" --tty \
--ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)" \
"${NAME}"
PRIVATE_CONFIG_TWO=$(duplicate_config_for_container . mail_non_subdomain_hostname) PRIVATE_CONFIG_TWO=$(duplicate_config_for_container . mail_non_subdomain_hostname)
docker run --rm -d --name mail_non_subdomain_hostname \ docker run --rm -d --name mail_non_subdomain_hostname \
@ -21,7 +23,9 @@ function setup_file() {
-e PERMIT_DOCKER=network \ -e PERMIT_DOCKER=network \
-e ENABLE_SRS=1 \ -e ENABLE_SRS=1 \
--hostname domain.com \ --hostname domain.com \
-t "${NAME}" --tty \
--ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)" \
"${NAME}"
PRIVATE_CONFIG_THREE=$(duplicate_config_for_container . mail_srs_domainname) PRIVATE_CONFIG_THREE=$(duplicate_config_for_container . mail_srs_domainname)
docker run --rm -d --name mail_srs_domainname \ docker run --rm -d --name mail_srs_domainname \
@ -32,7 +36,9 @@ function setup_file() {
-e SRS_DOMAINNAME='srs.my-domain.com' \ -e SRS_DOMAINNAME='srs.my-domain.com' \
--domainname 'my-domain.com' \ --domainname 'my-domain.com' \
--hostname 'mail' \ --hostname 'mail' \
-t "${NAME}" --tty \
--ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)" \
"${NAME}"
PRIVATE_CONFIG_FOUR=$(duplicate_config_for_container . mail_domainname) PRIVATE_CONFIG_FOUR=$(duplicate_config_for_container . mail_domainname)
docker run --rm -d --name mail_domainname \ docker run --rm -d --name mail_domainname \
@ -42,7 +48,9 @@ function setup_file() {
-e ENABLE_SRS=1 \ -e ENABLE_SRS=1 \
--domainname 'my-domain.com' \ --domainname 'my-domain.com' \
--hostname 'mail' \ --hostname 'mail' \
-t "${NAME}" --tty \
--ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)" \
"${NAME}"
wait_for_smtp_port_in_container mail_override_hostname wait_for_smtp_port_in_container mail_override_hostname
wait_for_smtp_port_in_container mail_non_subdomain_hostname wait_for_smtp_port_in_container mail_non_subdomain_hostname
@ -55,6 +63,10 @@ function setup_file() {
} }
function teardown_file() { function teardown_file() {
# Running `docker rm -f` too soon after `docker stop` can result in failure during teardown with:
# "Error response from daemon: removal of container mail_domainname is already in progress"
sleep 1
docker rm -f mail_override_hostname mail_non_subdomain_hostname mail_srs_domainname mail_domainname docker rm -f mail_override_hostname mail_non_subdomain_hostname mail_srs_domainname mail_domainname
} }

View file

@ -9,10 +9,13 @@ function setup() {
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \ -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
-e ENABLE_SPAMASSASSIN=1 \ -e ENABLE_SPAMASSASSIN=1 \
-e SA_SPAM_SUBJECT="undef" \ -e SA_SPAM_SUBJECT="undef" \
-h mail.my-domain.com -t "${NAME}" --hostname mail.my-domain.com \
--tty \
"${NAME}"
PRIVATE_CONFIG=$(duplicate_config_for_container . mail_undef_spam_subject_2) CONTAINER='mail_undef_spam_subject_2'
CONTAINER=$(docker run -d \ PRIVATE_CONFIG=$(duplicate_config_for_container . "${CONTAINER}")
docker run -d \
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \ -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \ -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
-v "$(pwd)/test/onedir":/var/mail-state \ -v "$(pwd)/test/onedir":/var/mail-state \
@ -30,7 +33,11 @@ function setup() {
-e SASL_PASSWD="external-domain.com username:password" \ -e SASL_PASSWD="external-domain.com username:password" \
-e ENABLE_MANAGESIEVE=1 \ -e ENABLE_MANAGESIEVE=1 \
-e PERMIT_DOCKER=host \ -e PERMIT_DOCKER=host \
-h mail.my-domain.com -t "${NAME}") --name "${CONTAINER}" \
--hostname mail.my-domain.com \
--tty \
--ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)" \
"${NAME}"
wait_for_finished_setup_in_container mail_undef_spam_subject wait_for_finished_setup_in_container mail_undef_spam_subject
wait_for_finished_setup_in_container "${CONTAINER}" wait_for_finished_setup_in_container "${CONTAINER}"

View file

@ -1,7 +1,13 @@
load 'test_helper/bats-support/load'
load 'test_helper/bats-assert/load'
load 'test_helper/common' load 'test_helper/common'
function setup_file() {
# Fail early if the test image is already running:
assert_not_equal "$(docker ps | grep -o "${NAME}")" "${NAME}"
# Test may fail if an existing DMS container is running,
# Which can occur from a prior test failing before reaching `no_container.bats`
# and that failure not properly handling teardown.
}
@test "[No Existing Container] checking setup.sh: setup.sh alias list" { @test "[No Existing Container] checking setup.sh: setup.sh alias list" {
mkdir -p ./test/alias/config && echo "test@example.org test@forward.com" > ./test/alias/config/postfix-virtual.cf mkdir -p ./test/alias/config && echo "test@example.org test@forward.com" > ./test/alias/config/postfix-virtual.cf
run ./setup.sh -p ./test/alias/config alias list run ./setup.sh -p ./test/alias/config alias list

View file

@ -1,5 +1,3 @@
load 'test_helper/bats-support/load'
load 'test_helper/bats-assert/load'
load 'test_helper/common' load 'test_helper/common'
export IMAGE_NAME export IMAGE_NAME
@ -37,8 +35,9 @@ setup_file() {
-e SPOOF_PROTECTION=1 \ -e SPOOF_PROTECTION=1 \
-e SSL_TYPE='snakeoil' \ -e SSL_TYPE='snakeoil' \
-e VIRUSMAILS_DELETE_DELAY=7 \ -e VIRUSMAILS_DELETE_DELAY=7 \
-h mail.my-domain.com \ --hostname mail.my-domain.com \
--tty \ --tty \
--ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)" \
--health-cmd "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1" \ --health-cmd "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1" \
"${NAME}" "${NAME}"