Proposed v26.2.x: 68 RP commits on scylladb/master c302102b7

.github/ai-opt-out

@@ -0,0 +1 @@
+opt-out: true

.github/workflows/tests.yaml

@@ -39,6 +39,32 @@ jobs:
       mode: release
       enables: --enable-dpdk
       options: --cook dpdk --dpdk-machine corei7-avx
+    # disable dpdk build as we don't use it an it is
+    # long and breaks now and then: it still runs
+    # upstream
+    if: false
+
+  build_with_dual_tls:
+    name: "Test with both TLS backends"
+    uses: ./.github/workflows/test.yaml
+    strategy:
+      fail-fast: false
+    with:
+      compiler: clang++
+      standard: 23
+      mode: debug
+      options: --tls-mode=both
+
+  build_with_openssl_tls:
+    name: "Test with OpenSSL TLS backend only"
+    uses: ./.github/workflows/test.yaml
+    strategy:
+      fail-fast: false
+    with:
+      compiler: clang++
+      standard: 23
+      mode: debug
+      options: --tls-mode=openssl
 
   build_with_cxx_modules:
     name: "Test with C++20 modules enabled"
@@ -51,6 +77,9 @@ jobs:
       mode: debug
       enables: --enable-cxx-modules
       enable-ccache: false
+    # disable modules build as we aren't using module and it is quite
+    # broken at the moment
+    if: false
 
   fuzz_test:
     name: "Fuzz Tests"

CMakeLists.txt

@@ -525,11 +525,13 @@ seastar_generate_protobuf (
   IN_FILE ${CMAKE_CURRENT_SOURCE_DIR}/src/proto/metrics2.proto
   OUT_DIR ${Seastar_GEN_BINARY_DIR}/src/proto)
 
-set_option_if_package_is_found (Seastar_GNUTLS GnuTLS)
-set_option_if_package_is_found (Seastar_OPENSSL OpenSSL)
+option (Seastar_GNUTLS "Enable the GnuTLS-based TLS backend" ON)
+option (Seastar_OPENSSL "Enable the OpenSSL-based TLS backend" OFF)
 
 if (NOT Seastar_GNUTLS AND NOT Seastar_OPENSSL)
-  message (FATAL_ERROR "At least one TLS/crypto backend is required. Install GnuTLS or OpenSSL development packages.")
+  message (FATAL_ERROR "At least one TLS backend must be enabled. "
+    "Pass -DSeastar_GNUTLS=ON and/or -DSeastar_OPENSSL=ON, "
+    "or use configure.py --tls-mode=gnutls|openssl|both.")
 endif ()
 
 add_library (seastar
@@ -722,6 +724,7 @@ add_library (seastar
   src/core/reactor_backend.cc
   src/core/thread_pool.cc
   src/core/app-template.cc
+  src/core/cpu_profiler.cc
   src/core/disk_params.cc
   src/core/dpdk_rte.cc
   src/core/exception_hacks.cc
@@ -755,6 +758,7 @@ add_library (seastar
   src/core/semaphore.cc
   src/core/condition-variable.cc
   src/core/crypto.cc
+  src/core/signal_mutex.cc
   src/http/api_docs.cc
   src/http/common.cc
   src/http/file_handler.cc
@@ -1132,6 +1136,15 @@ if (Seastar_OPENSSL)
     PRIVATE OpenSSL::SSL OpenSSL::Crypto)
 endif ()
 
+if (Seastar_GNUTLS AND Seastar_OPENSSL)
+  # Public marker: both TLS backends are compiled in, so the active backend is
+  # selected at reactor startup. Code that needs to handle the no-reactor case
+  # (e.g. static initializers, unit tests without a reactor) can use this to
+  # distinguish from the single-backend builds where the backend is fixed at
+  # compile time and available unconditionally.
+  target_compile_definitions (seastar PUBLIC SEASTAR_TLS_DUAL_BACKEND)
+endif ()
+
 set_option_if_package_is_found (Seastar_IO_URING LibUring)
 if (Seastar_IO_URING)
   list (APPEND Seastar_PRIVATE_COMPILE_DEFINITIONS SEASTAR_HAVE_URING)

apps/memcached/memcache.cc

@@ -893,7 +893,7 @@ class ascii_protocol {
 private:
     static void append(std::vector<temporary_buffer<char>>& bufs, const char* buf, size_t size) {
         if (size) {
-            bufs.emplace_back(const_cast<char*>(buf), size, deleter());
+            bufs.push_back(temporary_buffer<char>::maybe_unsafe_from_deleter(const_cast<char*>(buf), size, deleter()));
         }
     }
 
@@ -917,7 +917,7 @@ class ascii_protocol {
 
         append(bufs, msg_crlf);
         append(bufs, item->value());
-        bufs.emplace_back(const_cast<char*>(msg_crlf), strlen(msg_crlf), make_deleter([item = std::move(item)]{}));
+        bufs.push_back(temporary_buffer<char>::maybe_unsafe_from_deleter(const_cast<char*>(msg_crlf), strlen(msg_crlf), make_deleter([item = std::move(item)]{})));
     }
 
     template <bool WithVersion>

configure.py

@@ -173,6 +173,9 @@ def resolve_compilers_for_compiler_cache(args, compiler_cache):
 arg_parser.add_argument('--verbose', dest='verbose', action='store_true', help='Make configure output more verbose.')
 arg_parser.add_argument('--scheduling-groups-count', action='store', dest='scheduling_groups_count', default='16',
                         help='Number of available scheduling groups in the reactor')
+arg_parser.add_argument('--tls-mode', action='store', dest='tls_mode',
+                        choices=['gnutls', 'openssl', 'both'], default='gnutls',
+                        help='TLS backend(s) to enable: gnutls (default), openssl, or both')
 
 add_tristate(
     arg_parser,
@@ -289,6 +292,8 @@ def configure_mode(mode):
         '-DBUILD_SHARED_LIBS={}'.format('yes' if mode in ('debug', 'dev') else 'no'),
         '-DSeastar_API_LEVEL={}'.format(args.api_level),
         '-DSeastar_SCHEDULING_GROUPS_COUNT={}'.format(args.scheduling_groups_count),
+        '-DSeastar_GNUTLS={}'.format('ON' if args.tls_mode in ('gnutls', 'both') else 'OFF'),
+        '-DSeastar_OPENSSL={}'.format('ON' if args.tls_mode in ('openssl', 'both') else 'OFF'),
         tr(args.exclude_tests, 'EXCLUDE_TESTS_FROM_ALL'),
         tr(args.exclude_apps, 'EXCLUDE_APPS_FROM_ALL'),
         tr(args.exclude_demos, 'EXCLUDE_DEMOS_FROM_ALL'),

demos/tls_echo_server.hh

@@ -46,70 +46,86 @@ class echoserver {
     seastar::gate _gate;
     bool _stopped = false;
     bool _verbose = false;
+
+    future<stop_iteration> run_once() {
+        if (_stopped) {
+            return make_ready_future<stop_iteration>(stop_iteration::yes);
+        }
+        return with_gate(_gate, [this] {
+            return _socket.accept().then([this](accept_result ar) {
+                ::connected_socket s = std::move(ar.connection);
+                    socket_address a = std::move(ar.remote_address);
+                    if (_verbose) {
+                        std::cout << "Got connection from "<< a << std::endl;
+                    }
+                    auto strms = make_lw_shared<streams>(std::move(s));
+                    return repeat([strms, this]() {
+                        return strms->in.read().then([this, strms](temporary_buffer<char> buf) {
+                            if (buf.empty()) {
+                                if (_verbose) {
+                                    std::cout << "EOM" << std::endl;
+                                }
+                                return make_ready_future<stop_iteration>(stop_iteration::yes);
+                            }
+                            sstring tmp(buf.begin(), buf.end());
+                            if (_verbose) {
+                                std::cout << "Read " << tmp.size() << "B" << std::endl;
+                            }
+                            return strms->out.write(tmp).then([strms]() {
+                                return strms->out.flush();
+                            }).then([] {
+                                return make_ready_future<stop_iteration>(stop_iteration::no);
+                            });
+                        });
+                    }).then([strms]{
+                        return strms->out.close();
+                    }).handle_exception([](auto ep) {
+                        std::cout << "Exception: " << ep << std::endl;
+                    }).finally([this, strms]{
+                        if (_verbose) {
+                            std::cout << "Ending session" << std::endl;
+                        }
+                        return strms->in.close();
+                    });
+            }).handle_exception([this](auto ep) {
+                if (!_stopped) {
+                    std::cerr << "Error: " << ep << std::endl;
+                }
+            }).then([this] {
+                return make_ready_future<stop_iteration>(_stopped ? stop_iteration::yes : stop_iteration::no);
+            });
+        });
+    }
 public:
     echoserver(bool verbose = false)
             : _certs(make_shared<tls::server_credentials>(make_shared<tls::dh_params>()))
             , _verbose(verbose)
     {}
 
-    future<> listen(socket_address addr, sstring crtfile, sstring keyfile, tls::client_auth ca = tls::client_auth::NONE) {
-        _certs->set_client_auth(ca);
-        return _certs->set_x509_key_file(crtfile, keyfile, tls::x509_crt_format::PEM).then([this, addr] {
-            ::listen_options opts;
-            opts.reuse_address = true;
+    future<> listen(socket_address addr, sstring crtfile, sstring keyfile, sstring cafile) {
+        _certs->set_dn_verification_callback([](seastar::tls::session_type, sstring subject, sstring issuer){
+            std::cout << "DN Verification callback, subject: " << subject << " issuer: " << issuer << std::endl;
+        });
+        auto f = make_ready_future();
+        auto cauth = tls::client_auth::NONE;
+        if (cafile != "") {
+            cauth = tls::client_auth::REQUIRE;
+            f = _certs->set_x509_trust_file(cafile, tls::x509_crt_format::PEM);
+        }
+        _certs->set_client_auth(cauth);
+        return f.then([this, addr, crtfile, keyfile] {
+            return _certs->set_x509_key_file(crtfile, keyfile, tls::x509_crt_format::PEM).then([this, addr] {
+                ::listen_options opts;
+                    opts.reuse_address = true;
 
-            _socket = tls::listen(_certs, addr, opts);
+                    _socket = tls::listen(_certs, addr, opts);
 
-            // Listen in background.
-            (void)repeat([this] {
-                if (_stopped) {
-                    return make_ready_future<stop_iteration>(stop_iteration::yes);
-                }
-                return with_gate(_gate, [this] {
-                    return _socket.accept().then([this](accept_result ar) {
-                        ::connected_socket s = std::move(ar.connection);
-                        socket_address a = std::move(ar.remote_address);
-                        if (_verbose) {
-                            std::cout << "Got connection from "<< a << std::endl;
-                        }
-                        auto strms = make_lw_shared<streams>(std::move(s));
-                        return repeat([strms, this]() {
-                            return strms->in.read().then([this, strms](temporary_buffer<char> buf) {
-                                if (buf.empty()) {
-                                    if (_verbose) {
-                                        std::cout << "EOM" << std::endl;
-                                    }
-                                    return make_ready_future<stop_iteration>(stop_iteration::yes);
-                                }
-                                sstring tmp(buf.begin(), buf.end());
-                                if (_verbose) {
-                                    std::cout << "Read " << tmp.size() << "B" << std::endl;
-                                }
-                                return strms->out.write(tmp).then([strms]() {
-                                    return strms->out.flush();
-                                }).then([] {
-                                    return make_ready_future<stop_iteration>(stop_iteration::no);
-                                });
-                            });
-                        }).then([strms]{
-                            return strms->out.close();
-                        }).handle_exception([](auto ep) {
-                        }).finally([this, strms]{
-                            if (_verbose) {
-                                std::cout << "Ending session" << std::endl;
-                            }
-                            return strms->in.close();
-                        });
-                    }).handle_exception([this](auto ep) {
-                        if (!_stopped) {
-                            std::cerr << "Error: " << ep << std::endl;
-                        }
-                    }).then([this] {
-                        return make_ready_future<stop_iteration>(_stopped ? stop_iteration::yes : stop_iteration::no);
+                    // Listen in background.
+                    (void)repeat([this] {
+                        return run_once();
                     });
-                });
+                    return make_ready_future();
             });
-            return make_ready_future();
         });
     }
 

demos/tls_echo_server_demo.cc

@@ -37,6 +37,7 @@ int main(int ac, char** av) {
     app.add_options()
                     ("port", bpo::value<uint16_t>()->default_value(10000), "Server port")
                     ("address", bpo::value<std::string>()->default_value("127.0.0.1"), "Server address")
+                    ("ca,a", bpo::value<std::string>()->default_value(""), "Server CA chain file")
                     ("cert,c", bpo::value<std::string>()->required(), "Server certificate file")
                     ("key,k", bpo::value<std::string>()->required(), "Certificate key")
                     ("verbose,v", bpo::value<bool>()->default_value(false)->implicit_value(true), "Verbose")
@@ -46,6 +47,7 @@ int main(int ac, char** av) {
             seastar_apps_lib::stop_signal stop_signal;
             auto&& config = app.configuration();
             uint16_t port = config["port"].as<uint16_t>();
+            auto ca = config["ca"].as<std::string>();
             auto crt = config["cert"].as<std::string>();
             auto key = config["key"].as<std::string>();
             auto addr = config["address"].as<std::string>();
@@ -61,7 +63,7 @@ int main(int ac, char** av) {
             auto stop_server = deferred_stop(server);
 
             try {
-                server.invoke_on_all(&echoserver::listen, socket_address(ia), sstring(crt), sstring(key), tls::client_auth::NONE).get();
+                server.invoke_on_all(&echoserver::listen, socket_address(ia), sstring(crt), sstring(key),sstring(ca)).get();
             } catch (...) {
                 std::cerr << "Error: " << std::current_exception() << std::endl;
                 return 1;

demos/tls_simple_client_demo.cc

@@ -39,6 +39,8 @@ int main(int ac, char** av) {
                     ("port", bpo::value<uint16_t>()->default_value(10000), "Remote port")
                     ("address", bpo::value<std::string>()->default_value("127.0.0.1"), "Remote address")
                     ("trust,t", bpo::value<std::string>(), "Trust store")
+                    ("certificate", bpo::value<std::string>(), "Certficiate")
+                    ("key,k", bpo::value<std::string>(), "Private Keyfile")
                     ("msg,m", bpo::value<std::string>(), "Message to send")
                     ("bytes,b", bpo::value<size_t>()->default_value(512), "Use random bytes of length as message")
                     ("iterations,i", bpo::value<size_t>()->default_value(1), "Repeat X times")
@@ -68,6 +70,15 @@ int main(int ac, char** av) {
             f = certs->set_x509_trust_file(config["trust"].as<std::string>(), tls::x509_crt_format::PEM);
         }
 
+        if (config.count("certificate") && config.count("key")) {
+            f = f.then([certs,
+                        cert = config["certificate"].as<std::string>(),
+                        key = config["key"].as<std::string>()]{
+                return certs->set_x509_key_file(cert, key, tls::x509_crt_format::PEM);
+            });
+        }
+
+
         seastar::shared_ptr<sstring> msg;
 
         if (config.count("msg")) {

demos/udp_zero_copy_demo.cc

@@ -107,7 +107,7 @@ class server {
                     if (_copy) {
                         bufs.emplace_back(temporary_buffer<char>(chunk, _chunk_size));
                     } else {
-                        bufs.emplace_back(temporary_buffer<char>(chunk, _chunk_size, deleter()));
+                        bufs.emplace_back(temporary_buffer<char>::maybe_unsafe_from_deleter(chunk, _chunk_size, deleter()));
                     }
                     chunk += _chunk_size;
                 }