As Python QA tools, BIND system test prerequisites, and documentation
building utilities are now all included in operating system images used
in GitLab CI, do not use pip for installing them in each CI job any
more.
- First merge release branches to maintenance branches, then push
tags. If tags are pushed first and a given set of releases contains
security fixes, the push will be rejected by a server-side Git hook.
- Update ABI check job name.
- Add an item for updating QA tools used in GitLab CI after each
public release.
In process_fd we lock sock->lock and then internal_accept locks mgr->lock,
in isc_sockmgr_render* functions we lock mgr->lock and then lock sock->lock,
that can cause a deadlock when accessing stats. Unlock sock->lock early in
all the internal_{send,recv,connect,accept} functions instead of late
in process_fd.
Add a system test that counts how many address fetches are made
for different numbers of NS records and checks that the number
are successfully limited.
If there are more that 5 NS record for a zone only perform a
maximum of 4 address lookups for all the name servers. This
limits the amount of remote lookup performed for server
addresses at each level for a given query.
as the update triggers by the rndc command to clear the signing records
may not have completed by the time the subsequent rndc command to test
that the records have been removed is commenced. Loop several times to
prevent false negative.
cppcheck 2.0 reports false positives about uninitialized variables in a
lot of places throughout BIND source code, e.g.:
bin/dnssec/dnssec-cds.c:283:6: error: Uninitialized variable: length [uninitvar]
if (isc_buffer_availablelength(&buf) <= len) {
^
Apparently cppcheck 2.0 has issues with processing (&var)->field syntax,
which is what the macros from lib/isc/include/isc/buffer.h are evaluated
to. This issue was reported upstream [1] and will hopefully be
addressed in a future cppcheck release.
In the meantime, to avoid modifying BIND source code in multiple places
just because of a static checker false positive, work around the issue
by adding intermediate variables to buffer macro definitions using a sed
invocation in the cppcheck job script.
[1] https://sourceforge.net/p/cppcheck/discussion/general/thread/122153e3c1/
Add whitespace to the regular expression used for extracting the GCC
version from "gcc --version" output so that it works properly with
multi-digit major version numbers.
Commit ec72d1100d broke the cppcheck job
in GitLab CI: when cppcheck fails, the script is immediately
interrupted, preventing cppcheck-htmlreport from being run. To ensure
the HTML report is generated when cppcheck fails, revert to invoking
cppcheck-htmlreport in the "after_script" part of the job.
the dnstap test was pausing for 20 seconds to search for a string in
named.run, which only appears if named is built with --enable-developer or
--enable-querytrace.
wire_test is not only used by the dnstap system test, but also in
fuzz testing. it doesn't need to be installed, but it's useful to have it
built when BIND is. this commit moves it back from bin/tests/system to
bin/tests, as a noinst_PROGRAM so that it's built by "make all" but
not installed.
Although in util/api-checker.sh we create textual reports, we don't
preserve them in job artifacts, but we should.
We don't want to keep all HTML pages present in the project root, but
just those produced by ABI checker.
Instead of using bind() and passing the listening socket to the children
threads using uv_export/uv_import use one thread that does the accepting,
and then passes the connected socket using uv_export/uv_import to a random
worker. The previous solution had thundering herd problems (all workers
waking up on one connection and trying to accept()), this one avoids this
and is simpler.
The tcp clients quota is simplified with isc_quota_attach_cb - a callback
is issued when the quota is available.
