Verified Commit 9b5a9c1a authored by Vladimír Čunát's avatar Vladimír Čunát Committed by Petr Špaček

cleanups after splitting bindings.c

parent dd9e33dc
Pipeline #45134 canceled with stages
in 4 minutes and 24 seconds
This diff is collapsed.
......@@ -18,9 +18,7 @@
#include <lua.h>
int lib_cache (lua_State *L);
int lib_event (lua_State *L);
int lib_modules (lua_State *L);
int lib_net (lua_State *L);
int lib_worker (lua_State *L);
/** Make all the bindings accessible from the lua state,
* .i.e. define those lua tables. */
void kr_bindings_register(lua_State *L);
......@@ -483,7 +483,7 @@ static int cache_zone_import(lua_State *L)
return 1;
int lib_cache(lua_State *L)
int kr_bindings_cache(lua_State *L)
static const luaL_Reg lib[] = {
{ "backends", cache_backends },
Cache configuration
The default cache in Knot Resolver is persistent with LMDB backend, this means that the daemon doesn't lose
the cached data on restart or crash to avoid cold-starts. The cache may be reused between cache
daemons or manipulated from other processes, making for example synchronized load-balanced recursors possible.
.. function::[, config_uri])
:param number max_size: Maximum cache size in bytes.
:return: ``true`` if cache was opened
Open cache with a size limit. The cache will be reopened if already open.
Note that the max_size cannot be lowered, only increased due to how cache is implemented.
.. tip:: Use ``kB, MB, GB`` constants as a multiplier, e.g. ``100*MB``.
As of now, the built-in backend with URI ``lmdb://`` allows you to change the cache directory.
.. code-block:: lua * MB, 'lmdb:///var/cache/knot-resolver')
.. envvar:: cache.size
Set the cache maximum size in bytes. Note that this is only a hint to the backend,
which may or may not respect it. See :func:``.
.. code-block:: lua
cache.size = 100 * MB -- equivalent to ` * MB)`
.. envvar:: cache.current_size
Get the maximum size in bytes.
.. code-block:: lua
.. envvar::
Set the cache storage backend configuration, see :func:`cache.backends()` for
more information. If the new storage configuration is invalid, it is not set.
.. code-block:: lua = 'lmdb://.'
.. envvar:: cache.current_storage
Get the storage backend configuration.
.. code-block:: lua
.. function:: cache.backends()
:return: map of backends
The cache supports runtime-changeable backends, using the optional :rfc:`3986` URI, where the scheme
represents backend protocol and the rest of the URI backend-specific configuration. By default, it
is a ``lmdb`` backend in working directory, i.e. ``lmdb://``.
Example output:
.. code-block:: lua
[lmdb://] => true
.. function:: cache.count()
:return: Number of entries in the cache. Meaning of the number is an implementation detail and is subject of change.
.. function:: cache.close()
:return: ``true`` if cache was closed
Close the cache.
.. note:: This may or may not clear the cache, depending on the cache backend.
.. function:: cache.stats()
.. warning:: Cache statistics are being reworked. Do not rely on current behavior.
Return table of statistics, note that this tracks all operations over cache, not just which
queries were answered from cache or not.
.. code-block:: lua
print('Insertions:', cache.stats().insert)
.. function:: cache.max_ttl([ttl])
:param number ttl: maximum cache TTL in seconds (default: 6 days)
:return: current maximum TTL
Get or set maximum cache TTL.
.. note:: The `ttl` value must be in range `(min_ttl, 4294967295)`.
.. warning:: This settings applies only to currently open cache, it will not persist if the cache is closed or reopened.
.. code-block:: lua
-- Get maximum TTL
-- Set maximum TTL
.. function:: cache.min_ttl([ttl])
:param number ttl: minimum cache TTL in seconds (default: 5 seconds)
:return: current maximum TTL
Get or set minimum cache TTL. Any entry inserted into cache with TTL lower than minimal will be overridden to minimum TTL. Forcing TTL higher than specified violates DNS standards, use with care.
.. note:: The `ttl` value must be in range `<0, max_ttl)`.
.. warning:: This settings applies only to currently open cache, it will not persist if the cache is closed or reopened.
.. code-block:: lua
-- Get minimum TTL
-- Set minimum TTL
.. function:: cache.ns_tout([timeout])
:param number timeout: NS retry interval in milliseconds (default: :c:macro:`KR_NS_TIMEOUT_RETRY_INTERVAL`)
:return: current timeout
Get or set time interval for which a nameserver address will be ignored after determining that it doesn't return (useful) answers.
The intention is to avoid waiting if there's little hope; instead, kresd can immediately SERVFAIL or immediately use stale records (with :ref:`serve_stale <mod-serve_stale>` module).
.. warning:: This settings applies only to the current kresd process.
.. function:: cache.get([domain])
This function is not implemented at this moment.
We plan to re-introduce it soon, probably with a slightly different API.
.. function:: cache.clear([name], [exact_name], [rr_type], [chunk_size], [callback], [prev_state])
Purge cache records matching specified criteria. There are two specifics:
* To reliably remove **negative** cache entries you need to clear subtree with the whole zone. E.g. to clear negative cache entries for (formerly non-existing) record ` A` you need to flush whole subtree starting at zone apex, e.g. `` [#]_.
* This operation is asynchronous and might not be yet finished when call to ``cache.clear()`` function returns. Return value indicates if clearing continues asynchronously or not.
:param string name: subtree to purge; if the name isn't provided, whole cache is purged
(and any other parameters are disregarded).
:param bool exact_name: if set to ``true``, only records with *the same* name are removed;
default: false.
:param kres.type rr_type: you may additionally specify the type to remove,
but that is only supported with ``exact_name == true``; default: nil.
:param integer chunk_size: the number of records to remove in one round; default: 100.
The purpose is not to block the resolver for long.
The default ``callback`` repeats the command after one millisecond
until all matching data are cleared.
:param function callback: a custom code to handle result of the underlying C call.
Its parameters are copies of those passed to `cache.clear()` with one additional
parameter ``rettable`` containing table with return value from current call.
``count`` field contains a return code from :func:`kr_cache_remove_subtree()`.
:param table prev_state: return value from previous run (can be used by callback)
:rtype: table
:return: ``count`` key is always present. Other keys are optional and their presence indicate special conditions.
* **count** *(integer)* - number of items removed from cache by this call (can be 0 if no entry matched criteria)
* **not_apex** - cleared subtree is not cached as zone apex; proofs of non-existence were probably not removed
* **subtree** *(string)* - hint where zone apex lies (this is estimation from cache content and might not be accurate)
* **chunk_limit** - more than ``chunk_size`` items needs to be cleared, clearing will continue asynchronously
.. code-block:: lua
-- Clear whole cache
> cache.clear()
[count] => 76
-- Clear records at and below 'com.'
> cache.clear('com.')
[chunk_limit] => chunk size limit reached; the default callback will continue asynchronously
[not_apex] => to clear proofs of non-existence call cache.clear('com.')
[count] => 100
[round] => 1
[subtree] => com.
> worker.sleep(0.1)
[cache] asynchonous cache.clear('com', false) finished
-- Clear only ''
> cache.clear('', true)
[round] => 1
[count] => 1
[not_apex] => to clear proofs of non-existence call cache.clear('')
[subtree] =>
.. [#] This is a consequence of DNSSEC negative cache which relies on proofs of non-existence on various owner nodes. It is impossible to efficiently flush part of DNS zones signed with NSEC3.
......@@ -237,7 +237,7 @@ static int event_fdwatch(lua_State *L)
return 1;
int lib_event(lua_State *L)
int kr_bindings_event(lua_State *L)
static const luaL_Reg lib[] = {
{ "after", event_after },
Timers and events
The timer represents exactly the thing described in the examples - it allows you to execute closures
after specified time, or event recurrent events. Time is always described in milliseconds,
but there are convenient variables that you can use - ``sec, minute, hour``.
For example, ``5 * hour`` represents five hours, or 5*60*60*100 milliseconds.
.. function:: event.after(time, function)
:return: event id
Execute function after the specified time has passed.
The first parameter of the callback is the event itself.
.. code-block:: lua
event.after(1 * minute, function() print('Hi!') end)
.. function:: event.recurrent(interval, function)
:return: event id
Similar to :func:`event.after()`, periodically execute function after ``interval`` passes.
.. code-block:: lua
msg_count = 0
event.recurrent(5 * sec, function(e)
msg_count = msg_count + 1
print('Hi #'..msg_count)
.. function:: event.reschedule(event_id, timeout)
Reschedule a running event, it has no effect on canceled events.
New events may reuse the event_id, so the behaviour is undefined if the function
is called after another event is started.
.. code-block:: lua
local interval = 1 * minute
event.after(1 * minute, function (ev)
print('Good morning!')
-- Halven the interval for each iteration
interval = interval / 2
event.reschedule(ev, interval)
.. function:: event.cancel(event_id)
Cancel running event, it has no effect on already canceled events.
New events may reuse the event_id, so the behaviour is undefined if the function
is called after another event is started.
.. code-block:: lua
e = event.after(1 * minute, function() print('Hi!') end)
Watch for file descriptor activity. This allows embedding other event loops or simply
firing events when a pipe endpoint becomes active. In another words, asynchronous
notifications for daemon.
.. function:: event.socket(fd, cb)
:param number fd: file descriptor to watch
:param cb: closure or callback to execute when fd becomes active
:return: event id
Execute function when there is activity on the file descriptor and calls a closure
with event id as the first parameter, status as second and number of events as third.
.. code-block:: lua
e = event.socket(0, function(e, status, nevents)
print('activity detected')
Asynchronous function execution
The `event` package provides a very basic mean for non-blocking execution - it allows running code when activity on a file descriptor is detected, and when a certain amount of time passes. It doesn't however provide an easy to use abstraction for non-blocking I/O. This is instead exposed through the `worker` package (if `cqueues` Lua package is installed in the system).
.. function:: worker.coroutine(function)
Start a new coroutine with given function (closure). The function can do I/O or run timers without blocking the main thread. See cqueues_ for documentation of possible operations and synchronization primitives. The main limitation is that you can't wait for a finish of a coroutine from processing layers, because it's not currently possible to suspend and resume execution of processing layers.
.. code-block:: lua
worker.coroutine(function ()
for i = 0, 10 do
print('executing', i)
.. function:: worker.sleep(seconds)
Pause execution of current function (asynchronously if running inside a worker coroutine).
When daemon is running in forked mode, each process acts independently. This is good because it reduces software complexity and allows for runtime scaling, but not ideal because of additional operational burden.
For example, when you want to add a new policy, you'd need to add it to either put it in the configuration, or execute command on each process independently. The daemon simplifies this by promoting process group leader which is able to execute commands synchronously over forks.
.. code-block:: lua
.. function:: map(expr)
Run expression synchronously over all forks, results are returned as a table ordered as forks. Expression can be any valid expression in Lua.
.. code-block:: lua
-- Current instance only
-- Mapped to forks
map 'hostname()'
[1] => localhost
[2] => localhost
-- Get worker ID from each fork
map ''
[1] => 0
[2] => 1
-- Get cache stats from each fork
map 'cache.stats()'
[1] => {
[hit] => 0
[delete] => 0
[miss] => 0
[insert] => 0
[2] => {
[hit] => 0
[delete] => 0
[miss] => 0
[insert] => 0
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <>.
#include <lua.h>
#include <string.h>
/* Each of these just creates the correspondingly named lua table of functions. */
int kr_bindings_cache (lua_State *L); /* ./cache.c */
int kr_bindings_event (lua_State *L); /* ./event.c */
int kr_bindings_modules (lua_State *L); /* ./modules.c */
int kr_bindings_net (lua_State *L); /* ./net.c */
int kr_bindings_worker (lua_State *L); /* ./worker.c */
static void lualib(lua_State *L, const char *name, lua_CFunction lib_cb)
#if LUA_VERSION_NUM >= 502
luaL_requiref(L, name, lib_cb, 1);
lua_pop(L, 1);
void kr_bindings_register(lua_State *L)
lualib(L, "modules", kr_bindings_modules);
lualib(L, "net", kr_bindings_net);
lualib(L, "cache", kr_bindings_cache);
lualib(L, "event", kr_bindings_event);
lualib(L, "worker", kr_bindings_worker);
int format_error(lua_State* L, const char *err)
lua_Debug d;
lua_getstack(L, 1, &d);
/* error message prefix */
lua_getinfo(L, "Sln", &d);
if (strncmp(d.short_src, "[", 1) != 0) {
lua_pushstring(L, d.short_src);
lua_pushstring(L, ":");
lua_pushnumber(L, d.currentline);
lua_pushstring(L, ": error: ");
lua_concat(L, 4);
} else {
lua_pushstring(L, "error: ");
/* error message */
lua_pushstring(L, err);
lua_concat(L, 2);
return 1;
......@@ -40,7 +40,7 @@
#define STRINGIFY_TOKEN(s) #s
/** @internal Prefix error with file:line
* Implementation lumped into ./worker.c */
* Implementation in ./impl.c */
int KR_COLD format_error(lua_State* L, const char *err);
/** @internal Annotate for static checkers. */
KR_NORETURN int lua_error(lua_State *L);
......@@ -85,7 +85,7 @@ static int mod_unload(lua_State *L)
return 1;
int lib_modules(lua_State *L)
int kr_bindings_modules(lua_State *L)
static const luaL_Reg lib[] = {
{ "list", mod_list },
Modules configuration
The daemon provides an interface for dynamic loading of :ref:`daemon modules <modules-implemented>`.
.. tip:: Use declarative interface for module loading.
.. code-block:: lua
modules = {
hints = {file = '/etc/hosts'}
Equals to:
.. code-block:: lua
hints.config({file = '/etc/hosts'})
.. function:: modules.list()
:return: List of loaded modules.
.. function:: modules.load(name)
:param string name: Module name, e.g. "hints"
:return: boolean
Load a module by name.
.. function:: modules.unload(name)
:param string name: Module name
:return: boolean
Unload a module by name.
......@@ -822,7 +822,7 @@ static int net_bpf_clear(lua_State *L)
return 0;
int lib_net(lua_State *L)
int kr_bindings_net(lua_State *L)
static const luaL_Reg lib[] = {
{ "list", net_list },
.. _network-configuration:
Network configuration
For when listening on ``localhost`` just doesn't cut it.
**Systemd socket configuration**
If you're using our packages with systemd with sockets support (not supported
on CentOS 7), network interfaces are configured using systemd drop-in files for
``kresd.socket`` and ``kresd-tls.socket``.
To configure kresd to listen on public interface, create a drop-in file:
.. code-block:: bash
$ systemctl edit kresd.socket
.. code-block:: none
# /etc/systemd/system/kresd.socket.d/override.conf
.. _kresd-socket-override-port:
The default locahost interface/port can also be removed/overriden by using an
empty ``ListenDatagram=`` or ``ListenStream=`` directive. This can be used when
you want to configure kresd to listen on all IPv4/IPv6 network interfaces (if
you've disabled IPv6 support in kernel, use ```` instead of ``[::]`` ).
.. code-block:: none
# /etc/systemd/system/kresd.socket.d/override.conf
.. note:: Using IPv6 to bind to IPv4 interfaces is currently not compatible
with IPv4 syntax in ``view:addr()`` when using the ``view`` module. For
possible workarounds, see
It can also be useful if you want to use the Knot DNS with the `dnsproxy
module`_ to have both resolver and authoritative server running on the same
.. code-block:: none
# /etc/systemd/system/kresd.socket.d/override.conf
The ``kresd-tls.socket`` can also be configured in the same way to listen for
TLS connections.
.. code-block:: bash
$ systemctl edit kresd-tls.socket
.. code-block:: none
# /etc/systemd/system/kresd-tls.socket.d/override.conf
**Daemon network configuration**
If you don't use systemd with sockets to run kresd, network interfaces are
configured in the config file.
.. tip:: Use declarative interface for network.
.. code-block:: lua
net = { '', net.eth0, net.eth1.addr[1] }
net.ipv4 = false
.. warning:: On machines with multiple IP addresses avoid binding to wildcard ```` or ``::`` (see example below). Knot Resolver could answer from different IP in case the ranges overlap and client will probably refuse such a response.
.. code-block:: lua
net = { '' }
.. envvar:: net.ipv6 = true|false
:return: boolean (default: true)
Enable/disable using IPv6 for contacting upstream nameservers.
.. envvar:: net.ipv4 = true|false
:return: boolean (default: true)
Enable/disable using IPv4 for contacting upstream nameservers.
.. function:: net.listen(addresses, [port = 53, flags = {tls = (port == 853)}])
:return: boolean
Listen on addresses; port and flags are optional.
The addresses can be specified as a string or device,
or a list of addresses (recursively).
The command can be given multiple times, but note that it silently skips
any addresses that have already been bound.
.. code-block:: lua
net.listen(net.lo, 5353)
net.listen({net.eth0, ''}, 53853, {tls = true})
.. function:: net.close(address, [port = 53])
:return: boolean
Close opened address/port pair, noop if not listening.
.. function:: net.list()
:return: Table of bound interfaces.
Example output:
.. code-block:: none
[] => {
[port] => 53
[tcp] => true
[udp] => true
.. function:: net.interfaces()
:return: Table of available interfaces and their addresses.
Example output:
.. code-block:: none
[lo0] => {
[addr] => {
[1] => ::1
[2] =>
[mac] => 00:00:00:00:00:00
[eth0] => {
[addr] => {
[1] =>
[mac] => de:ad:be:ef:aa:bb
.. tip:: You can use ``net.<iface>`` as a shortcut for specific interface, e.g. ``net.eth0``
.. function:: net.bufsize([udp_bufsize])
Get/set maximum EDNS payload available. Default is 4096.
You cannot set less than 512 (512 is DNS packet size without EDNS, 1220 is minimum size for DNSSEC) or more than 65535 octets.
Example output:
.. code-block:: lua
> net.bufsize 4096
> net.bufsize()
.. function:: net.tcp_pipeline([len])
Get/set per-client TCP pipeline limit, i.e. the number of outstanding queries that a single client connection can make in parallel. Default is 100.
.. code-block:: lua
> net.tcp_pipeline()
> net.tcp_pipeline(50)
.. warning:: Please note that too large limit may have negative impact on performance and can lead to increased number of SERVFAIL answers.
.. function:: net.outgoing_v4([string address])
Get/set the IPv4 address used to perform queries. There is also ``net.outgoing_v6`` for IPv6.
The default is ``nil``, which lets the OS choose any address.
.. _tls-server-config:
TLS server configuration
.. note:: Installations using systemd should be configured using systemd-specific procedures
described in manual page ``kresd.systemd(7)``.
DNS-over-TLS server (:rfc:`7858`) can be enabled using ``{tls = true}`` parameter
in :c:func:`net.listen()` function call. For example:
.. code-block:: lua
> net.listen("::", 53) -- plain UDP+TCP on port 53 (standard DNS)
> net.listen("::", 853, {tls = true}) -- DNS-over-TLS on port 853 (standard DoT)
> net.listen("::", 443, {tls = true}) -- DNS-over-TLS on port 443 (non-standard)
By default an self-signed certificate will be generated. For serious deployments
it is strongly recommended to provide TLS certificates signed by a trusted CA