Support forking processes for KeysInUse#146
Merged
mamckee merged 5 commits intoscossl-1.9from Sep 19, 2025
Merged
Conversation
Contributor
samuel-lee-msft
left a comment
samuel-lee-msft
left a comment
There was a problem hiding this comment.
LGTM modulo comments
mamckee
added a commit
that referenced
this pull request
Sep 29, 2025
mamckee
added a commit
that referenced
this pull request
Jan 22, 2026
* Recreate logging thread at fork * Clean pending events in log thread reinit * Only recreate logging thread if it was running in the parent process * Modify keysinuse stack and infos under lock in callback * Move mutex reinitialization
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
KeysInUse relies on the logging thread to periodically log events. The logging thread is created when the SymCrypt provider is initialized, and runs for the lifetime of the provider. If the process forks, only the main thread and all global data are copied. Any additional threads, including the main thread, are not cloned in the child process. This means that only the parent process will emit KeysInUse events, and child processes will not.
This PR adds a new function to keysinuse
p_scossl_keysinuse_atfork_reinit. This function is registered to run in the child process afterforkwithpthread_atfork. The function will recreate the logging thread and reinitialize global state in the child process to enable continued keysinuse logging.This change was verified with a test application that creates a private key, forks child processes, and uses the cloned key object in the child processes to ensure keys loaded in the parent process continue to emit keysinuse telemetry in child processes. I also verified this with nginx and confirmed keysinuse events were correctly written after the change.
p_scossl_keysinuse_atfork_reinitcallback to recreate the logging thread in the child process afterforksk_keysinuse_info_pendingpointer to be global instead of local to the logging threadfork. It needs to be properly cleaned up in the child process to avoid duplicate events and prevent a memory leak.