Disassembling C++ Part 2 -- Objects

What is an object? This article is part two of my Disassembling C++ series.  The first one was here about overloaded functions, and mang...

Sunday, January 21, 2018

Multithreaded SOAP server using QT and C++

In todays world, one of the common things is to be able to serve SOAP requests.  As an enterprise grows, the need for fast response times and optimizations at every possible place becomes more and more important.  I wrote a generalized SOAP server in C++ using QT Creator and gsoap that connects to a database and runs in multiple threads with prepared statements.  Its a little involved of a process, but I hope the ideas here can help others with similar problems.

Environment: QT Creator, Postgres 9.4, gsoap 2.8 on Ubuntu.  Very little if any is OS specific, other than that its made for *nix.  So, FreeBSD and the like should work just fine too.

By the end of this, you will have a SOAP server that connects to a database, that uses multiple threads which are already started and connected to the database, prepared cursors, and an easy path forward to develop new services on it.  We will also add the ability to retrieve the WSDL from the service by accessing it via http://service/?wsdl . Otherwise known as a GET handler.

Step 1: Create the project in QT

In QT Creator, create a new project, QT Console application.  For this example, we will use gsoap to create C++ classes which are generated from a .h file.  It should place the generated files in a subdirectory named soap.  First off lets create the soap definition file.  In this example, soapDef.h, which will be running in the "beer" namespace and named "beersoap".  Yup, its for a brewing website backend.  Make sure you have network, core, and sql included and add LIBS += -lgsoap++

//gsoap beer service name: beersoap
//gsoap beer service port: http://localhost:7575/
//gsoap beer service namespace: urn:beersoap

 * Simple ping operation to verify operation
int beer__ping(void *,char *&pong);

 * Count user records, used mainly for testing DB connection
int beer__usercount(void *_,int &numUsers);

Secondly, to support WSDL retrieval, we can convert the wsdl file generated by gsoap into a C++ file with the text as a variable which we can reference by an extern.  A little shell script magic will do that for us with the following file: wsdl2cpp.sh



echo "const char *wsdlTxt = " > ${cppfile}
cat ${wsdlfile} | sed -e 's:":\\":g' \
                      -e 's:^:":' \
                      -e 's:$:\\n":' >> ${cppfile}
echo ";" >> ${cppfile}

And finally tie it all together inside your .pro file

GSOAPFLAGS=-S -L -c++11 -x -i -d $${_PRO_FILE_PWD_}/soap

gsoap.depends = $${_PRO_FILE_PWD_}/soapDef.h
gsoap.target = $${_PRO_FILE_PWD_}/soap/soapC.cpp
gsoap.commands = \
    soapcpp2 $${GSOAPFLAGS} $${_PRO_FILE_PWD_}/soapDef.h && \
    $${_PRO_FILE_PWD_}/wsdl2cpp.sh \
       $${_PRO_FILE_PWD_}/soap/beersoap.wsdl \
PRE_TARGETDEPS += $${_PRO_FILE_PWD_}/soap/soapC.cpp

Now, when we build, including the file wsdl.cpp will create a const char * named wsdlTxt that has the entire WSDL file in it.  In our case with the GSOAPFLAGS we say server side code only, no library generation, use c++11, no xml files, create a C++ class for our methods, and the output directory is source/soap.

Step 2: Create Database

The next step is to create a database to test this out with.  Create a users table, we are just going to have a method to count the records in there.  And another table called prepstmts.  Two fields, a char(32) or similar and a text fields.  Once it connects, we will use it to create a collection of prepared statements.  By far the longest running database operation is connecting and preparing a statement.  We want to offload that to start up routines instead of during processing.  Next, create a configuration file for the program to use.  We will specify the location using QT's command line option parser framework.

# Beersoap config file

dbhost = localhost
dbuser = beergineer
dbpass = 
dbname = beergineer
tcplisten = 7575
threadpool = 5

Ok.. now we have a config file, our makefile will handle the gsoap stuff for us automatically (remember to include all the .cpp and .h files it creates into your project, including wsdl.cpp), now lets do some coding and show how easy QT makes a lot of the mundane C++ tasks, and how relatively simple something as advanced as a thread pool can be written and managed.

Step 3: main.cpp

This is the application entry point.  As any good programmer will tell you, your main function should do initialization, basic sanity checks, then launch the real application.  QT makes things like parsing command line options in a nice, standard Unix like way really easy, especially with C++11.  Here is my main.cpp file:

#include <QCoreApplication>
#include <iostream>
#include <QCommandLineParser>

#include "Config.h"
#include "Server.h"

int main(int argc, char *argv[])
   QCoreApplication a(argc, argv);

   QCommandLineParser parser;
   parser.setApplicationDescription("Beergineer Soap Server");

      {{"c","configFile"},"Config File Location","configFile"}

   Config *myConfig = new Config(parser.value(configFile));
   if (!myConfig->isValid()) {
      std::cerr << "Config invalid" << std::endl;
      return 1;
   new Server(&a,myConfig);

   return a.exec();

Dont worry about the Config and Server objects yet, we will create those in a minute.  What this does, is calling it with a -h option shows the help, -v shows the version, and the config file we created earlier can be specified with either -c or --configFile.  The output is formatted well and all the nastiness of getopt and the old school way is handled for you.  The reason for a config file instead of a plethora of switches is extensibility, keeping commands reasonable in length, and for security.  If you have everything as an option, any user on the machine can see things like passwords, etc.. if they are specified on the command line.  The Config object is really simple and just reads a file, splits any lines that arent blank or start with # by the equals sign and stores it in a QMap, then provides an accessor method to get the values of it.  Heres the header


#ifndef CONFIG_H
#define CONFIG_H

#include <QString>
#include <QMap>

class Config
      Config(QString confFile);
      QString getSetting(QString name);
      bool isValid() { return myValid; }
      QMap config;
      bool myValid;

#endif // CONFIG_H

And Config.cpp
#include "Config.h"
#include <QFile>
#include <iostream>

Config::Config(QString confFile)
   myValid = false;
   QFile f(confFile);
   if (!f.exists()) {
      std::cerr << "File does not exist: " << confFile.toStdString() << std::endl;
   while (!f.atEnd())
      QString line = f.readLine();
      if (line.trimmed().length() == 0 || line.startsWith("#")) continue;

      int idx = line.indexOf("=");
      QString key = line.left(idx-1).trimmed();
      QString val = line.right(line.length()-idx-1).trimmed();
      config[key] = val;
   QStringList reqattribs;
   reqattribs << "dbhost" << "dbuser" << "dbpass" << "dbname" << "tcplisten" << "threadpool";
   if (!config.size()) return;
   for (int i =0; i < reqattribs.size(); i++)
      if (config.find(reqattribs.at(i)) == config.end()) {
         std::cerr << "Missing required value: " << reqattribs.at(i).toStdString() << std::endl;
   myValid = true;

QString Config::getSetting(QString name)
   if (config.find(name) == config.end()) return "";
   return config[name];

As you can see, fairly simple, boiler plate code.  Next we get into the actual networking part of it.  Qt makes this exceptionally easy using the QTcpServer class.  So without further adue, here is the Server.h class definition

#ifndef SERVER_H
#define SERVER_H

#include <QTcpServer>
#include <QVector>

#include "Config.h"
#include "SoapThread.h"

class Server : public QTcpServer

      Server(QObject *parent,Config *confPtr);

      Config *myConfig;
      void incomingConnection(qintptr handle);
      QVector<SoapThread *> myThreads;

      void newConnection();

#endif // SERVER_H

A few items of note here.  Using this class is very easy, you pretty much just tell it which port / address to use and the override of incomingConnection will pass in the new socket descriptor.  The vector of SoapThread objects are all initialized on start up and in the next file I will show how we connect a connection to a thread.  Here is the Server.cpp file:
#include "Server.h"
#include <iostream>
#include "SoapThread.h"

Server::Server(QObject *parent,Config *confPtr)
   myConfig = confPtr;
   int maxThreads = confPtr->getSetting("threadpool").toInt();
   for (int i =0; i < maxThreads; i++)
      SoapThread *p = new SoapThread(confPtr);

void Server::incomingConnection(qintptr handle)
   int maxThreads = myConfig->getSetting("threadpool").toInt();
   int tries = 50000;
   while (tries)
      for (int i =0; i < maxThreads; i++)
         SoapThread *p = myThreads[i];
         if (!p->isBusy())

Theres a lot packed in here, this is the heart of the application that does the magic.  First in the constructor, we set up the listening socket, which returns immediately, the actual listening happens when the QCoreApplication enters its event loop in the exec() call.  Then we create the threads, each one is created, then started, then, very important because its not intuitive, move the object to itself.  What happens is the event loop and signal / slot dispatchers will remain in the current thread until you actually move it after the thread is started.  The single signal is connected to each thread.  The thread that has the socket descriptor set will process the request.  In real practice a minimal number of threads will be started and if all of them are busy, another one will be started then used to serve the request, then as they are used less and less and there is a sufficient timeout, the thread will clean itself up.  For this purposes though, this is just an example.

Now for the thread class itself.

#include "Config.h"
#include <QThread>
#include <QReadWriteLock>
#include <QSqlDatabase>
#include <QSqlQuery>

#include "soap/soapbeersoapService.h"

class SoapThread : public QThread

      SoapThread(Config *cfgPtr);
      void run();
      bool isBusy();
      void setPendingDescriptor(qintptr);
      QSqlDatabase dbHandle;
      QMap<QString,QSqlQuery> prepStmts;

   public slots:
      void serveRequest();

      Config *myConfig;
      beersoapService *mySoap;
      bool myBusy;
      QReadWriteLock myLock;
      qintptr myPendingDescriptor;


#endif // SOAPTHREAD_H
A little bit to explain here.  First, the code is in a threaded enivronment, so a lock is essential.  Qt makes locking easy, but it must still be done with care.  We also have not only a database handle, which must be unique per thread, but all the values in the prepstmts table (from step 2) will become prepared statements, stored by name in the prepStmts table.

And the implementation:
#include "SoapThread.h"
#include <QObject>
#include <QWriteLocker>
#include <QReadLocker>
#include "Server.h"

int get_handler(struct soap *s);

SoapThread::SoapThread(Config *cfgPtr)
   myConfig = cfgPtr;
   myBusy = true;
   myPendingDescriptor = 0;

void SoapThread::run()
   QWriteLocker lock(&myLock);
   mySoap = new beersoapService();
   mySoap->user = (void *)this;
   mySoap->fget = get_handler;
   dbHandle = QSqlDatabase::addDatabase("QPSQL",
                   QString("%1").arg((quintptr)this,QT_POINTER_SIZE *2,16,QChar('0')));
   QString hostname = myConfig->getSetting("dbhost");
   if (hostname.length() > 0 && hostname != "localhost")
   QSqlQuery pstmtq(dbHandle);
   pstmtq.exec("SELECT * FROM prepstmts");
   while (pstmtq.next())
      QSqlQuery p(dbHandle);
   myBusy = false;

void SoapThread::serveRequest()
   if (!myPendingDescriptor || myBusy) return;
   QWriteLocker lock(&myLock);
   myBusy = true;
   mySoap->socket = myPendingDescriptor;
   myPendingDescriptor = 0;

   myBusy = false;

bool SoapThread::isBusy()
   QReadLocker lock(&myLock);
   return myBusy;

void SoapThread::setPendingDescriptor(qintptr d)
   if (myBusy || myPendingDescriptor) return;
   QWriteLocker lock(&myLock);
   myPendingDescriptor = d;

Ok, to begin with, the real magic doesnt happen in the constructor.  At that point we are still running in the original thread, however, once start is called in the top object, run() is called here, but in a new thread that this object represents.  In there is where we make the connection to the database, create the prepared statements. and set up everything.  The setPendingDescriptor method sets the descriptor of the incoming request for this thread to execute momentarily.  isBusy returns if it is still executing a request.  All variables read or set from outside the thread need the locking around them, as shown above.  There is also way more error checking / handing that must be done for the database access / prep statements but for the sake of brevity I just connected.  When the Server object has an incoming connection, the serveRequest function actually gets called in every thread.  But since only the first non-busy thread got it set, the other ones just return immediately.  Also in the run method, the gsoap object is created here and the fget field is set to a static function shown next.  This supports non SOAP calls to the server (remember http://address?wsdl).  Yup thats coming up.  We also use the user field to point to the thread object so we have access to the public properties of the prepared statements and connected database handle.

The next and last file is the implementation of the soap methods themselves.
 * Core and standard functions for the beersoap service
#include "soap/beersoap.nsmap"

#include <QString>
#include <QVariant>
#include "soap/soapbeersoapService.h"
#include "SoapThread.h"

extern const char *wsdlTxt;

 * \brief Used to determine soap service operation, simply returns the string "PONG!"
 * \param [in] pong Pointer to return string
 * \return status of soap operation in this case always OK
static const char *pongStr = "PONG!";
int beersoapService::ping(void *_param_1, char *&pong)
   pong = (char *)pongStr;
   return SOAP_OK;

 * \brief Handle GET requests
int get_handler(struct soap *s)
   if (!s) return SOAP_GET_METHOD;
   QString url = s->path;
   int idx = url.indexOf("?");
   if (idx == -1) {
      // handle generic get request here
      return 404;
   QString queryStr = url.right(url.length()-idx-1);

   // WSDL Request
   if (queryStr == "wsdl")
      s->http_content = "text/xml";
      return SOAP_OK;

   return 404;

 * \brief Count the rows in the users table, demonstrates database access
int beersoapService::usercount(void *_, int &numUsers)
   (void)_; // unused
   numUsers = -1;
   SoapThread *sThread = (SoapThread *)user;
   QSqlQuery q = sThread->prepStmts.find("countUsers").value();
   numUsers = q.value(0).toInt();
   return SOAP_OK;

So, after all of that, once you get it to compile and run, you now have gsoap objects running in a multithreaded server. The database objects are already connected and ready to go before running a service function, so as you can see with only a few modifications can be made to run very quickly. Hopefully some of the explanations and code here can help someone

FreeBSD 9.0 and up - How to set up an IPSec VPN in the real world

After a frustrating week trying to figure out how to do this, I finally got it, and rather belabor why I switched to OpenBSD years ago the first time and why I want to come back to FreeBSD, and am still not completely sure I made the right decision I will forego the political talk and move on to the technical details.

Here is my setup.  I work from a remote location. I have a whole /24 subnet here at home that I want all of the computers on it to be able to access multiple subnets at work as if I were in the building.  I used to use VPN client software, aka Nortel, but that was very picky and dropped frequently.  So a couple years ago, we realized the box we had been using also spoke IPSec, so we endeavored to set up a connection between the two.  I got it working great on OpenBSD, but since there was multiple subnets, I would frequently lose one of them and have to "bounce" the whole IPSec thing.  In fact it became so frequent (2-3 times a day) that I wrote a shell script and would just run it when I say that things had hanged.  I got to where I was lucky enough to catch it before a terminal session dropped and I lost a bunch of typing I had done in a vi session.  I heard FreeBSD is better, so I'm willing to try it.  I spent all weekend making the switch and I will let you know about the performance later when I've had a chance to try it myself during a typical workday.

Ok, so just to be clear.  The end result is we are going to connect a subnet at a home network / small office with multiple subnets at a corporate office using IPSec and FreeBSD 9.0.  Inserted that to help Google find it.

Step 1 - Rebuild the kernel with IPSec support.

During install, make sure and select that you want the system source installed as well as the ports tree.

We are going to rebuild a kernel on an x64 (amd64) system and call it ROUTER, you can adjust it to what you need, as if youre reading this that should make perfect sense, ie i386
cd /usr/src/sys/amd64/conf

Inside the file change ident to ROUTER, and add the following lines somewhere

option IPSEC
option IPSEC_NAT_T
device crypto

Maybe take out some stuff you dont need, ie SCSI, RAID cards, whatever.

cd ../../..
make buildkernel KERNCONF=ROUTER && make installkernel KERNCONF=ROUTER

Go have a cup of coffee or watch a Star Trek episode, it will be busy for 30 mins or so.  Once its done, reboot and you will be in your new kernel.  In case you have came here after reading the handbook, the option IPSEC_NAT_T is to make an error go away that racoon throws if its not compiled in.  It may not technically be needed, but it takes one lead off the table when trying to troubleshoot.  The error is something like unable to set udp encap.

Step 2 - Install ipsec-tools from ports.

The easiest way, assuming you already have basic networking up: pkg_add -r ipsec-tools

Or cd /usr/ports/security/ipsec-tools then make install if you need special options.  If you are reading this, you are probably fine with the defaults.

Step 3 - Initial networking setup

From here on out I will use something very similar to the network I actually set up.  The first step is to set up one subnet, then we can add the other one(s) after its working.   In case you came here from the handbook, there is good news in case you were thinking of having to acquire all of this information like how the box is set up internally, dont fear. a gif0 tunnel is NOT required.

My setup is as follows, I am behind a regular DSL wireless router so that wireless devices and my TV dont have access to the corporate network, and my IP address is .  My internal subnet that I want to connect with work is  My internet facing address is  My network I am trying to connect to is and the VPN server is  Later I will want to add the network as well.

Another point of interest, unlike OpenBSD, a connection attempt that will use the tunnel must be made before it will start to negotiate a connection. So, here is what I did at first and later migrated to the startup scripts.

route add

Save a file name pingit.sh with the following command in it (assuming you know that a pingable machine on the other side exists at octet 11).  It will send a single ping to the box to start the tunnel, but not wait real long.

ping -c 1 -W 1

Save this file for later when we are ready to test...

Step 4 - IPSec tools configuration

I am using a pre-shared key in my setup, so the first file is psk.txt.  It lives in /usr/local/etc/racoon as does the other files.

It has the format: host key one per line, so in my case it would be  Mysecretpa33word

Wow, difficult, huh?  I didnt pay attention and just put the key in there without the host and it took me 2 hours to figure it out.  It also took me another hour to figure out that it needs chmod 600 psk.txt.

The next file, although deceptively easy, is picky and doesnt give much in the way of informative error messages when things go wrong.

ipsec.conf or setkey.conf, your choice I guess.

spdadd any -P out ipsec esp/tunnel/;
spdadd any -P in ipsec esp/tunnel/;

Pretty self explanatory, but one note.  If you have only one subnet to join, use "require" instead of "unique" on the end of the line.

spdadd yoursubnet theirsubnet any -P out ipsec esp/tunnel/youraddr-theiraddr/unique;

and reverse the addresses and use in instead of out.

Now, if when testing you get errors about a send error, check this file.  Its easy to write and deceptively easy and you can have an address transposed.

Now on to the racoon.conf file:

path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log     debug2; #log verbosity setting: set to 'notify' when testing and debugging is complete

padding # options are not to be changed
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;

timer   # timing options. change as needed
        counter         5;
        interval        20 sec;
        persend         1;
#       natt_keepalive  15 sec;
        phase1          30 sec;
        phase2          15 sec;

listen  # address [port] that racoon will listening on
        isakmp [500];

        exchange_mode   main;
        my_identifier address;
        nat_traversal off;
        initial_contact on;
# Phase 1
        proposal {
                encryption_algorithm    3des;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                lifetime time           3600 sec;
                dh_group                modp1024;


#phase 2
sainfo  anonymous
        lifetime        time    1200 sec;
        encryption_algorithm    3des;
        authentication_algorithm      hmac_md5;
        compression_algorithm   deflate;


Pay most attention to the bolded areas above.

Step 4 - Firing it up

Set up 3 terminal sessions.  1 have a constant tcpdump -lnvvi <youroutsideinterface> udp port 500 running.  Another to use the script from step 3. And the last one to run the VPN.

First, only needs to be done once, or if it changes.
setkey -f /usr/local/etc/ipsec.conf

Then to fire it up:
racoon -F

That tells it to run in foreground mode outputting to stdout so you can see it.
Assuming there are no errors and its stays running,   hit the script from step 3. ./pingit.sh

It may take 3-4 times to successfully connect, unless you see a reason why not. But eventually, you will not only see pings come back, but a message like this:

 UPDATE succeeded: ESP/Tunnel[500]->[500] spi=67865083(0x40b89fb)

Here are some common other errors you may see and their solutions:

If you get

Jul  7 08:15:28 maricopacomputer racoon: DEBUG: 1 times of 100 bytes message will be sent to[500]
Jul  7 08:15:28 maricopacomputer racoon: DEBUG:  2fed9acf 4dbbc616 00000000 00000000 01100200 00000000 00000064 0d000034 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c0e10 80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Jul  7 08:15:28 maricopacomputer racoon: DEBUG: resend phase1 packet 2fed9acf4dbbc616:0000000000000000

And no reply, check that you arent routing traffic to the end host through your internal network.

If you get:

2012-07-07 00:16:02: ERROR: phase1 negotiation failed due to send error. dad1f78e51bb5b7e:0000000000000000
2012-07-07 00:16:02: ERROR: failed to begin ipsec sa negotication.

Check setkey.conf closely, especially that the addresses are not transposed or anything.

Step 5 - Adding other subnets

Now that you have subnet 1 working, lets say you want to add a second subnet?

That is very easy.  First of all, add the new records in ipsec.conf, 2 for each.  Then, notice how I had sainfo anonymous  in racoon.conf?  Use that, it makes it so much easier than specifying individual subnets over again.  In ipsec.conf change require to unique.  Otherwise it will only be able to use one subnet at a time and will drop one and connect the other each time there is traffic for the other one.


This set up worked for me.  It may not work for you.  Hopefully it helps other sysadmins out there set up ipsec tunnels in FreeBSD 9.0.  Happy VPN'ing!


After getting this set up over the weekend, today was a day with it in use for work.  And let me say... nice.  It seems more responsive and even a little quicker than OpenBSD.  It may be a beyatch to set up, but it runs like a champ once it is.  

Qt5 Tic-Tac-Toe

This was a fairly simple tic-tac-toe game.  The logic behind it is that it goes through every available move and sees which square will give the computer the highest chance of winning.  If two or more squares are equal, it just selects one at random.  To build this program, yu will need a C++ compiler and qt version 5 including qmake installed.  The idea between using characters X and O or to do native drawing commands was a tough one, but I finally settled on native drawing to a pixmap that was pretty big and then applied them to the squares.  The squares themselves are buttons, so that made the event system a lot easier to use.

Get source from here: https://github.com/beneschtech/qt5-tictactoe