[krbdev.mit.edu #8530] krb5- 1.15 KDC network performance issue
Richard Basch via RT
rt-comment at krbdev.mit.edu
Sat Dec 24 23:52:04 EST 2016
Based on a preliminary analysis of net-server.c, it seems that perhaps pktinfo should always be enabled on UDP sockets. It looks like it never causes a failure (at most a warning) and can only help. For instance, if you bind to 127.0.0.1 but the interface is defined as /8, it should still be able to respond even if a packet comes in via 127.1.2.3.
The following patch appears to fix the performance issue.
diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
index 171ecc4..4d5ed61 100644
--- a/src/lib/apputils/net-server.c
+++ b/src/lib/apputils/net-server.c
@@ -752,8 +752,8 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
goto cleanup;
}
- /* Try to turn on pktinfo for UDP wildcard sockets. */
- if (ba->type == UDP && ba->address == NULL) {
+ /* Try to turn on pktinfo for UDP sockets. */
+ if (ba->type == UDP) {
krb5_klog_syslog(LOG_DEBUG, _("Setting pktinfo on socket %s"),
paddr(sock_address));
ret = set_pktinfo(sock, sock_address->sa_family);
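Review bot: dropping `ba->address == NULL` from the condition means pktinfo is now requested on every UDP socket, not only on the implicit wildcard, and the new comment `/* Try to turn on pktinfo for UDP sockets. */` does not say why. The case the old test missed is a wildcard address given explicitly in the configuration, which arrives with `ba->address` set and so skipped this block; either say that in the comment, or, if the wider behaviour on single-address sockets is not wanted, test whether the bound sockaddr is a wildcard instead of whether `ba->address` is NULL. Worth noting in the comment as well that the cost of requesting it on a single-address socket is one LOG_DEBUG line plus the warning below when the system lacks pktinfo, so the wider test is safe even if it is slightly more than needed.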
@@ -762,9 +762,10 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
_("Cannot request packet info for UDP socket address "
"%s port %d"), paddr(sock_address), ba->port);
krb5_klog_syslog(LOG_INFO, _("System does not support pktinfo yet "
- "binding to a wildcard address. "
+ "binding to %s. "
"Packets are not guaranteed to "
- "return on the received address."));
+ "return on the received address."),
+ paddr(sock_address));
}
}
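Review bot: with the condition above widened, the LOG_INFO message `"System does not support pktinfo yet "` / `"binding to %s. "` is now also logged for sockets bound to one specific address, where its second sentence, that packets are not guaranteed to return on the received address, does not apply: a single-address socket can only send from that address. Consider keeping LOG_INFO only when the address is a wildcard and dropping to LOG_DEBUG otherwise, or rewording so it does not read as a warning for those sockets. Small wording nit in the same string: "does not support pktinfo yet binding to" reads as "does not support it yet"; a separator such as "System does not support pktinfo; binding to %s." avoids the ambiguity. The added `paddr(sock_address)` argument does match the one `%s` in the concatenated literal, so the format itself is fine.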
> On Dec 24, 2016, at 10:57 PM, Basch, Richard <Richard.Basch at gs.com> wrote:
>
> -----Original Message-----
> From: Greg Hudson via RT [mailto:rt-comment at krbdev.mit.edu]
> Sent: Saturday, December 24, 2016 1:01 PM
> To: Basch, Richard [Tech]
> Subject: [krbdev.mit.edu #8530] krb5- 1.15 KDC network performance issue
>
> Okay, that sounds like two bugs we need to fix:
>
> 1. If a wildcard address is explicitly specified, we don't set pktinfo on the socket. The one-second latency you observed likely occurs because the KDC sends the reply on the wrong source address and the client doesn't receive it.
>
> 2. If no address is specified and the machine doesn't have any IPv6 addresses (not even a loopback address), the KDC fails to start after failing to bind to the IPv6 wildcard address. The symmetric problem might exist for a machine with only IPv6 addresses.
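The behaviour both messages describe, a wildcard-bound UDP server needing pktinfo so that its reply leaves from the address the request arrived on, as an added runnable example that is not krb5 code and not part of this ticket. It assumes Linux (IP_PKTINFO and struct in_pktinfo; BSD-derived systems use IP_RECVDSTADDR instead) and the default Linux loopback, where the whole of 127.0.0.0/8 is local, so the 127.1.2.3 address from the message above is reachable without configuration. The server, client, port choice and the "AS-REQ"/"AS-REP" payloads are constructed for the demo; kdc_like_roundtrip(1) is the patched behaviour and kdc_like_roundtrip(0) the pre-patch one.

```c
/* Added example, not krb5 code: a wildcard-bound UDP server that uses
 * IP_PKTINFO to learn which local address a request was sent to and pins its
 * reply's source to that address. Linux-specific; assumes the default Linux
 * loopback, where all of 127.0.0.0/8 is local. Addresses, ports and payloads
 * below are constructed for the demo. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* IPv4 equivalent of what the patch's set_pktinfo() asks the kernel for. */
static int enable_pktinfo(int sock)
{
    int one = 1;
    return setsockopt(sock, IPPROTO_IP, IP_PKTINFO, &one, sizeof(one));
}

/* recvmsg() with room for the IP_PKTINFO cmsg; *dst gets the destination
 * address of the request, or INADDR_ANY if no cmsg was delivered. */
static ssize_t recv_with_dst(int sock, char *buf, size_t len,
                             struct sockaddr_in *from, struct in_addr *dst)
{
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct iovec iov = { buf, len };
    struct msghdr msg = { .msg_name = from, .msg_namelen = sizeof(*from),
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *cm;
    ssize_t n = recvmsg(sock, &msg, 0);

    dst->s_addr = htonl(INADDR_ANY);
    for (cm = n < 0 ? NULL : CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm))
        if (cm->cmsg_level == IPPROTO_IP && cm->cmsg_type == IP_PKTINFO)
            *dst = ((struct in_pktinfo *)CMSG_DATA(cm))->ipi_addr;
    return n;
}

/* sendmsg() with an IP_PKTINFO cmsg whose ipi_spec_dst pins the source. */
static ssize_t send_from(int sock, const char *buf, size_t len,
                         struct sockaddr_in *to, struct in_addr src)
{
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))] = { 0 };
    struct iovec iov = { (char *)buf, len };
    struct msghdr msg = { .msg_name = to, .msg_namelen = sizeof(*to),
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    struct in_pktinfo pi = { 0 };

    pi.ipi_spec_dst = src;
    cm->cmsg_level = IPPROTO_IP;
    cm->cmsg_type = IP_PKTINFO;
    cm->cmsg_len = CMSG_LEN(sizeof(pi));
    memcpy(CMSG_DATA(cm), &pi, sizeof(pi));
    return sendmsg(sock, &msg, 0);
}

/* One KDC-like exchange over loopback. The client connect()s to 127.1.2.3, so
 * a reply from any other source is silently discarded and the client times out.
 * Returns 1 if the reply got through, 0 on timeout, -1 on a socket error. */
int kdc_like_roundtrip(int use_pktinfo)
{
    struct sockaddr_in srv_addr = { .sin_family = AF_INET },  /* 0.0.0.0:0 */
                       peer = { .sin_family = AF_INET }, cli_addr;
    struct timeval tv = { 0, 300000 };              /* client waits 300 ms */
    struct in_addr dst;
    socklen_t alen = sizeof(srv_addr);
    char buf[64];
    int rc = -1, srv = socket(AF_INET, SOCK_DGRAM, 0),
        cli = socket(AF_INET, SOCK_DGRAM, 0);

    inet_pton(AF_INET, "127.1.2.3", &peer.sin_addr);
    if (srv < 0 || cli < 0 ||
        bind(srv, (struct sockaddr *)&srv_addr, sizeof(srv_addr)) < 0 ||
        getsockname(srv, (struct sockaddr *)&srv_addr, &alen) < 0 ||
        (use_pktinfo && enable_pktinfo(srv) < 0))
        goto out;
    peer.sin_port = srv_addr.sin_port;              /* ephemeral server port */
    if (connect(cli, (struct sockaddr *)&peer, sizeof(peer)) < 0 ||
        setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0 ||
        send(cli, "AS-REQ", 6, 0) != 6 ||
        recv_with_dst(srv, buf, sizeof(buf), &cli_addr, &dst) < 0)
        goto out;
    /* Patched: reply from the address the request came in on (127.1.2.3).
     * Pre-patch: plain sendto(), the kernel picks 127.0.0.1, the client drops it. */
    if (use_pktinfo ? send_from(srv, "AS-REP", 6, &cli_addr, dst) < 0
                    : sendto(srv, "AS-REP", 6, 0, (struct sockaddr *)&cli_addr,
                             sizeof(cli_addr)) < 0)
        goto out;
    rc = recv(cli, buf, sizeof(buf), 0) == 6 ? 1 : 0;
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return rc;
}
```

kdc_like_roundtrip(1) returns 1: the IP_PKTINFO cmsg on the request carries 127.1.2.3 as ipi_addr, the reply is sent with that as ipi_spec_dst, and the connected client accepts it. kdc_like_roundtrip(0) returns 0: the wildcard socket replies with plain sendto(), the kernel picks the interface's primary address 127.0.0.1 as the source, the client's connected socket discards the mismatched datagram and the receive times out, which is the client-side symptom described in the quoted reply. The same cmsg handling applies to IPv6 with IPV6_RECVPKTINFO/IPV6_PKTINFO and struct in6_pktinfo, which this example does not cover.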