[krbdev.mit.edu #8530] krb5- 1.15 KDC network performance issue

Richard Basch via RT rt-comment at krbdev.mit.edu
Sun Dec 25 22:08:07 EST 2016


The following patch may address both issues… I tested the earlier patch, but not this one (other than to make sure it compiles cleanly). Hopefully, this will allow the more generic wildcard addressing even when one of the protocol families isn’t bound on any interface. Only the section “@@ -885,11 +886,26 @@ setup_addresses” is new in this patch.


diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
index 171ecc4..13366f5 100644
--- a/src/lib/apputils/net-server.c
+++ b/src/lib/apputils/net-server.c
@@ -752,8 +752,8 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
        goto cleanup;
    }

-    /* Try to turn on pktinfo for UDP wildcard sockets. */
-    if (ba->type == UDP && ba->address == NULL) {
+    /* Try to turn on pktinfo for UDP sockets. */
+    if (ba->type == UDP) {
        krb5_klog_syslog(LOG_DEBUG, _("Setting pktinfo on socket %s"),
                         paddr(sock_address));
        ret = set_pktinfo(sock, sock_address->sa_family);
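Review bot: with the `ba->address == NULL` test dropped, pktinfo is now requested on every UDP socket, including ones bound to a specific address, and the one-line comment no longer explains why that is wanted; a reader will assume it only matters for wildcard binds. Suggest expanding it to something like `/* Turn on pktinfo for all UDP sockets so replies are sourced from the address the request arrived on; this matters for wildcard binds and for a bound address that covers a whole prefix. */`. The `Setting pktinfo on socket %s` line now fires once per UDP socket at startup, which is acceptable at LOG_DEBUG.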
@@ -762,9 +762,10 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
                    _("Cannot request packet info for UDP socket address "
                      "%s port %d"), paddr(sock_address), ba->port);
            krb5_klog_syslog(LOG_INFO, _("System does not support pktinfo yet "
-                                         "binding to a wildcard address.  "
+                                         "binding to %s.  "
                                         "Packets are not guaranteed to "
-                                         "return on the received address."));
+                                         "return on the received address."),
+                             paddr(sock_address));
        }
    }
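Review bot: the new `paddr(sock_address)` argument is correctly placed after the closing `)` of the `_()` call, but this branch now calls paddr() twice on the same sock_address (once in the preceding message with `ba->port`, once here); if paddr() formats into a static buffer that is harmless sequentially, but hoisting the result into a local would make that explicit and cheaper. With the wildcard condition gone from the first hunk, the generic wording `binding to %s.` is the right fix; consider also dropping the double space after the period inside the string, since it survives into the translated message.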

@@ -885,11 +886,26 @@ setup_addresses(struct socksetup *data)
                               verto_callbacks[addr.type],
                               bind_conn_types[addr.type]);
            if (ret) {
-                krb5_klog_syslog(LOG_ERR,
-                                 _("Failed setting up a %s socket (for %s)"),
-                                 bind_type_names[addr.type],
-                                 paddr(ai->ai_addr));
-                goto cleanup;
+                /*
+                 * If a wildcard address resolves to multiple protocol
+                 * families, we will only warn about the bind failure.
+                 * For other conditions, error.
+                 */
+                if ( (ai_list->ai_next == NULL) ||
+                     (ai->ai_family == AF_INET && ((struct sockaddr_in *)ai->ai_addr)->sin_addr.s_addr != INADDR_ANY) ||
+                     (ai->ai_family == AF_INET6 && !IN6_ARE_ADDR_EQUAL(&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, &in6addr_any)) ) {
+                    krb5_klog_syslog(LOG_ERR,
+                                     _("Failed setting up a %s socket (for %s)"),
+                                     bind_type_names[addr.type],
+                                     paddr(ai->ai_addr));
+                    goto cleanup;
+                } else {
+                    krb5_klog_syslog(LOG_WARNING,
+                                     _("Failed setting up a %s socket (for %s)"),
+                                     bind_type_names[addr.type],
+                                     paddr(ai->ai_addr));
+                    continue;
+                }
            }
        }
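Review bot: nothing in this hunk records that a bind was skipped, so if the IPv4 and the IPv6 wildcard binds both fail the loop completes with two warnings and no listening socket; keep a count of successful setups and fail after the loop (`goto cleanup` with an error) when it is zero. Two smaller points on the condition: `ai_list->ai_next == NULL` only tests whether the list has more than one entry, not that the entries are of different protocol families as the comment says, and the three-line expression is well past the file's 80-column style; a helper such as `static int is_wildcard(const struct addrinfo *ai)` holding the AF_INET/AF_INET6 checks would let this read `if (!is_wildcard(ai) || ai_list->ai_next == NULL)`. Finally, the two `krb5_klog_syslog` calls differ only in level, so one call with `tolerate ? LOG_WARNING : LOG_ERR` followed by `if (!tolerate) goto cleanup;` removes the duplicated message.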

> On Dec 24, 2016, at 11:52 PM, Richard Basch <basch at alum.mit.edu> wrote:
> 
> Based on a preliminary analysis of net-server.c, it seems that perhaps pktinfo should always be enabled on UDP sockets. It looks like it never causes a failure (at most a warning) and can only help. For instance, if you bind to 127.0.0.1 but the interface is defined as /8, it should still be able to respond even if a packet comes in via 127.1.2.3.
> 
> The following patch appears to fix the performance issue.
> 
> diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
> index 171ecc4..4d5ed61 100644
> --- a/src/lib/apputils/net-server.c
> +++ b/src/lib/apputils/net-server.c
> @@ -752,8 +752,8 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
>         goto cleanup;
>     }
> 
> -    /* Try to turn on pktinfo for UDP wildcard sockets. */
> -    if (ba->type == UDP && ba->address == NULL) {
> +    /* Try to turn on pktinfo for UDP sockets. */
> +    if (ba->type == UDP) {
>         krb5_klog_syslog(LOG_DEBUG, _("Setting pktinfo on socket %s"),
>                          paddr(sock_address));
>         ret = set_pktinfo(sock, sock_address->sa_family);
> @@ -762,9 +762,10 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
>                     _("Cannot request packet info for UDP socket address "
>                       "%s port %d"), paddr(sock_address), ba->port);
>             krb5_klog_syslog(LOG_INFO, _("System does not support pktinfo yet "
> -                                         "binding to a wildcard address.  "
> +                                         "binding to %s.  "
>                                          "Packets are not guaranteed to "
> -                                         "return on the received address."));
> +                                         "return on the received address."),
> +                             paddr(sock_address));
>         }
>     }
> 
>> On Dec 24, 2016, at 10:57 PM, Basch, Richard <Richard.Basch at gs.com> wrote:
>> 
>> 
>> 
>> -----Original Message-----
>> From: Greg Hudson via RT [mailto:rt-comment at krbdev.mit.edu]
>> Sent: Saturday, December 24, 2016 1:01 PM
>> To: Basch, Richard [Tech]
>> Subject: [krbdev.mit.edu #8530] krb5- 1.15 KDC network performance issue
>> 
>> Okay, that sounds like two bugs we need to fix:
>> 
>> 1. If a wildcard address is explicitly specified, we don't set pktinfo on the socket.  The one-second latency you observed likely occurs because the KDC sends the reply on the wrong source address and the client doesn't receive it.
>> 
>> 2. If no address is specified and the machine doesn't have any IPv6 addresses (not even a loopback address), the KDC fails to start after failing to bind to the IPv6 wildcard address.  The symmetric problem might exist for a machine with only IPv6 addresses.
> 
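The mechanism the whole thread turns on is what IP_PKTINFO gives a UDP listener: the destination address of each datagram, which is the address the reply must be sourced from (bug 1 above, and the 127.1.2.3 case). The following is an added illustration, not code from net-server.c or the krb5 project; it assumes Linux IPv4 semantics (`IP_PKTINFO`, `struct in_pktinfo`; IPv6 uses `IPV6_RECVPKTINFO` instead) and constructs its own request datagram on loopback.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
/* UDP socket on bind_ip:ephemeral with IP_PKTINFO requested (what the patch now does
 * for every UDP listener); returns fd or -1 and stores the bound port in *port. */
static int udp_pktinfo_socket(const char *bind_ip, uint16_t *port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), on = 1;
    struct sockaddr_in sa = { .sin_family = AF_INET }; socklen_t len = sizeof(sa);
    if (fd < 0 || inet_pton(AF_INET, bind_ip, &sa.sin_addr) != 1 ||
        setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof(on)) < 0 ||
        bind(fd, (struct sockaddr *)&sa, len) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    *port = ntohs(sa.sin_port);
    return fd;
}
/* Receive one datagram and extract the address it was sent *to* from the IP_PKTINFO
 * ancillary data: the address a reply has to be sourced from. */
static ssize_t recv_with_dest(int fd, char *buf, size_t len, struct in_addr *dest)
{
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct iovec iov = { buf, len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    ssize_t n = recvmsg(fd, &msg, 0);
    dest->s_addr = INADDR_NONE;
    for (struct cmsghdr *c = n < 0 ? NULL : CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO)
            *dest = ((struct in_pktinfo *)CMSG_DATA(c))->ipi_addr;
    return n;
}
/* A wildcard-bound listener receives a constructed datagram addressed to 127.0.0.1:
 * 1 if pktinfo reports 127.0.0.1 as the destination, 0 if not, -1 on socket error. */
static int demo_wildcard_roundtrip(void)
{
    uint16_t port; char buf[16]; struct in_addr dest;
    struct sockaddr_in to = { .sin_family = AF_INET };
    int srv = udp_pktinfo_socket("0.0.0.0", &port), cli = socket(AF_INET, SOCK_DGRAM, 0);
    if (srv < 0 || cli < 0) return -1;
    to.sin_port = htons(port); inet_pton(AF_INET, "127.0.0.1", &to.sin_addr);
    int sent = sendto(cli, "AS-REQ", 6, 0, (struct sockaddr *)&to, sizeof(to)) == 6;
    ssize_t n = sent ? recv_with_dest(srv, buf, sizeof(buf), &dest) : -1;
    close(cli); close(srv);
    return !sent ? -1 : (n == 6 && dest.s_addr == to.sin_addr.s_addr);
}
```

Without the setsockopt, `recv_with_dest` would report INADDR_NONE and a wildcard-bound KDC would have to let the kernel pick the reply source, which is exactly the mismatch behind the observed one-second retry latency.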



