KDC worker processes project

Roland C. Dowdeswell elric at imrryr.org
Thu Sep 16 19:42:48 EDT 2010


On Thu, Sep 16, 2010 at 05:50:53PM -0500, John Hascall wrote:
>

> "Roland C. Dowdeswell" <elric at imrryr.org> writes:
> > On Thu, Sep 16, 2010 at 03:44:39PM -0400, ghudson at MIT.EDU wrote:
> > > I'm beginning a formal review of the KDC worker processes project,
> > > ending next Friday.  The project proposal is at:
> > > 
> > > http://k5wiki.kerberos.org/wiki/Projects/Parallel_KDC
> > 
> > Another feature that would be quite small but nonetheless would
> > increase robustness to some degree would be to have each child exit
> > after a set period of time and/or requests.  This would reduce the
> > risks of memory leaks or gradual memory corruption in the various
> > DB backends.  The supervisor could restart kids as it reaps them.
>                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> I would prefer to see this behavior instead of the proposed behavior:
> 
>   "When any child process exits, the parent will terminate the
>    other worker processes and exit.
> 
> as it seems more robust.  It also might provide a reasonable path

To add a bit of colour, if you think about what the proposed
behaviour means...  It means that once a client sends a UDP packet
to a KDC which crashes it, the KDC will not reply to the client.
The client will then proceed down the list of KDCs dutifully making
sure that each and every KDC is exposed to the exact same packet
which will likely trigger the exact same bug and therefore result
in the exact same crash.  This could leave you in a position where
you have no KDCs serving any requests at all which would be rather
problematic.

This is one of the main reasons that I put the patch in to start
krb5kdc out of inetd in ``wait'' mode---so that inetd would restart
the KDC if it crashed.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
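The restart-on-exit policy discussed in this message, as an added illustration (this is not code from the thread and not MIT krb5 code): worker processes share one bound UDP socket, each retires after a fixed number of requests, and the supervisor reaps and replaces a child instead of taking the whole service down when one dies. A rate limit on respawns keeps a request that reliably kills workers from turning the supervisor into a fork loop. The handler, the loopback socket and the `b"crash"` request are constructed for the demo; the Supervisor, serve_requests and run_demo names are the example's own.

```python
"""Supervisor/worker sketch for a UDP service in the style of krb5kdc.
Added illustration of the restart-on-exit policy, not krb5 code."""
import os
import signal
import socket
import time
from collections import deque


def serve_requests(sock, max_requests, handler):
    """Worker body: answer at most max_requests datagrams, then return so the
    process is recycled, bounding the effect of slow leaks or corruption."""
    handled = 0
    while handled < max_requests:
        data, peer = sock.recvfrom(65535)
        reply = handler(data)          # an exception here kills this worker only
        sock.sendto(reply, peer)
        handled += 1
    return handled


class Supervisor:
    def __init__(self, sock, nworkers, max_requests, handler,
                 restart_window=60.0, max_restarts=20):
        self.sock, self.nworkers = sock, nworkers
        self.max_requests, self.handler = max_requests, handler
        self.restart_window, self.max_restarts = restart_window, max_restarts
        self.children = set()
        self.exit_times = deque()      # monotonic timestamps of recent child exits

    def restart_delay(self, now):
        """Allow at most max_restarts respawns per restart_window seconds.
        Returns seconds to wait before forking again (0.0 while under the limit)."""
        while self.exit_times and now - self.exit_times[0] > self.restart_window:
            self.exit_times.popleft()
        self.exit_times.append(now)
        if len(self.exit_times) <= self.max_restarts:
            return 0.0
        return self.restart_window - (now - self.exit_times[0])

    def spawn(self):
        pid = os.fork()
        if pid == 0:                                   # child: become a worker
            signal.signal(signal.SIGTERM, signal.SIG_DFL)
            try:
                serve_requests(self.sock, self.max_requests, self.handler)
                os._exit(0)                            # normal retirement
            except BaseException:
                os._exit(1)                            # died on a request
        self.children.add(pid)
        return pid

    def _shutdown(self, signum, frame):
        for pid in list(self.children):
            os.kill(pid, signal.SIGTERM)
        os._exit(0)

    def run(self):
        """Keep nworkers alive, replacing each child as it exits."""
        signal.signal(signal.SIGTERM, self._shutdown)
        for _ in range(self.nworkers):
            self.spawn()
        while True:
            pid, _status = os.wait()                   # reap whichever child exits
            self.children.discard(pid)
            time.sleep(self.restart_delay(time.monotonic()))
            self.spawn()


def demo_handler(data):
    """Constructed request processing: b"crash" models a request that trips a
    fatal bug in the worker; anything else is echoed with the worker's pid."""
    if data == b"crash":
        raise RuntimeError("simulated worker crash")
    return b"%s from pid %d" % (data.upper(), os.getpid())


def run_demo(requests, nworkers=2, max_requests=3, timeout=1.5):
    """Run a supervisor on a loopback UDP socket, send each request in turn and
    return the replies; None marks a request that got no answer, which is what
    the client sees when its own request killed the worker."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    addr = srv.getsockname()
    sup_pid = os.fork()
    if sup_pid == 0:
        Supervisor(srv, nworkers, max_requests, demo_handler).run()
        os._exit(0)
    srv.close()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(timeout)
    replies = []
    try:
        for req in requests:
            client.sendto(req, addr)
            try:
                replies.append(client.recvfrom(65535)[0])
            except socket.timeout:
                replies.append(None)
    finally:
        client.close()
        os.kill(sup_pid, signal.SIGTERM)
        os.waitpid(sup_pid, 0)
    return replies


if __name__ == "__main__":
    reqs = [b"hi"] * 4 + [b"crash"] + [b"hi"] * 4
    for req, rep in zip(reqs, run_demo(reqs)):
        print(req, "->", rep)
```

With two workers retiring after three requests each, eight answered requests must come from at least three distinct worker pids, which is the recycling Roland proposes; the crash request gets no reply (the client moves on to its next KDC), but the pool keeps answering because only that one child died. A real daemon would also log the exit status it reaps and treat a pid that dies before its first request as a sign that respawning is pointless.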
