Fwd: [Bug 1179820] New: Kerberos KDC connection limit too low
rmainz at redhat.com
Fri Jan 16 16:57:41 EST 2015
Does anyone know which limit the reporter in the bug report below may be referring to ?
AFAIK we have the following default limits in krb5kdc when running on Linux:
- 1 process (by default)
- max. 45 connections () as defined via |max_tcp_or_rpc_data_connections| in ./krb5/src/lib/apputils/net-server.c (per process, right ?)
- 1024 sockets/files max. as defined via Linux default resource limit for file descriptors (see $ ulimit -n #)
- [optionally] a fd limit imposed when |select()| is used, see |FD_SETSIZE|. Other event processing methods may have other limits
- <... did I miss any limits ? ...>
=The 45 connection limits defined per |max_tcp_or_rpc_data_connections| in ./krb5/src/lib/apputils/net-server.c may be (theory!) a result of the old 64 fd resource limit for user processes in UNIX SystemV+BSD4.3 (which still exists in modern Solaris/Illumos and maybe *BSD, too) ... guessing... maybe 45 was picked so there are at least 19 fds available for other purposes like config files and plugins.
If the "45 connections limit" is the issue... would a patch be acceptable which adds code to query the resource limit for file descriptors ($ ulimit -n #) and then do a |max_tcp_or_rpc_data_connections=MAX(result/2, 45)| ?
----- Forwarded Message -----
> From: bugzilla at redhat.com
> To: kerberos-dev-list at redhat.com
> Sent: Wednesday, January 7, 2015 4:39:27 PM
> Subject: [Bug 1179820] New: Kerberos KDC connection limit too low
> Bug ID: 1179820
> Summary: Kerberos KDC connection limit too low
> Component: krb5
> Description of problem:
> The Kerberos KDC has a low, hard-coded limit on concurrent tcp connections.
> This results in large numbers of INFO level log entries about dropped
> connections when many clients are trying to contact the KDC. It could lead to
> additional problems with more clients.
> My current scenario is not one that should be followed in real life, but
> similar situations could occur with larger numbers of clients that are not
> misconfigured. I anticipate regularly having many hundreds, potentially
> thousands, of connected clients booting nearly simultaneously within the
> How reproducible:
> Steps to Reproduce:
> 1. Configure 62 clients to use a KDC
> 2. Prevent replies from the KDC from reaching the clients
> 3. observe KDC logs as clients attempt to contact KDC
> Actual results:
> Logs fill up with dropped connection messages.
> Expected results:
> affected clients fail to authenticate, but do not exhaust all available open
> connections before they time out.
__ . . __
(o.\ \/ /.o) rmainz at redhat.com
\__\/\/__/ IPA/Kerberos5 team
/O /==\ O\
(;O/ \/ \O;)
More information about the krbdev