Fwd: [Bug 1179820] New: Kerberos KDC connection limit too low
Greg Hudson
ghudson at mit.edu
Sun Jan 18 12:39:15 EST 2015
On 01/16/2015 04:57 PM, Roland Mainz wrote:
> Does anyone know which limit the reporter in the bug report below may be referring to?
Most likely the 45-connection limit in net-server.c.
> If the "45 connections limit" is the issue... would a patch be acceptable which adds code to query the resource limit for file descriptors ($ ulimit -n #) and then do a |max_tcp_or_rpc_data_connections=MAX(result/2, 45)|?
I don't think the limit is there primarily to prevent fd exhaustion; it
also serves to limit user-space and kernel memory usage. A limit of 45
seems pretty low for any modern host, though.
I believe we would take a patch to make the limit configurable, and to
make the default somewhat higher than it is today. Configurable tuning
parameters aren't great, but I don't see any way to automatically choose
a limit in a way which approximates the highest load capacity while
preventing DoS attacks which disable the KDC through memory exhaustion.
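
The calculation proposed in the quoted question, combined with the configurable limit suggested in the reply, as an added C example that is not part of the original thread or of the krb5 source. The function names, the `reserved_fds` parameter and the `AUTO_CONN_CEILING` value are assumptions made for illustration; the sketch shows that the floor of 45 can exceed a small descriptor limit and that an unlimited `ulimit -n` still needs a bound because of memory use.

```c
#include <limits.h>
#include <stdio.h>
#include <sys/resource.h>

#define LEGACY_CONN_LIMIT 45     /* the 45-connection limit named in the thread */
#define AUTO_CONN_CEILING 1024   /* assumption: bound for the automatic case only */

/* Hypothetical helper. configured > 0 is an administrator-set limit;
 * configured <= 0 derives MAX(nofile/2, 45) as proposed in the thread.
 * reserved_fds covers listeners, logs and database handles. */
int choose_conn_limit(rlim_t nofile_soft, int configured, int reserved_fds)
{
    long usable = INT_MAX, limit;  /* RLIM_INFINITY or huge: "very large" */

    if (nofile_soft != RLIM_INFINITY && nofile_soft <= (rlim_t)INT_MAX)
        usable = (long)nofile_soft;
    if (configured > 0) {
        limit = configured;
    } else {
        limit = usable / 2;
        if (limit < LEGACY_CONN_LIMIT)
            limit = LEGACY_CONN_LIMIT;
        /* Descriptors are not the only cost: each connection also holds
         * user-space and kernel memory, so the automatic value stays bounded. */
        if (limit > AUTO_CONN_CEILING)
            limit = AUTO_CONN_CEILING;
    }
    /* The floor of 45 (or a configured value) can exceed what the process
     * may actually open; clamp to the descriptors left after the reserve. */
    usable -= (reserved_fds > 0) ? reserved_fds : 0;
    if (usable < 1)
        usable = 1;
    return (int)(limit < usable ? limit : usable);
}

/* Reads the soft RLIMIT_NOFILE (what `ulimit -n` reports), applies the policy. */
int current_conn_limit(int configured, int reserved_fds)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return LEGACY_CONN_LIMIT;
    return choose_conn_limit(rl.rlim_cur, configured, reserved_fds);
}

int main(void)
{
    printf("connection limit: %d\n", current_conn_limit(0, 16));
    return 0;
}
```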