[Bug 1179820] New: Kerberos KDC connection limit too low

Roland Mainz rmainz at redhat.com
Wed Jan 21 09:54:55 EST 2015



----- Original Message -----
> From: "Greg Hudson" <ghudson at mit.edu>
> To: "Roland Mainz" <rmainz at redhat.com>, krbdev at mit.edu
> Sent: Sunday, January 18, 2015 6:39:15 PM
> Subject: Re: Fwd: [Bug 1179820] New: Kerberos KDC connection limit too low
> 
> On 01/16/2015 04:57 PM, Roland Mainz wrote:
> > Does anyone know which limit the reporter in the bug report below may be
> > referring to ?
> 
> Most likely the 45-connection limit in net-server.c.

Agreed.

> > If the "45 connections limit" is the issue... would a patch be acceptable
> > which adds code to query the resource limit for file descriptors ($ ulimit
> > -n #) and then do a |max_tcp_or_rpc_data_connections=MAX(result/2, 45)| ?
> 
> I don't think the limit is there primarily to prevent fd exhaustion; it
> also serves to limit user-space and kernel memory usage.

Right... but AFAIK even with the (current) upper limit of 65535 fds in modern Unix it's hard to imagine driving such machines (assuming a server...) into a wall from the point of view of memory consumption... 65535 fds with 1MB memory consumption would be ~~64GB. Likely other things like database/LDAP/etc. connections etc. would be a bottleneck long before you run out of memory.

> A limit of 45
> seems pretty low for any modern host, though.
> 
> I believe we would take a patch to make the limit configurable, and to
> make the default somewhat higher than it is today.

Bumping the limit while ignoring the fd ulimit will likely cause trouble on Unix systems which still have (( $(ulimit -n) <= 64 )).
AFAIK options are:
1. ignore the fd ulimit issue and just bump the limit to something like 128
2. make default dynamic, based on the $(ulimit -n) value, but use |MIN(default, 45)|
3. make the default static but issue a warning when we're below a certain fd limit
4. set the ulimit for max. open files ourselves to 1024 when we're below that limit and issue a warning when the syscall fails
5. <... insert more options here...>

[1] will cause trouble on Unix systems which still have the low default fd ulimit
[3] is the least invasive change
[4] is likely a portability nightmare... ;-/

> Configurable tuning
> parameters aren't great, but I don't see any way to automatically choose
> a limit in a way which approximates the highest load capacity while
> preventing DOS attacks which disable the KDC through memory exhaustion.

Grumpf... I don't see a good way either... ;-(

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) rmainz at redhat.com
  \__\/\/__/  IPA/Kerberos5 team
  /O /==\ O\  
 (;O/ \/ \O;)
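
Added example, not part of the original message and not krb5 code: one way to combine a static default with the fd-limit warning of option 3, clamping the connection cap to what RLIMIT_NOFILE leaves available. The names choose_conn_limit, conn_limit_from_rlimit, DEFAULT_CONN_LIMIT and RESERVED_FDS, and the values 128 and 16, are assumptions for illustration.

```c
#include <stdio.h>
#include <sys/resource.h>

#define DEFAULT_CONN_LIMIT 128  /* assumed default ("something like 128") */
#define RESERVED_FDS 16         /* assumed: listeners, log, database, stdio */

/* Return the connection cap to use.  configured <= 0 means "not set".
 * *clamped is set to 1 when the fd limit forced a lower cap. */
static int
choose_conn_limit(rlim_t soft_fd_limit, int configured, int *clamped)
{
    int want = (configured > 0) ? configured : DEFAULT_CONN_LIMIT;
    rlim_t usable;

    *clamped = 0;
    if (soft_fd_limit == RLIM_INFINITY)
        return want;
    /* Keep one connection slot even when the fd limit is tiny. */
    usable = (soft_fd_limit > RESERVED_FDS + 1) ?
        soft_fd_limit - RESERVED_FDS : 1;
    if ((rlim_t)want > usable) {
        *clamped = 1;
        return (int)usable;
    }
    return want;
}

/* Query RLIMIT_NOFILE and warn on stderr when the cap had to be lowered. */
static int
conn_limit_from_rlimit(int configured)
{
    struct rlimit rl;
    int clamped, limit;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) {
        perror("getrlimit(RLIMIT_NOFILE)");
        return (configured > 0) ? configured : DEFAULT_CONN_LIMIT;
    }
    limit = choose_conn_limit(rl.rlim_cur, configured, &clamped);
    if (clamped)
        fprintf(stderr, "warning: fd limit %llu lowers connection cap to %d\n",
                (unsigned long long)rl.rlim_cur, limit);
    return limit;
}

int main(void)
{
    printf("connection cap: %d\n", conn_limit_from_rlimit(0));
    return 0;
}
```

Running it under `ulimit -n 64` shows the clamp and the warning; the cap stays a fixed upper bound on accepted connections, so the memory-exhaustion concern raised in the thread is still addressed by the configured or default value, not by the fd limit.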
 

