[Bug 1179820] New: Kerberos KDC connection limit too low

Roland C. Dowdeswell elric at imrryr.org
Thu Jan 22 09:56:27 EST 2015


On Wed, Jan 21, 2015 at 11:34:52AM -0500, Greg Hudson wrote:
> I think the best choice is to leave the hardcoded limit at 45 and add a
> profile variable to change it.
> 
> We could choose a default based on getrlimit(RLIMIT_NOFILE) and an
> imprecise estimate of fd usage by the rest of the KDC, bounded by some
> maximum, but I think that's too complicated.

A simple heuristic approach that would likely do what you want
would be to simply check the fd returned by accept(2) and if it is
``too close'' to the ulimit then switch off accepting connexions.
Then switch them back on whenever a connexion is closed.  This
would be self-tuning and deal with the fact that you don't know a
priori how many file descriptors the rest of the code is going to
use.  It would, however, fail to work if any other code dup2(2)s
any fds up to the top of the range but that is likely a manageable
risk.

This approach has the added advantage of using existing configuration
to determine the limit rather than creating new configuration
settings that admins would need to learn how to manage.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
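
A sketch in C of the accept(2) heuristic described in the message above, added here as an illustration; it is not part of the original post and is not krb5 code. The names accept_gate, gate_* and gated_accept, and the FD_HEADROOM margin of 16, are assumptions made for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>

#define FD_HEADROOM 16 /* assumed margin left for logs, DB files, etc. */

struct accept_gate {
    long soft_limit; /* RLIMIT_NOFILE soft limit: valid fds are 0..limit-1 */
    bool accepting;  /* false: keep the listener out of the poll set */
};

/* Take the limit from the process's existing ulimit, not from new config. */
int gate_init(struct accept_gate *g) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    g->soft_limit = rl.rlim_cur > (rlim_t)LONG_MAX ? LONG_MAX : (long)rl.rlim_cur;
    g->accepting = true;
    return 0;
}

/* The kernel hands out the lowest free descriptor, so a high fd number means
 * the table is nearly full, whoever else in the process holds descriptors. */
bool gate_on_accept(struct accept_gate *g, int fd) {
    if ((long)fd >= g->soft_limit - FD_HEADROOM)
        g->accepting = false;
    return g->accepting;
}

/* Any closed connection frees a slot, so switch accepting back on. */
void gate_on_close(struct accept_gate *g) { g->accepting = true; }

/* accept(2) wrapper: the accepted connection is kept; only later ones wait. */
int gated_accept(struct accept_gate *g, int listen_fd) {
    int fd = accept(listen_fd, NULL, NULL);
    if (fd >= 0)
        gate_on_accept(g, fd);
    else if (errno == EMFILE || errno == ENFILE)
        g->accepting = false; /* limit already reached by other code */
    return fd;
}

int main(void) {
    struct accept_gate g;
    if (gate_init(&g) != 0)
        return 1;
    printf("soft limit %ld, gate closes at fd >= %ld\n",
           g.soft_limit, g.soft_limit - FD_HEADROOM);
    return 0;
}
```

An event loop would leave the listening socket out of its poll set while accepting is false and call gate_on_close() from its connection teardown path.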

