
Re: connection timeout?



On Wed, 10 Oct 2001 20:27:12 -0700
"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

> Depends on the system, I guess.  If a kernel limit can be higher
> than the default FD_SETSIZE, then FD_SETSIZE should be redefinable.
> This allows a default suitable for the average user application,
> but redefinition as needed to support server applications.  If
> on your system redefining FD_SETSIZE as I showed causes warnings
> or errors, you'll have to take some other approach.

I think modern Linux is quite flexible here: most of the kernel parameters
can be adjusted through /proc entries, for example NR_OPEN.
Googling around I found similar problems with other software too:
http://www.google.com/search?q=cache:e-magIB58oU:www.jlinux.org/server.html+linux+2.4+1024+open+file+descriptors
http://www.google.com/search?q=cache:Bxmnr0lUjx0:www.kegel.com/c10k.html+linux+2.2+select+1024+open+file+descriptors
http://www.openldap.org/lists/openldap-software/200011/msg00180.html
Following this thread there are suggestions about nscd ... we tried with
it before, but were experiencing client lockups in a short period of time
... Someone suggested updating nss_ldap; I'll see if that'll make nscd
work without locking the machines up.


> As my shell's ulimit doesn't have an -n option, I cannot be sure
> what -n does...

from man bash:
ulimit -n: the  maximum number of open file descriptors (most systems do
not allow this value to be set, only displayed)


> No, I was referring to idletimeout.

Yes yes ... I was looking at the 1.2.x man pages :) That looks like it can
help.
 
> I note that well behaved clients should maintain connections
> for as long as they need them, that can be days.
 
I know what persistent connections are, but our client machines use LDAP
for authentication, uid/gid resolving, and run a couple of shell scripts
which use ldapsearch. I think those do not classify as persistent
connections.

And another thing (hm, the third so far :) :

#!/bin/bash
# Fork ldapsearch clients into the background as fast as the shell can;
# every iteration opens two new connections to the replica without
# waiting for the previous ones to finish.
n=0
while [ "$n" -lt 4000 ]
do
    ldapsearch -h ldap-replica uid=someuid >/dev/null &
    ldapsearch -h ldap-replica cn=somecn >/dev/null &
    let "n += 1"
    echo $n
done


Run such a shell script against your LDAP server. It tries to make a lot
of connections at once. Now I have a 2.0.15 OpenLDAP server compiled with
FD_SETSIZE=16384 and the same setting for ulimit -n, but the above script
starts returning "Can't contact LDAP server" before the number reaches
2000. If you let it run in a permanent loop, it could be a simple DoS.


--

Jure Pecar
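The thread above turns on two separate limits: the compile-time FD_SETSIZE that bounds which descriptors a select()-based server can put into an fd_set, and the per-process RLIMIT_NOFILE that "ulimit -n" reports. The following C program is an added illustration written for this page, not code from the original post or from OpenLDAP. It shows the check a select()-based server has to make before FD_SET (a descriptor numbered FD_SETSIZE or higher must not be added), raises the soft RLIMIT_NOFILE toward the hard limit from inside the process, probes how high descriptor numbers actually get under that limit by opening /dev/null repeatedly, and uses poll() on a pipe to show an API with no FD_SETSIZE ceiling. The function names, the 16384 target (taken from the post) and the /dev/null probe are this example's own choices; whether the probe crosses FD_SETSIZE depends on the hard limit of the machine you run it on.

```c
/* Added example: FD_SETSIZE vs RLIMIT_NOFILE, not code from the post or OpenLDAP.
 * Build: cc -std=c99 -o fdlimit fdlimit.c && ./fdlimit */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* A descriptor may only go into an fd_set if it is in [0, FD_SETSIZE).
 * A select()-based server must check this before FD_SET(): accept()
 * returning fd 1024 under the default FD_SETSIZE would otherwise write
 * past the end of the set. */
int fd_select_safe(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Raise the soft RLIMIT_NOFILE (what "ulimit -n" shows) toward `want`,
 * capped at the hard limit, which is all an unprivileged process may do.
 * Returns the resulting soft limit, or -1 on error. */
long raise_nofile_limit(long want)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    rlim_t target = (rlim_t)want;
    if (rl.rlim_max != RLIM_INFINITY && target > rl.rlim_max)
        target = rl.rlim_max;
    if (target > rl.rlim_cur) {
        rl.rlim_cur = target;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            return -1;
    }
    return (long)rl.rlim_cur;
}

/* Open /dev/null up to `n` times, remember the highest descriptor number
 * handed out, then close everything again. open() failing with EMFILE is
 * the soft limit being hit: the same wall the flood script in the post
 * drives the server into. Returns the highest fd seen, or -1. */
int probe_highest_fd(int n)
{
    int *fds = malloc(sizeof(int) * (size_t)n);
    if (fds == NULL)
        return -1;
    int count = 0, highest = -1;
    while (count < n) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0)
            break;                      /* typically EMFILE */
        fds[count++] = fd;
        if (fd > highest)
            highest = fd;
    }
    for (int i = 0; i < count; i++)
        close(fds[i]);
    free(fds);
    return highest;
}

/* poll() takes any descriptor number, so it has no FD_SETSIZE problem.
 * Returns 1 if `fd` is readable within timeout_ms, 0 on timeout, -1 on error. */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int r = poll(&p, 1, timeout_ms);
    if (r < 0)
        return -1;
    if (r == 0)
        return 0;
    return (p.revents & (POLLIN | POLLHUP)) ? 1 : 0;
}

/* Self-check for wait_readable(): an empty pipe is not readable, a pipe
 * with one byte in it is. Returns 1 on success, 0 on mismatch, -1 on error. */
int pipe_poll_demo(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    int before = wait_readable(p[0], 0);       /* nothing written yet */
    if (write(p[1], "x", 1) != 1) {
        close(p[0]); close(p[1]);
        return -1;
    }
    int after = wait_readable(p[0], 100);      /* one byte pending */
    close(p[0]); close(p[1]);
    return (before == 0 && after == 1) ? 1 : 0;
}

int main(void)
{
    long lim = raise_nofile_limit(16384);
    printf("FD_SETSIZE=%d, soft RLIMIT_NOFILE now %ld\n", FD_SETSIZE, lim);
    int hi = probe_highest_fd(2048);
    printf("highest fd reached: %d (%s for select())\n",
           hi, fd_select_safe(hi) ? "safe" : "UNSAFE");
    printf("poll() demo: %s\n", pipe_poll_demo() == 1 ? "ok" : "failed");
    return 0;
}
```

If the hard limit on your system is above 2048, the probe reports a descriptor that fd_select_safe() rejects under the default FD_SETSIZE of 1024; that is the situation slapd is in once ulimit -n is raised without FD_SETSIZE being raised to match, and why the two have to be changed together for a select()-based server.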