Bug 526859

Summary: Modify racoon to allow more than 3,000 file handles.
Product: Red Hat Enterprise Linux 5
Component: ipsec-tools
Version: 5.4
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: low
Reporter: Wade Mealing <wmealing>
Assignee: Tomas Mraz <tmraz>
QA Contact: BaseOS QE <qe-baseos-auto>
CC: herrold, tao
Target Milestone: rc
Keywords: FutureFeature
Doc Type: Enhancement
Last Closed: 2012-03-05 15:20:51 UTC
Bug Blocks: 554476

Description Wade Mealing 2009-10-02 06:40:17 UTC
Description of problem:

Some customers use more than the standard 1024 file descriptors.  This is a particular problem for racoon's IKE daemon, which binds to each of them separately at least once for its IKE ports.

Unfortunately this is more than the FD_SETSIZE limit for select().

I believe that this can be changed by using poll/epoll; however, that would fall into the feature request more so than a bug fix.

Version-Release number of selected component (if applicable):

ipsec-tools-0.6.5-13.el5_3.1.src.rpm    


How reproducible:

Every time.

Steps to Reproduce:
1.  Configure racoon to set up 3000 rules for 3000 different IP addresses for IKE
2.  Start racoon
3.  Wait.
  
Actual results:


2009-08-25 10:53:21: INFO: fe80::21e:bff:fed1:44bc%bond0[500] used as isakmp port (fd=6114)
2009-08-25 10:53:21: INFO: fe80::fcff:ffff:feff:ffff%vif0.1[500] used as isakmp port (fd=6115)
2009-08-25 10:53:21: INFO: fe80::21e:bff:fed1:44be%bond1[500] used as isakmp port (fd=6116)
2009-08-25 10:53:21: INFO: fe80::200:ff:fe00:0%virbr0[500] used as isakmp port (fd=6117)
2009-08-25 10:53:21: ERROR: fd_set overrun

Expected results:

IKE to continue and finish.

Additional info:

I had previously attempted to modify FD_SETSIZE in a test program with a define; however, this didn't seem to work in my application, therefore I assume that, with racoon being considerably more complicated, it would not work either.
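
The limit described in the report, shown as an added example that is not part of the original bug report and is not racoon's code: a bounds check before FD_SET() next to a poll()-based wait that accepts descriptor numbers above FD_SETSIZE. The function names are hypothetical.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* Added example (hypothetical helper names, not racoon's code).
 * FD_SET() on fd >= FD_SETSIZE writes outside the fd_set bitmap, so reject
 * such descriptors. Returns 0 on success, -1 if fd does not fit. */
int fdset_add_checked(fd_set *set, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* poll() takes an array of descriptors instead of a fixed-size bitmap, so
 * descriptor numbers are not bounded by FD_SETSIZE. Returns the index of the
 * first readable descriptor, -1 on timeout, -2 on error. */
int wait_readable_poll(const int *fds, size_t n, int timeout_ms)
{
    struct pollfd *p = calloc(n, sizeof *p);
    int ret = -2;
    if (p == NULL) return ret;
    for (size_t i = 0; i < n; i++) {
        p[i].fd = fds[i];
        p[i].events = POLLIN;
    }
    int rc = poll(p, (nfds_t)n, timeout_ms);
    if (rc == 0) ret = -1;
    for (size_t i = 0; rc > 0 && i < n; i++)
        if (p[i].revents & POLLIN) { ret = (int)i; break; }
    free(p);
    return ret;
}

/* Duplicate fd onto a number >= FD_SETSIZE, raising the soft RLIMIT_NOFILE
 * as far as the hard limit allows. Returns the new fd, or -1 on failure. */
int dup_above_fd_setsize(int fd)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < rl.rlim_max) {
        rl.rlim_cur = rl.rlim_max;
        setrlimit(RLIMIT_NOFILE, &rl);
    }
    return fcntl(fd, F_DUPFD, FD_SETSIZE);
}
```

dup_above_fd_setsize() returns -1 when the hard RLIMIT_NOFILE does not permit descriptors at or above FD_SETSIZE, in which case the high-descriptor case cannot be exercised on that host.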

Comment 1 Tomas Mraz 2009-10-02 06:58:38 UTC
This would require substantial changes to racoon implementation and it would have to be accepted by upstream first. Could the customer try to use openswan instead of ipsec-tools given that openswan is the preferred IKE solution in RHEL?

Comment 2 R P Herrold 2009-10-02 14:43:27 UTC
Tomas

Your comment 1 startled me.  Where is this documented as to 'preferred' applications when multiples exist?

I can get an opened case thru a TAC of course for the answer, but if you know off the top of your head, I'd appreciate it.

-- Russ herrold

Comment 3 Tomas Mraz 2009-10-02 15:05:09 UTC
I don't know if this is documented anywhere. It's just that openswan was recently added to RHEL-5 as it supports the Linux kernel interfaces for setting the IPSEC policies better and its design is probably more robust.

Comment 5 R P Herrold 2009-10-07 17:02:04 UTC
Thank you, Tomas, for your reply.

Comment 7 RHEL Program Management 2009-11-06 18:56:38 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 11 Tomas Mraz 2012-03-05 15:20:51 UTC
We currently do not plan to fix this issue in Red Hat Enterprise Linux 5.