Bug 992980
| Summary: | Separate limits for anonymous and authenticated users | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Michal Privoznik <mprivozn> |
| Component: | libvirt | Assignee: | Michal Privoznik <mprivozn> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | ajia, berrange, dyuan, gsun, lsu, rbalakri, rjones, weizhan, yanyang, zpeng |
| Target Milestone: | rc | Keywords: | Upstream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | libvirt-1.2.7-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 981729 | | |
| : | 1086175 | Environment: | |
| Last Closed: | 2015-03-05 07:24:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 981729, 1014604, 1058606, 1070221 | | |
| Bug Blocks: | 1086175 | | |

Description
Michal Privoznik
2013-08-05 10:48:45 UTC
Patch proposed upstream:

https://www.redhat.com/archives/libvir-list/2013-December/msg00453.html

I've just pushed patches upstream:

commit 68f60f669c566e53904ce39c95a57853f7f23638
Author:     Michal Privoznik <mprivozn>
AuthorDate: Tue Mar 4 18:55:24 2014 +0100
Commit:     Michal Privoznik <mprivozn>
CommitDate: Mon Mar 17 17:45:13 2014 +0100

    daemon: Introduce max_anonymous_clients

    https://bugzilla.redhat.com/show_bug.cgi?id=992980

    This config tunable allows users to determine the maximum number of
    accepted but yet not authenticated users.

    Signed-off-by: Michal Privoznik <mprivozn>

commit 4015396b2cf9f43ff77d24e3a4d3e1372f5352a3
Author:     Michal Privoznik <mprivozn>
AuthorDate: Tue Mar 4 15:37:27 2014 +0100
Commit:     Michal Privoznik <mprivozn>
CommitDate: Mon Mar 17 17:37:42 2014 +0100

    virNetServer: Introduce unauth clients counter

    The counter gets incremented on each unauthenticated client added to the
    server and decremented whenever the client authenticates.

    Signed-off-by: Michal Privoznik <mprivozn>

v1.2.2-191-g68f60f6

Hi Michal,

I set 'max_anonymous_clients' to '2' in libvirtd.conf. Then I tried to start 20 LXC containers. All of them are started. There is no error about 'dropping connection' in libvirt log. Could you please help check whether It can be verified by the following steps or not?

Thanks in advance.
Yang

    # rpm -q libvirt
    libvirt-1.2.8-5.el7.x86_64

    # grep max /etc/libvirt/libvirtd.conf
    max_clients= 4
    #max_queued_clients = 2
    max_anonymous_clients = 2
    max_workers =4

    # virsh -c lxc:/// list --all
     Id    Name                           State
    ----------------------------------------------------
     -     lxc-test-0                     shut off
     -     lxc-test-1                     shut off
     -     lxc-test-10                    shut off
     -     lxc-test-11                    shut off
     -     lxc-test-12                    shut off
     -     lxc-test-13                    shut off
     -     lxc-test-14                    shut off
     -     lxc-test-15                    shut off
     -     lxc-test-16                    shut off
     -     lxc-test-17                    shut off
     -     lxc-test-18                    shut off
     -     lxc-test-19                    shut off
     -     lxc-test-2                     shut off
     -     lxc-test-20                    shut off
     -     lxc-test-3                     shut off
     -     lxc-test-4                     shut off
     -     lxc-test-5                     shut off
     -     lxc-test-6                     shut off
     -     lxc-test-7                     shut off
     -     lxc-test-8                     shut off
     -     lxc-test-9                     shut off

    # for i in {1..20}; do virsh -c lxc:/// start lxc-test-$i & done

    # virsh -c lxc:/// list
     Id    Name                           State
    ----------------------------------------------------
     22004 lxc-test-13                    running
     22025 lxc-test-1                     running
     22031 lxc-test-7                     running
     22037 lxc-test-12                    running
     22049 lxc-test-5                     running
     22069 lxc-test-3                     running
     22078 lxc-test-18                    running
     22082 lxc-test-20                    running
     22102 lxc-test-16                    running
     22110 lxc-test-4                     running
     22113 lxc-test-11                    running
     22134 lxc-test-14                    running
     22142 lxc-test-6                     running
     22145 lxc-test-2                     running
     22156 lxc-test-17                    running
     22179 lxc-test-8                     running
     22186 lxc-test-9                     running
     22191 lxc-test-19                    running
     22202 lxc-test-15                    running
     22217 lxc-test-10                    running

    [root@rhel7_test yy]# grep virNetServerAddClient /var/log/libvirtd.log
    2014-10-30 08:40:49.111+0000: 20961: debug : virNetServerAddClient:289 : Temporarily suspending services due to max_anonymous_clients
    2014-10-30 08:40:49.125+0000: 20961: debug : virNetServerAddClient:289 : Temporarily suspending services due to max_anonymous_clients
    2014-10-30 08:40:49.127+0000: 20961: debug : virNetServerAddClient:295 : Temporarily suspending services due to max_clients
    2014-10-30 08:41:19.346+0000: 20961: debug : virNetServerAddClient:295 : Temporarily suspending services due to max_clients
    2014-10-30 08:41:49.574+0000: 20961: debug : virNetServerAddClient:289 : Temporarily suspending services due to max_anonymous_clients
    2014-10-30 08:41:49.574+0000: 20961: debug : virNetServerAddClient:295 : Temporarily suspending services due to max_clients
    ...snip...

    [root@rhel7_test yy]# grep virNetServerCheckLimits /var/log/libvirtd.log
    2014-10-30 08:40:49.113+0000: 20965: debug : virNetServerCheckLimits:1078 : Considering re-enabling services: nclients=2 nclients_max=4 nclients_unauth=1 nclients_unauth_max=2
    2014-10-30 08:40:49.113+0000: 20965: debug : virNetServerCheckLimits:1083 : Re-enabling services
    2014-10-30 08:40:49.126+0000: 20970: debug : virNetServerCheckLimits:1078 : Considering re-enabling services: nclients=3 nclients_max=4 nclients_unauth=1 nclients_unauth_max=2
    2014-10-30 08:40:49.126+0000: 20970: debug : virNetServerCheckLimits:1083 : Re-enabling services
    2014-10-30 08:40:49.127+0000: 20970: debug : virNetServerCheckLimits:1078 : Considering re-enabling services: nclients=3 nclients_max=4 nclients_unauth=0 nclients_unauth_max=2
    2014-10-30 08:40:49.127+0000: 20970: debug : virNetServerCheckLimits:1083 : Re-enabling services
    2014-10-30 08:40:49.128+0000: 20968: debug : virNetServerCheckLimits:1078 : Considering re-enabling services: nclients=4 nclients_max=4 nclients_unauth=0 nclients_unauth_max=2
    2014-10-30 08:41:19.343+0000: 20961: debug : virNetServerCheckLimits:1078 : Considering re-enabling services: nclients=3 nclients_max=4 nclients_unauth=0 nclients_unauth_max=2
    2014-10-30 08:41:19.343+0000: 20961: debug : virNetServerCheckLimits:1083 : Re-enabling services
    ...snip...

(In reply to yangyang from comment #5)
> Hi Michal,
>
> I set 'max_anonymous_clients' to '2' in libvirtd.conf. Then I tried to start
> 20 LXC containers. All of them are started. There is no error about
> 'dropping connection' in libvirt log. Could you please help check whether It
> can be verified by the following steps or not?
>
> Thanks in advance.
> Yang
>
> # rpm -q libvirt
> libvirt-1.2.8-5.el7.x86_64
>
> # grep max /etc/libvirt/libvirtd.conf
> max_clients= 4
> #max_queued_clients = 2
> max_anonymous_clients = 2
> max_workers =4

This could be used, however, you need to set max_queued_clients=0. The problem is, even though libvirt doesn't accept incoming client on the socket, kernel will do partial opening, and queue clients on the socket from which they are taken off by calling accept(). The size of the queue is managed by max_queued_clients. So to disable this set it to zero and you should start seeing connection errors.

(In reply to Michal Privoznik from comment #6)
> (In reply to yangyang from comment #5)
> > Hi Michal,
> >
> > I set 'max_anonymous_clients' to '2' in libvirtd.conf. Then I tried to start
> > 20 LXC containers. All of them are started. There is no error about
> > 'dropping connection' in libvirt log. Could you please help check whether It
> > can be verified by the following steps or not?
> >
> > Thanks in advance.
> > Yang
> >
> > # rpm -q libvirt
> > libvirt-1.2.8-5.el7.x86_64
> >
> > # grep max /etc/libvirt/libvirtd.conf
> > max_clients= 4
> > #max_queued_clients = 2
> > max_anonymous_clients = 2
> > max_workers =4
>
> This could be used, however, you need to set max_queued_clients=0. The
> problem is, even though libvirt doesn't accept incoming client on the
> socket, kernel will do partial opening, and queue clients on the socket from
> which they are taken off by calling accept(). The size of the queue is
> managed by max_queued_clients. So to disable this set it to zero and you
> should start seeing connection errors.

If 'max_queued_clients' is set to zero, it will be translated into 30, right?

If 'max_anonymous_clients' is set to '-1', it will be translated into '18446744073709551615', is it expected result ?
for example:

    # grep max /etc/libvirt/libvirtd.conf
    max_clients= 40
    max_queued_clients = 0
    max_anonymous_clients = -1
    max_workers =40

    #grep virNetServerCheckLimits /var/log/libvirtd.log
    2014-10-31 05:38:14.146+0000: 29136: debug : virNetServerCheckLimits:1078 : Considering re-enabling services: nclients=0 nclients_max=40 nclients_unauth=0 nclients_unauth_max=18446744073709551615
    2014-10-31 05:38:14.146+0000: 29136: debug : virNetServerCheckLimits:1083 : Re-enabling services

Thanks
Yang

(In reply to yangyang from comment #7)
> (In reply to Michal Privoznik from comment #6)
> > (In reply to yangyang from comment #5)
> > > Hi Michal,
> > >
> > > I set 'max_anonymous_clients' to '2' in libvirtd.conf. Then I tried to start
> > > 20 LXC containers. All of them are started. There is no error about
> > > 'dropping connection' in libvirt log. Could you please help check whether It
> > > can be verified by the following steps or not?
> > >
> > > Thanks in advance.
> > > Yang
> > >
> > > # rpm -q libvirt
> > > libvirt-1.2.8-5.el7.x86_64
> > >
> > > # grep max /etc/libvirt/libvirtd.conf
> > > max_clients= 4
> > > #max_queued_clients = 2
> > > max_anonymous_clients = 2
> > > max_workers =4
> >
> > This could be used, however, you need to set max_queued_clients=0. The
> > problem is, even though libvirt doesn't accept incoming client on the
> > socket, kernel will do partial opening, and queue clients on the socket from
> > which they are taken off by calling accept(). The size of the queue is
> > managed by max_queued_clients. So to disable this set it to zero and you
> > should start seeing connection errors.
>
> If 'max_queued_clients' is set to zero, it will be translated into 30, right?

Correct.

>
> If 'max_anonymous_clients' is set to '-1', it will be translated into
> '18446744073709551615', is it expected result ?

Well, it's a broader problem I think. I mean, we don't check for negative values in other cases too (e.g. all these max_*). So I'd save it for separate bug.
It shouldn't be a show stopper for this feature.

>
> for example:
> # grep max /etc/libvirt/libvirtd.conf
> max_clients= 40
> max_queued_clients = 0
> max_anonymous_clients = -1
> max_workers =40
>
> #grep virNetServerCheckLimits /var/log/libvirtd.log
> 2014-10-31 05:38:14.146+0000: 29136: debug : virNetServerCheckLimits:1078 :
> Considering re-enabling services: nclients=0 nclients_max=40
> nclients_unauth=0 nclients_unauth_max=18446744073709551615
> 2014-10-31 05:38:14.146+0000: 29136: debug : virNetServerCheckLimits:1083 :
> Re-enabling services
>

So it works, nice.

Opened a separate bug to track the negative value issue
https://bugzilla.redhat.com/show_bug.cgi?id=1160995

Verify this one as following

Product version
libvirt-1.2.8-6.el7.x86_64

Steps
1. set 'max_*' as following

    # grep max /etc/libvirt/libvirtd.conf
    max_clients= 40
    max_queued_clients = 0
    max_anonymous_clients = 2
    max_workers = 40

    #service libvirtd restart

2. concurrent starting 50 lxc containers

    #for i in {1..50}; do virsh -c lxc:/// start lxc-test-$i & done

All the lxc containers are started, no error in libvirtd.log.
And from the libvirtd.log, the 'max_anonymous_clients' works

    # grep virNetServerAddClient /var/log/libvirtd.log
    2014-11-06 05:45:06.761+0000: 24051: debug : virNetServerAddClient:289 : Temporarily suspending services due to max_anonymous_clients
    2014-11-06 05:45:06.768+0000: 24051: debug : virNetServerAddClient:289 : Temporarily suspending services due to max_anonymous_clients
    2014-11-06 05:45:06.913+0000: 24051: debug : virNetServerAddClient:289 : Temporarily suspending services due to max_anonymous_clients
    2014-11-06 05:45:06.916+0000: 24051: debug : virNetServerAddClient:289 : Temporarily suspending services due to max_anonymous_clients
    2014-11-06 05:45:06.921+0000: 24051: debug : virNetServerAddClient:289 : Temporarily suspending services due to max_anonymous_clients

    # grep virNetServerCheckLimits /var/log/libvirtd.log
    2014-11-06 05:45:06.733+0000: 24229: debug : virNetServerCheckLimits:1078 : Considering re-enabling services: nclients=1 nclients_max=40 nclients_unauth=0 nclients_unauth_max=2
    2014-11-06 05:45:06.733+0000: 24229: debug : virNetServerCheckLimits:1083 : Re-enabling services
    2014-11-06 05:45:06.762+0000: 24058: debug : virNetServerCheckLimits:1078 : Considering re-enabling services: nclients=3 nclients_max=40 nclients_unauth=1 nclients_unauth_max=2
    2014-11-06 05:45:06.762+0000: 24058: debug : virNetServerCheckLimits:1083 : Re-enabling services
    2014-11-06 05:45:06.912+0000: 24058: debug : virNetServerCheckLimits:1078 : Considering re-enabling services: nclients=4 nclients_max=40 nclients_unauth=1 nclients_unauth_max=2

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html
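
The limit accounting and the `-1` value discussed in the comments above, as a simplified model. This is an added example, not libvirt source and not code from this bug: `toy_server`, `toy_step`, `toy_flood`, `limit_unchecked` and `limit_checked` are hypothetical names, and the accept rule is an assumption inferred from the `nclients*` fields in the logs. It shows a limit of 2 suspending services after two unauthenticated clients, and an unchecked `-1` wrapping so that only `max_clients = 40` still applies.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the limits in this bug; hypothetical names, not libvirt code. */
struct toy_server {
    size_t nclients, nclients_max;               /* max_clients */
    size_t nclients_unauth, nclients_unauth_max; /* max_anonymous_clients */
    bool accepting;                              /* false: services suspended */
};
enum toy_event { TOY_CONNECT, TOY_AUTH };

/* Unchecked conversion: a negative config value wraps to a huge unsigned one. */
size_t limit_unchecked(long long cfg) { return (size_t)cfg; }

/* Checked conversion: refuse negative values instead of wrapping. */
int limit_checked(long long cfg, size_t *out) {
    if (cfg >= 0)
        *out = (size_t)cfg;
    return cfg >= 0 ? 0 : -1;
}

/* Apply one event, then recompute whether services stay enabled. */
bool toy_step(struct toy_server *s, enum toy_event ev) {
    if (ev == TOY_CONNECT && !s->accepting)
        return false;                 /* refused: services are suspended */
    if (ev == TOY_CONNECT) {
        s->nclients++;
        s->nclients_unauth++;         /* anonymous until it authenticates */
    } else {
        s->nclients_unauth--;         /* client authenticated */
    }
    s->accepting = s->nclients < s->nclients_max &&
                   s->nclients_unauth < s->nclients_unauth_max;
    return true;
}

/* Clients accepted when n connect and none authenticates (max_clients = 40). */
size_t toy_flood(size_t unauth_max, size_t n) {
    struct toy_server s = { 0, 40, 0, unauth_max, true };
    while (n--)
        toy_step(&s, TOY_CONNECT);
    return s.nclients;
}

int main(void) {
    printf("%zu %zu\n", toy_flood(2, 50), toy_flood(limit_unchecked(-1), 50));
    return 0;
}
```

With the wrapped limit the anonymous cap never triggers, which is why rejecting negative values at config-parse time (as `limit_checked` does) is the safer behaviour for every `max_*` tunable.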