[PATCH] winbindd: control number of winbindd's client connections

Mon Jul 13 19:34:14 UTC 2015

Hi,

Attached pls find version 6 of this patch set, based on Volker's version:
- Added bug report - https://bugzilla.samba.org/show_bug.cgi?id=11397
- Squashed Volker's structural changes
- Added three patches (7-10) that utilize DLIST_PROMOTE to keep the
client list sorted and make list scanning O(1)
- The first patch which self-modifies the FD limit is there for the
time being - awaiting comments. Indeed, the reason I did it that way
was that smbd is already doing it.

Thanks!
Uri

On Mon, Jul 13, 2015 at 11:04 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> Hi!
>
> On Mon, Jul 06, 2015 at 09:40:32PM +0300, Uri Simchoni wrote:
>> Attached pls find V4 of this patch, handling the case where winbindd
>> runs out of file descriptors during heavy load. This patch takes a
>> different approach suggested by Volker:
>> 1. The assumption is that we can estimate a limit on the number of
>> winbindd clients (estimate number of processes using winbindd, at most
>> 1 client per process).
>> 2. This limit should be configured into "winbind max clients"
>> 3. Winbindd shall modify its fd limit accordingly
>
> I'm not 100% sure I like winbind to modify that limit
> itself. Isn't that more a task of the surrounding init
> scripts? I know we do it in smbd too, so this is more a
> request for other opinions.
>
>> 4. Add code that closes the winbindd side of the socket immediately if
>> the client closes the socket (up until now, while a request was queued
>> or being processed, the client socket was not sampled) - This ensures
>> one socket per client
>
> These patches look really good. I have some very minor
> cosmetic comments.
>
>> 5. Take from previous patch the changes in client side - avoid retries
>> 6. Take from previous patch the change to enforce "winbind request
>> timeout" at all times, not just when the number of client connections
>> exceeds the limit.
>
> Here I'm not sure how much load this will bring. Walking
> 10.000 winbind connections every 5 seconds might be
> visible. I haven't really looked -- is it possible to sort
> the client list according to what we're looking for using
> DLIST_PROMOTE?
>
>> While the approach of the previous patch set a hard limit on number of
>> file descriptors, at the cost of suspending new connection acceptance,
>> this patch set never stops accepting connections, at the cost of
>> staying with the soft limit (but has provisions to ensure that a
>> carefully planned system will not reach the limit).
>>
>> The patch set:
>> V4 1/7 - Set winbindd process file descriptor limit according to
>> "winbind max clients" and "winbind max domain connections"
>> V4 2/7 - Monitor client socket when request is queued / processed
>> V4 3/7+4/7 - Refine 2/7 by emitting differnet debug messages according
>> to type of client activity while socket is being monitored
>> V4 5/7 - Same as V3 5/6 (changes to client side)
>> V4 6/7 - Same as V3 6/6 (request timeout)
>> V4 7/7 - Change to documentation, clarifying that "winbind max
>> clients" is not a hard limit.
>
> Attached find a patchset with a few Reviewed-by's. Two
> patches in between are "my comments", feel free to squash.
>
> Thanks a lot for looking at this!
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de