389-ds-base

Clone
Source Code
GIT

#50330 Ticket 50329 - improve connection default parameters
Closed 3 years ago by spichugi. Opened 5 years ago by firstyear.
firstyear/389-ds-base 50329-improve-connection-defaults  into  master

file modified
+2 -1 
@@ -935,7 +935,8 @@ 
 

  #define CONN_DONE 3
 

  #define CONN_TIMEDOUT 4
 

  

- #define CONN_TURBO_TIMEOUT_INTERVAL 1000 /* milliseconds */
 

+ #define CONN_TURBO_TIMEOUT_INTERVAL 400 /* milliseconds */
 

+ #define CONN_TURBO_TIMEOUT_MAXIMUM 5 /* attempts * interval IE 2000ms with 400 * 5 */
 

  #define CONN_TURBO_CHECK_INTERVAL 5      /* seconds */
 

  #define CONN_TURBO_PERCENTILE 50         /* proportion of threads allowed to be in turbo mode */
 

  #define CONN_TURBO_HYSTERESIS 0          /* avoid flip flopping in and out of turbo mode */

file modified
+4 -4 
@@ -241,8 +241,8 @@ 
 

  

  #define SLAPD_DEFAULT_FILE_MODE S_IRUSR | S_IWUSR
 

  #define SLAPD_DEFAULT_DIR_MODE S_IRWXU
 

- #define SLAPD_DEFAULT_IDLE_TIMEOUT 0 /* seconds - 0 == never */
 

- #define SLAPD_DEFAULT_IDLE_TIMEOUT_STR "0"
 

+ #define SLAPD_DEFAULT_IDLE_TIMEOUT 3600 /* seconds - 0 == never */
 

+ #define SLAPD_DEFAULT_IDLE_TIMEOUT_STR "3600"
 

  #define SLAPD_DEFAULT_SIZELIMIT 2000 /* use -1 for no limit */
 

  #define SLAPD_DEFAULT_SIZELIMIT_STR "2000"
 

  #define SLAPD_DEFAULT_TIMELIMIT 3600 /* use -1 for no limit */
 
@@ -252,8 +252,8 @@ 
 

  #define SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL 40 /* use -1 for no limit */
 

  #define SLAPD_DEFAULT_MAX_SASLIO_SIZE 2097152  /* 2MB in bytes.  Use -1 for no limit */
 

  #define SLAPD_DEFAULT_MAX_SASLIO_SIZE_STR "2097152"
 

- #define SLAPD_DEFAULT_IOBLOCK_TIMEOUT 300000 /* 5 minutes in ms */
 

- #define SLAPD_DEFAULT_IOBLOCK_TIMEOUT_STR "300000"
 

+ #define SLAPD_DEFAULT_IOBLOCK_TIMEOUT 10000 /* 10 second in ms */
 

+ #define SLAPD_DEFAULT_IOBLOCK_TIMEOUT_STR "10000"
 

  #define SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT 300000 /* 5 minutes in ms */
 

  #define SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT_STR "300000"
 

  #define SLAPD_DEFAULT_RESERVE_FDS 64

Bug Description: An issue was raised that appears that our default
values may be misleading and hard to configure correctly in some
circumstances. We should improve our default values to have better
time sharing for connections.

Fix Description: Improve ioblock to be shorter to prevent write
blocks, make reads quicker for sharing, and by default have an
idle disconnect to clients.

https://pagure.io/389-ds-base/issue/50329

Author: William Brown william@blackhats.net.au

Review by: ???

An ioblocktimeout of 1 second is too aggressive. This topic has been debated before in https://pagure.io/389-ds-base/issue/49194. The current timeout is 5 minutes, and personally I feel that is too long, but 1 second is too short. I think something between 10 and 30 seconds might be more appropriate.

10 seconds then? I think that would be a large improvement here. This timeout is only for how long we block, not how long we can maxium time to send.

rebased onto 28dc8733a6a01a6210045742e2a12d2341a02f1c
5 years ago

Updated to 10 seconds

Freeipa is setting it to 10s as well so it is probably a good tuning. I would prefer 30s default value to be smart with slow clients.
ioblocktimeout is a way to support reasonably slow clients and protecting the server from attack. If clients are slow, it could be fine for a worker to wait for several minutes as long as it does not hang the server. On the other side, if all workers get busy with slow clients, the admin would like to protect the server with small timeout.

Freeipa is setting it to 10s as well so it is probably a good tuning. I would prefer 30s default value to be smart with slow clients.
ioblocktimeout is a way to support reasonably slow clients and protecting the server from attack. If clients are slow, it could be fine for a worker to wait for several minutes as long as it does not hang the server. On the other side, if all workers get busy with slow clients, the admin would like to protect the server with small timeout.

I'm going to reach out to support to see if they have had problems with customers who set the ioblocktimeout too low...

If there are no known complaints then I think it's safe to set it to 10 seconds as that would address the more common problems. Having to increase it from 10 seconds would probably be the corner case. I'd rather have one 1 out of 100 customers that have to increase it, rather than have 40 out of 100 customers that need to lower it.

I think if IPA is doing 10s, and they have lots of "demanding" clients already, then this is a good baseline. I'll wait to hear what @mreynolds contact with GSS is like, but I think this sounds pretty well like everyone is in agreement here. :)

I think if IPA is doing 10s, and they have lots of "demanding" clients already, then this is a good baseline. I'll wait to hear what @mreynolds contact with GSS is like, but I think this sounds pretty well like everyone is in agreement here. :)

GSS said they typically tell customers to use between 5 and 10 seconds. So 10 seconds works for me.

Great, so I'm assuming that's an ack from you then?

Great, so I'm assuming that's an ack from you then?

Yessir!

rebased onto 6d080a0
5 years ago

Pull-Request has been merged by firstyear
5 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/3389

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi
3 years ago
Metadata
None
No Tags
Changes Summary 2
+2 -1
file changed
ldap/servers/slapd/connection.c
+4 -4
file changed
ldap/servers/slapd/slap.h
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.