From: Stephen Gallagher <sgallagh@redhat.com>
To: Development of the System Security Services Daemon <sssd-devel@lists.fedorahosted.org>
Cc: Shantanu Goel <sgoel01@yahoo.com>
Sent: Monday, June 18, 2012 2:43 PM
Subject: Re: [SSSD] [PATCH] Add support for terminating idle connections in sssd_nss
On Mon, 2012-06-18 at 14:11 -0400, Simo Sorce wrote:
> On Mon, 2012-06-18 at 13:49 -0400, Stephen Gallagher wrote:
> > On Mon, 2012-06-18 at 13:32 -0400, Simo Sorce wrote:
> > > On Mon, 2012-06-18 at 11:33 -0400, Stephen Gallagher wrote:
> > > > On Mon, 2012-06-18 at 09:33 -0400, Stephen Gallagher wrote:
> > > > > On Mon, 2012-06-18 at 06:30 -0700, Shantanu Goel wrote:
> > > > > > Hi Stephen,
> > > > > >
> > > > > >
> > > > > > Please feel free to modify the patch in any way or shape you deem
> > > > > > necessary for inclusion. We are just glad that you agree there is a
> > > > > > real problem which needs fixing. One thing I ask is if you expect to
> > > > > > have rhel 5 or 6 test RPMs that we could test with the ultimate fix
> > > > > > > any time soon, please drop me a note and we will gladly install them
> > > > > > on some of our problematic machines here to see if they address the
> > > > > > problems we have seen.
> > > > >
> > > > > Sure, once this is done I'm going to be committing it upstream for the
> > > > > master branch (future 1.9), the sssd-1-8 branch (our current LTM
> > > > > release) and the sssd-1-5 branch (our previous LTM release).
> > > > >
> > > > > You should be able to pull the patches from the sssd-1-5 branch and
> > > > > build them for your systems once they're ready.
> > > >
> > > > Ok, new patches attached. Shantanu, these are currently designed for the
> > > > > master branch. We'll get them committed there first and tested out for a
> > > > little while, then we'll backport them.
> > > >
> > > > Patch 0001: Return the correct errno value. Previously it could have
> > > > been reset by closing the socket.
> > > >
> > > > Patch 0002: Add some additional debugging to the client_destructor()
> > > >
> > > > Patch 0003: On systems that support MSG_NOSIGNAL, we should use it. This
> > > > way, if a client app isn't configured to listen for SIGPIPE, it will not
> > > > crash.
> > > >
> > > > Patch 0004: Add a timer to each client context. If sixty seconds pass
> > > > (configurable in the patch 0005) without either read or write activity,
> > > > we will free the client context and close the socket. The client code is
> > > > > already written to be tolerant of this and will reconnect on the next
> > > > request. This will help us avoid resource exhaustion if we have clients
> > > > that hang on to NSS and PAM file descriptors indefinitely (like 'su' and
> > > > 'login' do for PAM).
> > > >
> > > > Patch 0005: Make the client idle timeout value configurable and add it
> > > > to the manpages and config API.
> > >
> > > 0001 ack
> > > 0002 ack
> > > 0003 Please always use send with a default set of flags, make the ifdef
> > > set the default set of flags (0 vs MSG_NOSIGNAL)
> > > 0004 ack (not like much the TODO but I was told 4/5 got split for
> > > reviewability, so ok)
> > > 0005 ack
> >
> >
> >
> > Thanks for the review. New patches attached.
>
> ack to all.
Pushed to master. Also backported to sssd-1-8 and sssd-1-5 and pushed
there as well. See attachments for the exact backported patches.
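
The points made in the thread about patches 0001 and 0003 (keep the errno from the failed call rather than the one left by closing the socket, and call send() with one compile-time default flag set) can be sketched as below. This is an added example, not part of the thread and not SSSD's code; `EXAMPLE_SEND_FLAGS`, `example_send_or_close` and `example_send_result` are hypothetical names, and the socketpair scenario is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* One default flag set chosen at compile time, so every call site uses
 * send() the same way (the shape requested in the 0003 review). */
#ifdef MSG_NOSIGNAL
#define EXAMPLE_SEND_FLAGS MSG_NOSIGNAL
#else
#define EXAMPLE_SEND_FLAGS 0   /* SIGPIPE is still possible on such systems */
#endif

/* Hypothetical helper: send a buffer; on failure close the socket but
 * report the errno from send(), not whatever close() left behind. */
static int example_send_or_close(int *fd, const void *buf, size_t len)
{
    ssize_t n = send(*fd, buf, len, EXAMPLE_SEND_FLAGS);
    if (n < 0) {
        int saved = errno;     /* capture before close() can overwrite it */
        close(*fd);
        *fd = -1;
        errno = saved;
        return -1;
    }
    return (int)n;             /* short writes are left to the caller */
}

/* Constructed scenario: the peer end of a socketpair is closed (peer_open
 * == 0) or left open. Returns 0 on a successful send, otherwise the errno
 * the caller observes after the helper has closed the descriptor. */
static int example_send_result(int peer_open)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (!peer_open) close(sv[1]);
    int rc = example_send_or_close(&sv[0], "ping", 4);
    int seen = (rc < 0) ? errno : 0;
    if (sv[0] >= 0) close(sv[0]);
    if (peer_open) close(sv[1]);
    return seen;
}

int main(void)
{
    printf("peer open: %d, peer closed: %d (EPIPE=%d)\n",
           example_send_result(1), example_send_result(0), EPIPE);
    return 0;
}
```

On a system that defines MSG_NOSIGNAL, the closed-peer case returns EPIPE to the caller instead of delivering SIGPIPE to the process.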