Re: [libvirt] PATCH: 27/28: Configurable threading in libvirtd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This patch extends the libvirtd configuration file to allow various thread
related parameters to be tuned. It introduces a limit on the number of
client connections allowed over TCP socket to prevent DOS attacks on the
machine resources. It also adds a min/max worker thread pool size for
handling RPC calls. 

 libvirtd.aug      |    6 ++++++
 libvirtd.conf     |   19 +++++++++++++++++++
 qemud.c           |   17 ++++++++++++++++-
 test_libvirtd.aug |   38 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+), 1 deletion(-)

Daniel

diff --git a/qemud/libvirtd.aug b/qemud/libvirtd.aug
--- a/qemud/libvirtd.aug
+++ b/qemud/libvirtd.aug
@@ -13,11 +13,13 @@ module Libvirtd =
 
    let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\""
    let bool_val = store /0|1/
+   let int_val = store /[0-9]+/
    let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
    let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
 
    let str_entry       (kw:string) = [ key kw . value_sep . str_val ]
    let bool_entry      (kw:string) = [ key kw . value_sep . bool_val ]
+   let int_entry      (kw:string) = [ key kw . value_sep . int_val ]
    let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
 
 
@@ -48,6 +50,9 @@ module Libvirtd =
                            | str_array_entry "tls_allowed_dn_list"
                            | str_array_entry "sasl_allowed_username_list"
 
+   let processing_entry = int_entry "min_workers"
+                        | int_entry "max_workers"
+                        | int_entry "max_clients"
 
    (* Each enty in the config is one of the following three ... *)
    let entry = network_entry
@@ -55,6 +60,7 @@ module Libvirtd =
              | authentication_entry
              | certificate_entry
              | authorization_entry
+             | processing_entry
    let comment = [ label "#comment" . del /#[ \t]*/ "# " .  store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
    let empty = [ label "#empty" . eol ]
 
diff --git a/qemud/libvirtd.conf b/qemud/libvirtd.conf
--- a/qemud/libvirtd.conf
+++ b/qemud/libvirtd.conf
@@ -225,3 +225,22 @@
 #sasl_allowed_username_list = ["joe@xxxxxxxxxxx", "fred@xxxxxxxxxxx" ]
 
 
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+# max_clients = 20
+
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, upto max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+#min_workers = 5
+#max_workers = 20
+
diff --git a/qemud/qemud.c b/qemud/qemud.c
--- a/qemud/qemud.c
+++ b/qemud/qemud.c
@@ -129,6 +129,10 @@ static char *crl_file = (char *) "";
 
 static gnutls_certificate_credentials_t x509_cred;
 static gnutls_dh_params_t dh_params;
+
+static int min_workers = 5;
+static int max_workers = 20;
+static int max_clients = 20;
 
 #define DH_BITS 1024
 
@@ -1167,6 +1171,12 @@ static int qemudDispatchServer(struct qe
         return -1;
     }
 
+    if (server->nclients >= max_clients) {
+        qemudLog(QEMUD_ERR, "%s", _("Too many active clients, dropping connection"));
+        close(fd);
+        return -1;
+    }
+
     if (VIR_REALLOC_N(server->clients, server->nclients+1) < 0) {
         qemudLog(QEMUD_ERR, "%s", _("Out of memory allocating clients"));
         close(fd);
@@ -1825,7 +1835,7 @@ static int qemudRunLoop(struct qemud_ser
 
     pthread_mutex_lock(&server->lock);
 
-    server->nworkers = 10;
+    server->nworkers = min_workers;
     if (VIR_ALLOC_N(server->workers, server->nworkers) < 0) {
         qemudLog(QEMUD_ERR, "%s", _("Failed to allocate workers"));
         return -1;
@@ -2221,6 +2231,11 @@ remoteReadConfigFile (struct qemud_serve
 
     if (remoteReadSaslAllowedUsernameList (conf, server, filename) < 0)
         goto free_and_fail;
+
+
+    GET_CONF_INT (conf, filename, min_workers);
+    GET_CONF_INT (conf, filename, max_workers);
+    GET_CONF_INT (conf, filename, max_clients);
 
     virConfFree (conf);
     return 0;
diff --git a/qemud/test_libvirtd.aug b/qemud/test_libvirtd.aug
--- a/qemud/test_libvirtd.aug
+++ b/qemud/test_libvirtd.aug
@@ -227,6 +227,25 @@ sasl_allowed_username_list = [
   \"joe@xxxxxxxxxxx\",
   \"fred@xxxxxxxxxxx\"
 ]
+
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+max_clients = 20
+
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, upto max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+min_workers = 5
+max_workers = 20
 "
 
    test Libvirtd.lns get conf =
@@ -461,3 +480,22 @@ sasl_allowed_username_list = [
              { "1" = "joe@xxxxxxxxxxx" }
              { "2" = "fred@xxxxxxxxxxx" }
         }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "################################################################"}
+        { "#comment" = ""}
+        { "#comment" = "Processing controls"}
+        { "#comment" = ""}
+        { "#empty" }
+        { "#comment" = "The maximum number of concurrent client connections to allow"}
+        { "#comment" = "over all sockets combined."}
+        { "max_clients" = "20" }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "The minimum limit sets the number of workers to start up"}
+        { "#comment" = "initially. If the number of active clients exceeds this,"}
+        { "#comment" = "then more threads are spawned, upto max_workers limit."}
+        { "#comment" = "Typically you'd want max_workers to equal maximum number"}
+        { "#comment" = "of clients allowed"}
+        { "min_workers" = "5" }
+        { "max_workers" = "20" }

-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]