This patch extends the libvirtd configuration file to allow various thread
related parameters to be tuned. It introduces a limit on the number of
client connections allowed over TCP socket to prevent DOS attacks on the
machine resources. It also adds a min/max worker thread pool size for
handling RPC calls.
libvirtd.aug | 6 ++++++
libvirtd.conf | 19 +++++++++++++++++++
qemud.c | 17 ++++++++++++++++-
test_libvirtd.aug | 38 ++++++++++++++++++++++++++++++++++++++
4 files changed, 79 insertions(+), 1 deletion(-)
Daniel
diff --git a/qemud/libvirtd.aug b/qemud/libvirtd.aug
--- a/qemud/libvirtd.aug
+++ b/qemud/libvirtd.aug
@@ -13,11 +13,13 @@ module Libvirtd =
let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\""
let bool_val = store /0|1/
+ let int_val = store /[0-9]+/
let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
let str_entry (kw:string) = [ key kw . value_sep . str_val ]
let bool_entry (kw:string) = [ key kw . value_sep . bool_val ]
+ let int_entry (kw:string) = [ key kw . value_sep . int_val ]
let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
@@ -48,6 +50,9 @@ module Libvirtd =
| str_array_entry "tls_allowed_dn_list"
| str_array_entry "sasl_allowed_username_list"
+ let processing_entry = int_entry "min_workers"
+ | int_entry "max_workers"
+ | int_entry "max_clients"
(* Each enty in the config is one of the following three ... *)
let entry = network_entry
@@ -55,6 +60,7 @@ module Libvirtd =
| authentication_entry
| certificate_entry
| authorization_entry
+ | processing_entry
let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
let empty = [ label "#empty" . eol ]
diff --git a/qemud/libvirtd.conf b/qemud/libvirtd.conf
--- a/qemud/libvirtd.conf
+++ b/qemud/libvirtd.conf
@@ -225,3 +225,22 @@
#sasl_allowed_username_list = ["joe@xxxxxxxxxxx", "fred@xxxxxxxxxxx" ]
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+# max_clients = 20
+
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, upto max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+#min_workers = 5
+#max_workers = 20
+
diff --git a/qemud/qemud.c b/qemud/qemud.c
--- a/qemud/qemud.c
+++ b/qemud/qemud.c
@@ -129,6 +129,10 @@ static char *crl_file = (char *) "";
static gnutls_certificate_credentials_t x509_cred;
static gnutls_dh_params_t dh_params;
+
+static int min_workers = 5;
+static int max_workers = 20;
+static int max_clients = 20;
#define DH_BITS 1024
@@ -1167,6 +1171,12 @@ static int qemudDispatchServer(struct qe
return -1;
}
+ if (server->nclients >= max_clients) {
+ qemudLog(QEMUD_ERR, "%s", _("Too many active clients, dropping connection"));
+ close(fd);
+ return -1;
+ }
+
if (VIR_REALLOC_N(server->clients, server->nclients+1) < 0) {
qemudLog(QEMUD_ERR, "%s", _("Out of memory allocating clients"));
close(fd);
@@ -1825,7 +1835,7 @@ static int qemudRunLoop(struct qemud_ser
pthread_mutex_lock(&server->lock);
- server->nworkers = 10;
+ server->nworkers = min_workers;
if (VIR_ALLOC_N(server->workers, server->nworkers) < 0) {
qemudLog(QEMUD_ERR, "%s", _("Failed to allocate workers"));
return -1;
@@ -2221,6 +2231,11 @@ remoteReadConfigFile (struct qemud_serve
if (remoteReadSaslAllowedUsernameList (conf, server, filename) < 0)
goto free_and_fail;
+
+
+ GET_CONF_INT (conf, filename, min_workers);
+ GET_CONF_INT (conf, filename, max_workers);
+ GET_CONF_INT (conf, filename, max_clients);
virConfFree (conf);
return 0;
diff --git a/qemud/test_libvirtd.aug b/qemud/test_libvirtd.aug
--- a/qemud/test_libvirtd.aug
+++ b/qemud/test_libvirtd.aug
@@ -227,6 +227,25 @@ sasl_allowed_username_list = [
\"joe@xxxxxxxxxxx\",
\"fred@xxxxxxxxxxx\"
]
+
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+max_clients = 20
+
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, upto max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+min_workers = 5
+max_workers = 20
"
test Libvirtd.lns get conf =
@@ -461,3 +480,22 @@ sasl_allowed_username_list = [
{ "1" = "joe@xxxxxxxxxxx" }
{ "2" = "fred@xxxxxxxxxxx" }
}
+ { "#empty" }
+ { "#empty" }
+ { "#comment" = "################################################################"}
+ { "#comment" = ""}
+ { "#comment" = "Processing controls"}
+ { "#comment" = ""}
+ { "#empty" }
+ { "#comment" = "The maximum number of concurrent client connections to allow"}
+ { "#comment" = "over all sockets combined."}
+ { "max_clients" = "20" }
+ { "#empty" }
+ { "#empty" }
+ { "#comment" = "The minimum limit sets the number of workers to start up"}
+ { "#comment" = "initially. If the number of active clients exceeds this,"}
+ { "#comment" = "then more threads are spawned, upto max_workers limit."}
+ { "#comment" = "Typically you'd want max_workers to equal maximum number"}
+ { "#comment" = "of clients allowed"}
+ { "min_workers" = "5" }
+ { "max_workers" = "20" }
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list