7:45 a.m.
Hi,
since quite some time libldap enables tcp-keepalive, e.g. to detected dangling
syncrepl connections. However the default timeout of two hours that most
systems are using might be a bit too long for some applications (e.g. I had a
problem lately were nscd didn't answer queries anymore because nss_ldap was
blocking in SSL_read() while the underlying connection has been cut off). On
the other hand messing with the system wide settings might no be a good idea
either. On Linux it is possible to configure the keepalive settings on a per
socket basis through the TCP_KEEP* socket options.
Would it be worth adding ldap_set_option() support for those, even if they are
not really portable?
--
regards,
Ralf
2:50 a.m.
Hi,
since quite some time libldap enables tcp-keepalive, e.g. to detected
dangling
syncrepl connections. However the default timeout of two hours that most
systems are using might be a bit too long for some applications (e.g. I
had a
problem lately were nscd didn't answer queries anymore because nss_ldap
was
blocking in SSL_read() while the underlying connection has been cut off).
On
the other hand messing with the system wide settings might no be a good
idea
either. On Linux it is possible to configure the keepalive settings on a
per
socket basis through the TCP_KEEP* socket options.
Would it be worth adding ldap_set_option() support for those, even if they
are
not really portable?
I think it would; for archs that do not support it, it could do nothing
(and log accordingly, just in case).
p.
8:39 a.m.
Am Freitag 01 Mai 2009 11:50:15 schrieb masarati(a)aero.polimi.it:
> Hi,
>
> since quite some time libldap enables tcp-keepalive, e.g. to detected
> dangling
> syncrepl connections. However the default timeout of two hours that most
> systems are using might be a bit too long for some applications (e.g. I
> had a
> problem lately were nscd didn't answer queries anymore because nss_ldap
> was
> blocking in SSL_read() while the underlying connection has been cut off).
> On
> the other hand messing with the system wide settings might no be a good
> idea
> either. On Linux it is possible to configure the keepalive settings on a
> per
> socket basis through the TCP_KEEP* socket options.
>
> Would it be worth adding ldap_set_option() support for those, even if
> they are
> not really portable?
I think it would; for archs that do not support it, it could do nothing
(and log accordingly, just in case).
Ok, I'll introduce the following new options for keepalive support then:
LDAP_OPT_X_KEEPALIVE_IDLE 0x6300
LDAP_OPT_X_KEEPALIVE_PROBES 0x6301
LDAP_OPT_X_KEEPALIVE_INTERVAL 0x6302
We might also think about adding support to set those values for syncrepl and
back-ldap/back-meta.
--
regards,
Ralf
1:48 p.m.
Ralf Haferkamp wrote:
Am Freitag 01 Mai 2009 11:50:15 schrieb masarati(a)aero.polimi.it:
>> Hi,
>>
>> since quite some time libldap enables tcp-keepalive, e.g. to detected
>> dangling
>> syncrepl connections. However the default timeout of two hours that most
>> systems are using might be a bit too long for some applications (e.g. I
>> had a
>> problem lately were nscd didn't answer queries anymore because nss_ldap
>> was
>> blocking in SSL_read() while the underlying connection has been cut off).
>> On
>> the other hand messing with the system wide settings might no be a good
>> idea
>> either. On Linux it is possible to configure the keepalive settings on a
>> per
>> socket basis through the TCP_KEEP* socket options.
>>
>> Would it be worth adding ldap_set_option() support for those, even if
>> they are
>> not really portable?
>
> I think it would; for archs that do not support it, it could do nothing
> (and log accordingly, just in case).
Ok, I'll introduce the following new options for keepalive support then:
LDAP_OPT_X_KEEPALIVE_IDLE 0x6300
LDAP_OPT_X_KEEPALIVE_PROBES 0x6301
LDAP_OPT_X_KEEPALIVE_INTERVAL 0x6302
We might also think about adding support to set those values for syncrepl and
back-ldap/back-meta.
I'd prefer a portable solution vs something so extremely platform-dependent.
As already discussed many times before, we just need a client to send a
periodic LDAP no-op message to get the same effect. (Abandon 0 will work
fine.) While it's not as general purpose as setting a keepalive in the socket
layer, I think we only need to worry about the syncrepl client. back-ldap/meta
already have their own retry mechanisms, they can take care of themselves.
So - I'd rather see an option for a periodic LDAP ping added to the syncrepl
client - that will work uniformly across all platforms.
And in general - I am opposed to any code that causes our feature set /
behavior to differ from platform to platform.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
2:05 a.m.
Am Dienstag 05 Mai 2009 22:48:10 schrieb Howard Chu:
Ralf Haferkamp wrote:
> Am Freitag 01 Mai 2009 11:50:15 schrieb masarati(a)aero.polimi.it:
>>> Hi,
>>>
>>> since quite some time libldap enables tcp-keepalive, e.g. to detected
>>> dangling
>>> syncrepl connections. However the default timeout of two hours that
>>> most systems are using might be a bit too long for some applications
>>> (e.g. I had a
>>> problem lately were nscd didn't answer queries anymore because nss_ldap
>>> was
>>> blocking in SSL_read() while the underlying connection has been cut
>>> off). On
>>> the other hand messing with the system wide settings might no be a good
>>> idea
>>> either. On Linux it is possible to configure the keepalive settings on
>>> a per
>>> socket basis through the TCP_KEEP* socket options.
>>>
>>> Would it be worth adding ldap_set_option() support for those, even if
>>> they are
>>> not really portable?
>>
>> I think it would; for archs that do not support it, it could do nothing
>> (and log accordingly, just in case).
>
> Ok, I'll introduce the following new options for keepalive support then:
> LDAP_OPT_X_KEEPALIVE_IDLE 0x6300
> LDAP_OPT_X_KEEPALIVE_PROBES 0x6301
> LDAP_OPT_X_KEEPALIVE_INTERVAL 0x6302
>
> We might also think about adding support to set those values for syncrepl
> and back-ldap/back-meta.
I'd prefer a portable solution vs something so extremely
platform-dependent. As already discussed many times before, we just need a
client to send a periodic LDAP no-op message to get the same effect.
(Abandon 0 will work fine.)
Something like proposed in ITS#5133? It seems that it
was rejected with a
reference to the enablement of SO_KEEPALIVE, though. Should we revisit that?
My problem was not so much with syncrepl though, I had nss_ldap making me
trouble.
While it's not as general purpose as setting a
keepalive in the socket layer, I think we only need to worry about the
syncrepl client. back-ldap/meta already have their own retry mechanisms,
they can take care of themselves.
There seems to be a problem with many retry
mechanisms when it comes to the
scenario I described in my orignial post. On a TLS protected connection
SSL_read (called from ldap_result) might trigger multiple read() calls. As
there are no select/poll calls inbetween them, one of those read()s might
block forever (until TCP keepalive kicks in) in case the server is not
answering anymore and didn't close the connection correctly (power failure,
...)
I havn't had a good idea yet how to easily fix this case, apart from
leveraging TCP keepalives.
(According to the docs, SSL_read() would return SSL_ERROR_WANT_READ when the
underlying BIO is non-blocking. But we're using blocking IO. I am unsure how
much effort it would be to port that to non-blocking. I'd think it's a non-
trivial task ;)).
So - I'd rather see an option for a periodic LDAP ping added to
the
syncrepl client - that will work uniformly across all platforms.
And in general - I am opposed to any code that causes our feature set /
behavior to differ from platform to platform.
Understandable, that's why I was
asking before commiting anything. But AFAIK
we have plattform specific issues in other places as well. (Or think about the
various different LDAP_OPT_X_TLS-settings depending on which underlying SSL
implementation is used.)
--
Ralf
2:27 a.m.
Ralf Haferkamp wrote:
Am Dienstag 05 Mai 2009 22:48:10 schrieb Howard Chu:
Something like proposed in ITS#5133? It seems that it was rejected with a
reference to the enablement of SO_KEEPALIVE, though. Should we revisit that?
Seems like it, yes.
My problem was not so much with syncrepl though, I had nss_ldap
making me
trouble.
> While it's not as general purpose as setting a
> keepalive in the socket layer, I think we only need to worry about the
> syncrepl client. back-ldap/meta already have their own retry mechanisms,
> they can take care of themselves.
There seems to be a problem with many retry mechanisms when it comes
to the
scenario I described in my orignial post. On a TLS protected connection
SSL_read (called from ldap_result) might trigger multiple read() calls. As
there are no select/poll calls inbetween them, one of those read()s might
block forever (until TCP keepalive kicks in) in case the server is not
answering anymore and didn't close the connection correctly (power failure,
...)
I havn't had a good idea yet how to easily fix this case, apart from
leveraging TCP keepalives.
(According to the docs, SSL_read() would return SSL_ERROR_WANT_READ when the
underlying BIO is non-blocking. But we're using blocking IO. I am unsure how
much effort it would be to port that to non-blocking. I'd think it's a non-
trivial task ;)).
I don't think there's any particular dependencies left in our code in this
regard; ber_get_next() can be called as many times as necessary to retrieve a
complete message. All of our input is triggered by select/poll/etc. What's
less clear is how well OpenSSL actually behaves with non-blocking sockets;
there are a lot of bug reports on that as I recall. You interested in testing
that?
I guess, in the absence of a better solution, go ahead with what you've
already worked up. We'll just have to document somewhere (Admin Guide I
suppose) that a system's TCP keepalive setting may need to be adjusted if not
on Linux...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
4:20 a.m.
Am Mittwoch 06 Mai 2009 11:27:29 schrieb Howard Chu:
Ralf Haferkamp wrote:
> Am Dienstag 05 Mai 2009 22:48:10 schrieb Howard Chu:
> Something like proposed in ITS#5133? It seems that it was rejected with a
> reference to the enablement of SO_KEEPALIVE, though. Should we revisit
> that?
Seems like it, yes.
Btw, you mentioned that sending Abandon 0 will be sufficient as
a no-op. How's
that going to work?
[..]
> I havn't had a good idea yet how to easily fix this case,
apart from
> leveraging TCP keepalives.
>
> (According to the docs, SSL_read() would return SSL_ERROR_WANT_READ when
> the underlying BIO is non-blocking. But we're using blocking IO. I am
> unsure how much effort it would be to port that to non-blocking. I'd
> think it's a non- trivial task ;)).
I don't think there's any particular dependencies left in our code in this
regard; ber_get_next() can be called as many times as necessary to retrieve
a complete message. All of our input is triggered by select/poll/etc.
What's less clear is how well OpenSSL actually behaves with non-blocking
sockets; there are a lot of bug reports on that as I recall. You interested
in testing that?
Apart from the usual time-constraints, I am not too keen on that.
;)
I guess, in the absence of a better solution, go ahead with what
you've
already worked up. We'll just have to document somewhere (Admin Guide I
suppose) that a system's TCP keepalive setting may need to be adjusted if
not on Linux...
I just submitted the libldap part, will see how/if I can work out
the syncrepl
part later. I need to finish some other stuff first.
--
regards,
Ralf
8:35 a.m.
Ralf Haferkamp writes:
Btw, you mentioned that sending Abandon 0 will be sufficient as a
no-op. How's
that going to work?
It's a no-op, thus it can be sent when you just want to send some message:
* The Abandon request has no reponse.
* rfc4511 §4.11: "Servers MUST discard Abandon requests for messageIDs
they do not recognize, for operations that cannot be abandoned, (...)
* No request may have Message ID 0 (§4.1.1.1); 0 is reserved for
Unsolicited Notifications. Yet Message IDs are just defined as
0..2^^31-1, so abandon(0) is not a protocolError.
Thus abandon(0) is a no-op.
I can imagine some implementation treating it as protocolError anyway
though. It's not as if everyone agrees what the letter of the standard
means, and follow it to the letter.
--
Hallvard
2:06 a.m.
i always thought that having a separate, specific NOOP operation would
be helpful in such cases [not to be mixed up with NOOP control] because
similar kinda problems tend to surface in various scenarios and while
there are workarounds, they are well, workarounds. some deployments out
there might want to have such operation disabled since it can be abused
by clients, in which case it can have a response defined and servers
can send unwilling to perform or something similar if that is the case.
Hallvard B Furuseth wrote:
Ralf Haferkamp writes:
> Btw, you mentioned that sending Abandon 0 will be sufficient as a no-op. How's
> that going to work?
It's a no-op, thus it can be sent when you just want to send some message:
* The Abandon request has no reponse.
* rfc4511 §4.11: "Servers MUST discard Abandon requests for messageIDs
they do not recognize, for operations that cannot be abandoned, (...)
* No request may have Message ID 0 (§4.1.1.1); 0 is reserved for
Unsolicited Notifications. Yet Message IDs are just defined as
0..2^^31-1, so abandon(0) is not a protocolError.
Thus abandon(0) is a no-op.
I can imagine some implementation treating it as protocolError anyway
though. It's not as if everyone agrees what the letter of the standard
means, and follow it to the letter.
2:58 a.m.
Anton Bobrov wrote:
i always thought that having a separate, specific NOOP operation would
be helpful in such cases [not to be mixed up with NOOP control] because
similar kinda problems tend to surface in various scenarios and while
there are workarounds, they are well, workarounds. some deployments out
there might want to have such operation disabled since it can be abused
by clients, in which case it can have a response defined and servers
can send unwilling to perform or something similar if that is the case.
Yes, given the spotty nature of network connectivity it probably should have
been part of the original spec. (Then again, prople probably weren't thinking
about long-lived sessions or persistent search back then...) But at this point
it's too late; adding a new NoOp request probably isn't going to get
sufficient adoption/deployment to actually be useful to any clients.
For the purpose of detecting a failed TCP connection, Abandon ought to be
sufficient. No LDAP-level reply is needed since TCP will ACK the message. As
an alternative you could send a Search request (as noted in ITS#5133) against
the rootDSE, if you wanted to also measure the latency. The advantage of using
Abandon is that it could easily be hidden from any applications by doing it
invisibly in the library. For any other request with a reply, you'd also have
to intercept / discard the result. (Though you could always send the request
immediately followed by its own Abandon, I suppose.)
Hallvard B Furuseth wrote:
> Ralf Haferkamp writes:
>> Btw, you mentioned that sending Abandon 0 will be sufficient as a no-op.
How's
>> that going to work?
>
> It's a no-op, thus it can be sent when you just want to send some message:
>
> * The Abandon request has no reponse.
> * rfc4511 §4.11: "Servers MUST discard Abandon requests for messageIDs
> they do not recognize, for operations that cannot be abandoned, (...)
> * No request may have Message ID 0 (§4.1.1.1); 0 is reserved for
> Unsolicited Notifications. Yet Message IDs are just defined as
> 0..2^^31-1, so abandon(0) is not a protocolError.
> Thus abandon(0) is a no-op.
>
> I can imagine some implementation treating it as protocolError anyway
> though. It's not as if everyone agrees what the letter of the standard
> means, and follow it to the letter.
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
5071
days inactive
5078
days old
9 comments
5 participants
participants (5)
-
Anton Bobrov -
Hallvard B Furuseth -
Howard Chu -
masarati@aero.polimi.it -
Ralf Haferkamp