[zorp] Connection limit in SSL?

thomas.wenz at gmx-topmail.de thomas.wenz at gmx-topmail.de
Mon Jul 28 14:48:58 CEST 2008


Hi,

Well, it should not be a RAM problem: the system has 4 GB and only about 150 MB are in use.

However, I noticed something strange:
If I start zorp with
/usr/lib/zorp/zorp --as https --verbose 8 --policy /home/zorp/conf/HTTPS.py --autobind-ip 172.30.1.1 --threads 30 --idle-threads 30 --threadpools
there is no problem with file descriptors. But if I put the same command line into the instances file and start it via zorpctl,
https --verbose 8 --policy /home/zorp/conf/HTTPS.py --autobind-ip 172.30.1.1 --threads 30 --idle-threads 30 --threadpools
the descriptor problem appears.

So I ran strace on zorpctl and saw that the proxy instance is started via:
execve("/usr/lib/zorp/zorp", ["/usr/lib/zorp/zorp", "--as", "https", "--verbose", "8", "--policy", "/home/zorp/conf/HTTPS.py", "--autobind-ip", "172.30.1.1", "--threads", "30", "--idle-threads", "30", "--threadpools", "--fd-limit-min", "34", ...], [/* 15 vars */]) = 0
Note the extra "--fd-limit-min 34" that zorpctl appends and that the manual start does not have. So it is quite clear why it runs out of resources so fast ;) 34 descriptors is definitely not enough for an SSL proxy with 30 worker threads: once the listener, log and policy files are open there are only a handful left for client and server sockets, so the proxy presumably hits EMFILE and refuses or drops connections after a few concurrent clients — effectively a self-inflicted denial of service. According to the strace, zorpctl itself does not look at /proc or anything else to derive the number (the full trace is below; it ends at the execve, so whatever zorp does with --fd-limit-min afterwards is not visible there).

I then looked into the zorpctl/main.c source and found the following line:
inst->fd_limit = fd_limit = MAX(fd_limit_threshold * threads + 64, fd_limit_min);
Both fd_limit_threshold and fd_limit_min appear to be ALWAYS set to -1 (they are declared obsolete), while threads is the value I set in instances.conf. So the calculation is
MAX(-1 * 30 + 64, -1)
which gives exactly 34. If I set threads to only 10 in the instances file, I consequently get 54 descriptors (confirmed by looking at the strace). In other words, with the obsolete -1 defaults the formula makes the limit *shrink* as the thread count grows, which is the opposite of what a per-thread threshold should do, and with enough threads the first term goes negative and the result falls back to -1. This calculation is definitely wrong: the obsolete values should presumably be treated as "unset" (anything negative ignored) instead of being fed into the arithmetic, and the limit derived from the thread count with a positive multiplier. Until that is fixed, I would at least check whether zorpctl.conf (which the strace shows being read) lets one override the value, and verify the resulting RLIMIT_NOFILE of the running zorp process rather than trusting the configured thread count.

Thomas Wenz



4238  execve("/usr/sbin/zorpctl", ["zorpctl", "start", "https"], [/* 15 vars */]) = 0
4238  uname({sys="Linux", node="bridge", ...}) = 0
4238  brk(0)                            = 0x8054000
4238  access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
4238  mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fb0000
4238  access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
4238  open("/etc/ld.so.cache", O_RDONLY) = 3
4238  fstat64(3, {st_mode=S_IFREG|0644, st_size=17114, ...}) = 0
4238  mmap2(NULL, 17114, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fab000
4238  close(3)                          = 0
4238  access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
4238  open("/lib/tls/i686/cmov/libnsl.so.1", O_RDONLY) = 3
4238  read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p5\0\000"..., 512) = 512
4238  fstat64(3, {st_mode=S_IFREG|0644, st_size=76548, ...}) = 0
4238  mmap2(NULL, 87808, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f95000
4238  mmap2(0xb7fa7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11) = 0xb7fa7000
4238  mmap2(0xb7fa9000, 5888, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fa9000
4238  close(3)                          = 0
4238  access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
4238  open("/usr/lib/libglib-2.0.so.0", O_RDONLY) = 3
4238  read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\322\0"..., 512) = 512
4238  fstat64(3, {st_mode=S_IFREG|0644, st_size=596608, ...}) = 0
4238  mmap2(NULL, 596204, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f03000
4238  mmap2(0xb7f94000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x91) = 0xb7f94000
4238  close(3)                          = 0
4238  access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
4238  open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
4238  read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240O\1"..., 512) = 512
4238  fstat64(3, {st_mode=S_IFREG|0644, st_size=1241392, ...}) = 0
4238  mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f02000
4238  mmap2(NULL, 1247388, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7dd1000
4238  mmap2(0xb7ef8000, 28672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x127) = 0xb7ef8000
4238  mmap2(0xb7eff000, 10396, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7eff000
4238  close(3)                          = 0
4238  access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
4238  open("/lib/tls/i686/cmov/librt.so.1", O_RDONLY) = 3
4238  read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\36\0"..., 512) = 512
4238  fstat64(3, {st_mode=S_IFREG|0644, st_size=30612, ...}) = 0
4238  mmap2(NULL, 33384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7dc8000
4238  mmap2(0xb7dcf000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6) = 0xb7dcf000
4238  close(3)                          = 0
4238  access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
4238  open("/lib/tls/i686/cmov/libpthread.so.0", O_RDONLY) = 3
4238  read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240H\0"..., 512) = 512
4238  fstat64(3, {st_mode=S_IFREG|0755, st_size=89370, ...}) = 0
4238  mmap2(NULL, 70104, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7db6000
4238  mmap2(0xb7dc4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xe) = 0xb7dc4000
4238  mmap2(0xb7dc6000, 4568, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7dc6000
4238  close(3)                          = 0
4238  mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7db5000
4238  mprotect(0xb7ef8000, 20480, PROT_READ) = 0
4238  set_thread_area({entry_number:-1 -> 6, base_addr:0xb7db58e0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
4238  munmap(0xb7fab000, 17114)         = 0
4238  set_tid_address(0xb7db5928)       = 4238
4238  rt_sigaction(SIGRTMIN, {0xb7dba4c0, [], SA_SIGINFO}, NULL, 8) = 0
4238  rt_sigaction(SIGRT_1, {0xb7dba420, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
4238  rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
4238  getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
4238  uname({sys="Linux", node="bridge", ...}) = 0
4238  rt_sigaction(SIGALRM, NULL, {SIG_DFL}, 8) = 0
4238  rt_sigaction(SIGALRM, {SIG_DFL}, NULL, 8) = 0
4238  rt_sigaction(SIGALRM, {0x8049f40, [ALRM], 0}, {SIG_DFL}, 8) = 0
4238  brk(0)                            = 0x8054000
4238  brk(0x8075000)                    = 0x8075000
4238  open("/etc/zorp/zorpctl.conf", O_RDONLY) = 3
4238  fstat64(3, {st_mode=S_IFREG|0644, st_size=1666, ...}) = 0
4238  mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7faf000
4238  read(3, "#\n# This file is sourced by zorp"..., 4096) = 1666
4238  read(3, "", 4096)                 = 0
4238  open("/etc/zorp/instances.conf", O_RDONLY) = 4
4238  fstat64(4, {st_mode=S_IFREG|0644, st_size=254, ...}) = 0
4238  mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fae000
4238  read(4, "http --verbose 1 --policy /home/"..., 4096) = 254
4238  gettimeofday({1217208680, 1756}, NULL) = 0
4238  read(4, "", 4096)                 = 0
4238  socket(PF_FILE, SOCK_STREAM, 0)   = 5
4238  fcntl64(5, F_GETFL)               = 0x2 (flags O_RDWR)
4238  fcntl64(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0
4238  connect(5, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = 0
4238  poll([{fd=5, events=POLLOUT|POLLERR|POLLHUP, revents=POLLOUT}], 1, 5000) = 1
4238  writev(5, [{"\2\0\0\0\v\0\0\0\7\0\0\0", 12}, {"passwd\0", 7}], 2) = 19
4238  poll([{fd=5, events=POLLIN|POLLERR|POLLHUP, revents=POLLIN|POLLHUP}], 1, 5000) = 1
4238  recvmsg(5, {msg_name(0)=NULL, msg_iov(1)=[{"passwd\0", 7}], msg_controllen=16, {cmsg_len=16, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, {6}}, msg_flags=0}, MSG_NOSIGNAL) = 7
4238  fstat64(6, {st_mode=S_IFREG|0600, st_size=217016, ...}) = 0
4238  pread64(6, "\1\0\0\0h\0\0\0\"\2\0\0\1\0\0\0[\37\215H\0\0\0\0\323\0"..., 104, 0) = 104
4238  mmap2(NULL, 217016, PROT_READ, MAP_SHARED, 6, 0) = 0xb7d80000
4238  close(6)                          = 0
4238  close(5)                          = 0
4238  socket(PF_FILE, SOCK_STREAM, 0)   = 5
4238  fcntl64(5, F_GETFL)               = 0x2 (flags O_RDWR)
4238  fcntl64(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0
4238  connect(5, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = 0
4238  poll([{fd=5, events=POLLOUT|POLLERR|POLLHUP, revents=POLLOUT}], 1, 5000) = 1
4238  writev(5, [{"\2\0\0\0\f\0\0\0\6\0\0\0", 12}, {"group\0", 6}], 2) = 18
4238  poll([{fd=5, events=POLLIN|POLLERR|POLLHUP, revents=POLLIN|POLLHUP}], 1, 5000) = 1
4238  recvmsg(5, {msg_name(0)=NULL, msg_iov(1)=[{"group\0", 6}], msg_controllen=16, {cmsg_len=16, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, {6}}, msg_flags=0}, MSG_NOSIGNAL) = 6
4238  fstat64(6, {st_mode=S_IFREG|0600, st_size=217016, ...}) = 0
4238  pread64(6, "\1\0\0\0h\0\0\0002\1\0\0\1\0\0\0[\37\215H\0\0\0\0\323\0"..., 104, 0) = 104
4238  mmap2(NULL, 217016, PROT_READ, MAP_SHARED, 6, 0) = 0xb7d4b000
4238  close(6)                          = 0
4238  close(5)                          = 0
4238  stat64("/var/run/zorp", {st_mode=S_IFDIR|0770, st_size=4096, ...}) = 0
4238  stat64("/etc/zorp", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
4238  write(1, "Starting Zorp Firewall Suite: ", 30) = 30
4238  open("/var/run/zorp/zorp-https.pid", O_RDONLY) = -1 ENOENT (No such file or directory)
4238  clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7db5928) = 4239
4238  alarm(10)                         = 0
4238  waitpid(4239,  <unfinished ...>
4239  setrlimit(RLIMIT_NPROC, {rlim_cur=256, rlim_max=256}) = 0
4239  setsid()                          = 4239
4239  execve("/usr/lib/zorp/zorp", ["/usr/lib/zorp/zorp", "--as", "https", "--verbose", "8", "--policy", "/home/zorp/conf/HTTPS.py", "--autobind-ip", "172.30.1.1", "--threads", "30", "--idle-threads", "30", "--threadpools", "--fd-limit-min", "34", ...], [/* 15 vars */]) = 0

