[zorp] Connection limit in SSL?

[Balazs Scheidler]

On Mon, 2008-07-28 at 14:48 +0200, thomas.wenz at gmx-topmail.de wrote:
> Hi,
> 
> Well it should not be a problem of RAM...the system has 4GB and only 150MB are in use.
> 
> However, I noticed something strange:
> If I start zorp with
> /usr/lib/zorp/zorp --as https --verbose 8 --policy /home/zorp/conf/HTTPS.py --autobind-ip 172.30.1.1 --threads 30 --idle-threads 30 --threadpools
> there's no problem with file descriptors. Whereas if I use zorpctl with the same command in the instances file
> https --verbose 8 --policy /home/zorp/conf/HTTPS.py --autobind-ip 172.30.1.1 --threads 30 --idle-threads 30 --threadpools
> there is the problem. 
> 
> So i did an strace on zorpctl and saw that the proxy instance is called via:
> execve("/usr/lib/zorp/zorp", ["/usr/lib/zorp/zorp", "--as", "https", "--verbose", "8", "--policy", "/home/zorp/conf/HTTPS.py", "--autobind-ip", "172.30.1.1", "--threads", "30", "--idle-threads", "30", "--threadpools", "--fd-limit-min", "34", ...], [/* 15 vars */]) = 0
> So it's quite clear why it runs out of ressources so fast ;) 34 is definately not enough. According to the strace, no system calls are done in /proc or else (see below).
> 
> I then looked into the zorpctl/main.c source. I found the following line:
> inst->fd_limit = fd_limit = MAX(fd_limit_threshold * threads + 64, fd_limit_min);
> and fd_limit_threshold as well as fd_limit_min seems to be ALWAYS set to "-1" (and declared as obsolete). threads is the variable I set in the instances.conf-file. So the calculation is
> MAX(-1 * 30 + 64, -1)
> which exactly results in 34. If I set the threads in the instances-file to only 10, I consequently get 54 available descriptors (proved by looking into strace). So this calculation seems to be definately wrong...

wow, thanks for the detailed diagnosis. This is definitely wrong. I just
don't see how this does not get triggered under Zorp Pro. zorpctl is the
same for both.

-- 
Bazsi