From 4afecf883d588625a680fe6cb01ba34716be7e21 Mon Sep 17 00:00:00 2001
From: Alban Crequy
Date: Wed, 16 Jul 2014 14:34:35 +0100
Subject: [PATCH 1/3] config: add new limit: max_connections_per_cgroup dbus-daemon already has the following limits: - max_completed_connections: (default|system bus)=2048 (session bus)=100000 - max_connections_per_user: (default|system bus)=256 (session bus)=100000 So an user on the system bus cannot use all connections and prevent other users from connecting to the bus. But this per-user granularity does not allow to distinguish different services running as the same user. For example, both Avahi and ConsoleKit are system services, running as the same user root, and they connect to the system bus. If one of them starts to use all the available connections due to a bug, the other will not be able to connect. To fix this issue, this patch introduces a new configurable limit: - max_connections_per_cgroup: (default|system bus)=256 (session bus)=100000 The default values are large enough to avoid impacting current systems but an administrator could restrict it more.
---
 bus/bus.c | 6 ++++++
 bus/bus.h | 2 ++
 bus/config-parser.c | 8 ++++++++
 bus/session.conf.in | 1 +
 doc/dbus-daemon.1.xml.in | 3 +++
 5 files changed, 20 insertions(+)
diff --git a/bus/bus.c b/bus/bus.c
index a514e31..a3df56e 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -1249,6 +1249,12 @@ bus_context_get_max_incomplete_connections (BusContext *context)
 }
 int
+bus_context_get_max_connections_per_cgroup (BusContext *context)
+{
+ return context->limits.max_connections_per_cgroup;
+}
+
+int
 bus_context_get_max_connections_per_user (BusContext *context)
 {
 return context->limits.max_connections_per_user;
diff --git a/bus/bus.h b/bus/bus.h
index 3597884..2e3fd84 100644
--- a/bus/bus.h
+++ b/bus/bus.h
@@ -56,6 +56,7 @@ typedef struct
 int auth_timeout; /**< How long to wait for an authentication to time out */
 int max_completed_connections; /**< Max number of authorized connections */
 int max_incomplete_connections; /**< Max number of incomplete connections */
+ int max_connections_per_cgroup; /**< Max number of connections with the same cgroup */
 int max_connections_per_user; /**< Max number of connections auth'd as same user */
 int max_pending_activations; /**< Max number of pending activations for the entire bus */
 int max_services_per_connection; /**< Max number of owned services for a single connection */
@@ -108,6 +109,7 @@ int bus_context_get_activation_timeout (BusContext
 int bus_context_get_auth_timeout (BusContext *context);
 int bus_context_get_max_completed_connections (BusContext *context);
 int bus_context_get_max_incomplete_connections (BusContext *context);
+int bus_context_get_max_connections_per_cgroup (BusContext *context);
 int bus_context_get_max_connections_per_user (BusContext *context);
 int bus_context_get_max_pending_activations (BusContext *context);
 int bus_context_get_max_services_per_connection (BusContext *context);
diff --git a/bus/config-parser.c b/bus/config-parser.c
index a6a8e1c..5d79197 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@@ -441,6 +441,7 @@ bus_config_parser_new (const DBusString *basedir,
 parser->limits.auth_timeout = 30000; /* 30 seconds */
 parser->limits.max_incomplete_connections = 64;
+ parser->limits.max_connections_per_cgroup = 256;
 parser->limits.max_connections_per_user = 256;
 /* Note that max_completed_connections / max_connections_per_user
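Review bot: The field comment added to the limits struct in bus/bus.h, `/**< Max number of connections with the same cgroup */`, is looser than the man page text this same patch adds, which says the limit counts completed connections and keys on the cgroup path in the hierarchy with the lowest hierarchy id. A process can sit in a different cgroup in each hierarchy, so "the same cgroup" does not tell a maintainer which path identifies a service. I would write `/**< Max number of completed connections sharing the cgroup path of the lowest-numbered hierarchy */`. The struct definition starts and ends outside the hunk.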
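Review bot: The default `parser->limits.max_connections_per_cgroup = 256;` in bus_config_parser_new equals the per-user default, which may make the system bus stricter than it was rather than leaving current systems unaffected. Where services are not placed in separate cgroups, every peer presumably resolves to the same cgroup path, so the bus-wide ceiling would drop from the 2048 of max_completed_connections to 256, and one user's connections would count against the quota every other user shares. The enforcement code is not in this patch, so this needs checking against the rest of the series. If it holds, start from a default no lower than max_completed_connections, e.g. `parser->limits.max_connections_per_cgroup = 2048;`, or skip the check when peers cannot be told apart by cgroup. bus_config_parser_new continues outside the hunk.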
@@ -1920,6 +1921,12 @@ set_limit (BusConfigParser *parser,
 must_be_int = TRUE;
 parser->limits.max_incomplete_connections = value;
 }
+ else if (strcmp (name, "max_connections_per_cgroup") == 0)
+ {
+ must_be_positive = TRUE;
+ must_be_int = TRUE;
+ parser->limits.max_connections_per_cgroup = value;
+ }
 else if (strcmp (name, "max_connections_per_user") == 0)
 {
 must_be_positive = TRUE;
@@ -3110,6 +3117,7 @@ limits_equal (const BusLimits *a,
 || a->auth_timeout == b->auth_timeout
 || a->max_completed_connections == b->max_completed_connections
 || a->max_incomplete_connections == b->max_incomplete_connections
+ || a->max_connections_per_cgroup == b->max_connections_per_cgroup
 || a->max_connections_per_user == b->max_connections_per_user
 || a->max_pending_activations == b->max_pending_activations
 || a->max_services_per_connection == b->max_services_per_connection
diff --git a/bus/session.conf.in b/bus/session.conf.in
index 74d9d1f..67693b2 100644
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
@@ -54,6 +54,7 @@ 240000 100000 10000 + 100000 100000 10000 50000
diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in
index 7b7f4a1..d1a9b74 100644
--- a/doc/dbus-daemon.1.xml.in
+++ b/doc/dbus-daemon.1.xml.in
@@ -531,6 +531,9 @@ Available limit names are: "max_completed_connections" : max number of authenticated connections "max_incomplete_connections" : max number of unauthenticated connections + "max_connections_per_cgroup" : max number of completed connections from + the same cgroup path in the hierarchy + with the lowest hierarchy id "max_connections_per_user" : max number of completed connections from the same user "max_pending_service_starts" : max number of service launches in
--
1.8.5.3
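Review bot: The line added to limits_equal, `|| a->max_connections_per_cgroup == b->max_connections_per_cgroup`, joins a chain built with `||`, so as far as the hunk shows the function reports equality as soon as any single field matches and the new limit is never really compared. A parser regression that drops or mangles max_connections_per_cgroup would therefore pass any check built on this function. The new line should read `&& a->max_connections_per_cgroup == b->max_connections_per_cgroup`, with the neighbouring lines converted the same way in a separate commit. The start of the expression is outside the hunk, so confirm it is not negated there before changing the operators.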