#5383 Reduce ioblocktimeout and idletimeout defaults
Closed: fixed None Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1271321

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

This RFE is regarding the following tunables:

    nsslapd-ioblocktimeout
    Default: 1800000 milliseconds

    nsslapd-idletimeout
    Default: 0 seconds - server never closes idle connections

In the IPA context, we have found numerous cases in which the
directory server goes into an unresponsive state due to hung connections or
connections not being closed properly. A number of these cases have been fixed
by setting low values to the above timeout tunables.

There have been bugs addressed to fix these types of issues however due to the
volume of occurrences we believe that the above tunables should be set to a low value
by default. For example:

    https://www.redhat.com/archives/freeipa-users/2015-April/msg00073.html

If you need specific case examples then let me know and I can provide them here
in this RFE.

Although this could potentially mask an underlying issue, the access logs still
can be reviewed to find the connection closed status that indicates the timeout
was triggered by ns-slapd to help track down 'bad' clients with stalled
connections.

DS team had a poll about the defaults.

The result is(reported by Ludwig):

  • idletimeout: no strong opinion, need to verify if longer existing connections like doing simple paged results searches or sync repl could be affected, so I would say there is no real need to change the default.
  • ioblocktimeout: everyone sees the need to reduce the default, suggestions range from 10-30seconds, the majority is for 10. I think we still can fight about the correct value during review

only ioblocktimeout changed, idletimeout has no real effect for us
https://www.redhat.com/archives/freeipa-devel/2016-June/msg00019.html

master:

  • e9f0e9d Decreased timeout for IO blocking for DS

Metadata Update from @pvoborni:
- Issue assigned to stlaz
- Issue set to the milestone: FreeIPA 4.4

7 years ago

Uhh hi. We recently reduced this further to a safe level here:

https://pagure.io/389-ds-base/issue/49194

Can the FreeIPA team undo this? It would be better for FreeIPA if you did not try to alter this value, as the setting you provide here is not as effective as what the DS team provides.

Thanks,

@firstyear In what version of 389-ds so the minimum requirement can be set as well?

Metadata Update from @rcritten:
- Issue close_status updated to: None (was: Fixed)

6 years ago

This is available in 1.3.6 of Directory Server.

Just in principle, when you make tuning changes like these, It's a good idea to engage us in the DS team, because we may have already solved it, and generally, we are in a better place to solve this than IPA IMO. :)

Pagure for some reason changed Fixed -> None. Fixing for posterity.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed

6 years ago

It's not worth arguing about but just to note, IPA did engage the DS team per comment #2.

Login to comment on this ticket.

Metadata