tech-userlevel archive


Re: proposal: inetd improvements.



On Wed, Jun 02, 2010 at 11:16:40AM +0100, elric%imrryr.org@localhost wrote:
 > I am thinking of using inetd to run a few services in a production
 > environment and in order to make it robust and featureful enough to
 > do so, I would like to make the following list of changes to it:
Speaking for a moment as the person who used to wrangle the Linux port
of inetd (ages back, before the whole Linux world switched to xinetd):
 > 1. maximum connexions per unit time is not a terribly
 > useful feature and in fact makes the use of inetd in
 > an enterprise unusable as it is a built-in denial of
 > service. I propose that we keep track of the number
 > of outstanding children and place a maximum on that
 > rather than connexions per second. Perhaps we can
 > leave connexions per unit time in the code but strongly
 > discourage its use,
I'm not going to ask what you mean by "in an enterprise". However, try
the following exercise:
 - edit inetd.conf
 - enable talkd
 - attempt to enable logging with talkd's -l option, but fat-finger
 it and enter -lk
 - restart inetd
 - send yourself a talk request
 - examine your syslog
Perhaps in your enterprise (like the apparent audience of other
"enterprise" software I shan't name) having this go on forever is
desirable behavior, but that's not the case in my environment.
Anyway, real rate limiting would be a good thing but let's not break
what's already there.
 > 2. inetd should be able to optionally signal kids of wait
 > services when it is HUPed or stopped,
that's a good idea.
 > 3. for wait services for which inetd fails to bind, it should
 > retry later as it is possible that a daemon that it HUPed
 > earlier is taking a while to exit,
It already does; maybe just not fast enough for you. (The timeout is a
fixed ten-minute interval, which probably isn't the right approach.)
 > 4. % should be defined as an address type and it should expand
 > into a list of IP addresses which is periodically regenerated
 > by iterating over the interfaces,
 >
 > 5. it should be possible to configure multiple kids on a wait
 > service to give the ability to trivially run pre-forked services,
These are also good ideas.
 > 6. put in some interpolation in args so that we can tell the daemon
 > a few things.
This is not. inetd.conf isn't a shell, it shouldn't be a shell, and if
you want a shell script that's why we have /usr/local/libexec.
 > 7. add a few extra socket options here and there,
possibly.
 > 8. maybe a chroot option, maybe unnecessary given that you can
 > already do this via chroot(1), and
this seems unnecessary.
 > 9. convert it to libevent for portability and provide autoconf
 > so that it can be built on other OSes (not used on NetBSD of
 > course).
and so does this, to be honest.
You've also forgotten
 10. Improve the config syntax.
which is a can of worms.
-- 
David A. Holland
dholland%netbsd.org@localhost
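The argument in the reply above (point 1 and the talkd exercise) turns on a difference between two admission policies: a cap on outstanding children never fires for a child that exits immediately, because the outstanding count stays at zero, whereas a connections-per-minute cap does fire and stops the respawn loop. The toy supervisor below is an added illustration, not inetd's source or code from the proposal; the policy names, the `Service` fields and the constructed arrival stream (a remote talk request retried every half second for two minutes) are assumptions made here. Real inetd re-enables a service after a fixed interval rather than leaving it disabled, which this model does not bother to reproduce.

```python
"""Toy supervisor for a 'wait'-style service: one child per incoming request.

Added illustration, not inetd's code.  Compares two admission policies:
  * max_children   -- cap on outstanding (still running) children, as proposed
  * max_per_minute -- cap on connection starts per 60 s, as inetd implements
A child that dies at once (fat-fingered flags, as in the talkd exercise) keeps
the outstanding count at zero, so the children-only cap never triggers.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional


@dataclass
class Service:
    name: str
    max_children: Optional[int] = None    # cap on outstanding children
    max_per_minute: Optional[int] = None  # cap on starts in a 60 s window
    child_lifetime: float = 0.0           # seconds a child runs; 0.0 = dies at once
    disabled: bool = False                # set once the rate cap trips
    running: List[float] = field(default_factory=list)   # exit times of live children
    recent: Deque[float] = field(default_factory=deque)  # start times, sliding window
    spawned: int = 0
    refused: int = 0
    peak: int = 0                         # highest concurrency ever reached


def admit(svc: Service, now: float) -> bool:
    """Decide whether a request arriving at time `now` may spawn a child."""
    if svc.disabled:
        svc.refused += 1
        return False
    # reap children whose modelled lifetime has elapsed
    svc.running = [t for t in svc.running if t > now]
    if svc.max_children is not None and len(svc.running) >= svc.max_children:
        svc.refused += 1            # hold the request, keep the service enabled
        return False
    # slide the one-minute window forward
    while svc.recent and now - svc.recent[0] >= 60.0:
        svc.recent.popleft()
    if svc.max_per_minute is not None and len(svc.recent) >= svc.max_per_minute:
        svc.disabled = True         # inetd-style reaction: stop the looping service
        svc.refused += 1
        return False
    svc.recent.append(now)
    svc.running.append(now + svc.child_lifetime)
    svc.spawned += 1
    svc.peak = max(svc.peak, len(svc.running))
    return True


def simulate(svc: Service, arrivals):
    """Feed every arrival time to the policy; return (spawned, refused, disabled)."""
    for t in arrivals:
        admit(svc, t)
    return svc.spawned, svc.refused, svc.disabled


def retry_burst():
    """Constructed input: a peer retrying a request every 0.5 s for two minutes."""
    return [i * 0.5 for i in range(240)]


if __name__ == "__main__":
    # misconfigured child dies at once: the children cap never fires
    print(simulate(Service("crash, children cap", max_children=10), retry_burst()))
    # same child under a rate cap: the loop is cut off after 60 starts
    print(simulate(Service("crash, rate cap", max_per_minute=60), retry_burst()))
    # healthy 30 s child under the children cap: bounded concurrency, never disabled
    print(simulate(Service("healthy, children cap", max_children=10,
                           child_lifetime=30.0), retry_burst()))
```

Run as a script it prints the three outcomes; the second line is the one the reply is pointing at, where the rate cap is what stops a misconfigured service from being forked 240 times and filling syslog, and the third shows that the proposed children cap is the better tool for a healthy service under load. The two are complementary rather than interchangeable, which is the "let's not break what's already there" point.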


