tech-userlevel archive
Re: proposal: inetd improvements.
On Wed, Jun 02, 2010 at 11:16:40AM +0100, elric%imrryr.org@localhost wrote:
> I am thinking of using inetd to run a few services in a production
> environment and in order to make it robust and featureful enough to
> do so, I would like to make the following list of changes to it:
Speaking for a moment as the person who used to wrangle the Linux port
of inetd (ages back, before the whole Linux world switched to xinetd):
> 1. maximum connexions per unit time is not a terribly
> useful feature and in fact makes the use of inetd in
> an enterprise unusable as it is a built-in denial of
> service. I propose that we keep track of the number
> of outstanding children and place a maximum on that
> rather than connexions per second. Perhaps we can
> leave connexions per unit time in the code but strongly
> discourage its use,
I'm not going to ask what you mean by "in an enterprise". However, try
the following exercise:
- edit inetd.conf
- enable talkd
- attempt to enable logging with talkd's -l option, but fat-finger
it and enter -lk
- restart inetd
- send yourself a talk request
- examine your syslog
Perhaps in your enterprise (like the apparent audience of other
"enterprise" software I shan't name) having this go on forever is
desirable behavior, but that's not the case in my environment.
Anyway, real rate limiting would be a good thing but let's not break
what's already there.
> 2. inetd should be able to optionally signal kids of wait
> services when it is HUPed or stopped,
that's a good idea.
> 3. for wait services for which inetd fails to bind, it should
> retry later as it is possible that a daemon that it HUPed
> earlier is taking a while to exit,
It already does; maybe just not fast enough for you. (The timeout is a
fixed ten-minute interval, which probably isn't the right approach.)
> 4. % should be defined as an address type and it should expand
> into a list of IP addresses which is periodically regenerated
> by iterating over the interfaces,
>
> 5. it should be possible to configure multiple kids on a wait
> service to give the ability to trivially run pre-forked services,
These are also good ideas.
> 6. put in some interpolation in args so that we can tell the daemon
> a few things.
This is not. inetd.conf isn't a shell, it shouldn't be a shell, and if
you want a shell script that's why we have /usr/local/libexec.
> 7. add a few extra socket options here and there,
possibly.
> 8. maybe a chroot option, maybe unnecessary given that you can
> already do this via chroot(1), and
this seems unnecessary.
> 9. convert it to libevent for portability and provide autoconf
> so that it can be built on other OSes (not used on NetBSD of
> course).
and so does this, to be honest.
You've also forgotten
10. Improve the config syntax.
which is a can of worms.
--
David A. Holland
dholland%netbsd.org@localhost
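The talkd exercise above and the "built-in denial of service" complaint in point 1 are two sides of the same design decision, and a small simulation shows both. The following Python is an added example for this archive page, not code from inetd or from either poster: it models inetd's select loop for a single `wait` service in integer milliseconds with two throttling policies, the existing spawns-per-minute check (40 per minute is inetd's default, after which it logs that the service is looping) and the proposed maximum on live children. The `RateLimit`, `MaxChildren` and `simulate` names, the tick size and the request rates are all constructed for the illustration. A child with lifetime 0 stands for talkd started with a mistyped flag: it exits before reading the datagram, the datagram stays queued, and inetd forks again on the next pass.

```python
from collections import deque

TOOMANY = 40            # inetd default: spawns per minute before it logs "looping"
MINUTE = 60_000         # every time value below is an integer number of milliseconds


class RateLimit:
    """inetd's existing check: at most `limit` spawns within any `window` ms."""

    def __init__(self, limit=TOOMANY, window=MINUTE):
        self.limit, self.window = limit, window
        self.spawns = deque()   # timestamps of recent spawns

    def allow(self, now, live_children):
        while self.spawns and now - self.spawns[0] >= self.window:
            self.spawns.popleft()
        if len(self.spawns) >= self.limit:
            return False
        self.spawns.append(now)
        return True


class MaxChildren:
    """The proposed replacement: refuse only while `limit` children are alive."""

    def __init__(self, limit=10):
        self.limit = limit

    def allow(self, now, live_children):
        return live_children < self.limit


def simulate(policy, child_lifetime, interval, duration=MINUTE, tick=10):
    """Drive one 'wait' service under `policy` (hypothetical model of inetd).

    A request arrives every `interval` ms (None: a single request at t=0).
    While a child is alive it owns the socket and reads requests itself.
    child_lifetime=0 models a child that exits before reading anything,
    so the datagram stays queued and inetd forks again on the next tick.
    Returns (spawn_count, time_of_first_refusal_or_None).
    """
    child_exits = []                # exit times of live children
    pending = False                 # an unread request is queued on the socket
    next_request = 0
    spawns, refused_at = 0, None
    for now in range(0, duration, tick):
        child_exits = [t for t in child_exits if t > now]
        if next_request is not None and now >= next_request:
            next_request = None if interval is None else next_request + interval
            pending = not child_exits           # a live child reads it itself
        if pending and not child_exits:
            if policy.allow(now, len(child_exits)):
                spawns += 1
                if child_lifetime > 0:
                    child_exits.append(now + child_lifetime)
                    pending = False             # the child read the request
                # lifetime 0: the child died at once and the request is still queued
            elif refused_at is None:
                refused_at = now
    return spawns, refused_at


def compare_policies():
    """Constructed scenarios: a crashing child and a healthy one at 1 request/s."""
    return {
        "crashing child, rate limit":   simulate(RateLimit(), 0, None),
        "crashing child, max children": simulate(MaxChildren(), 0, None),
        "healthy child, rate limit":    simulate(RateLimit(), 500, 1000),
        "healthy child, max children":  simulate(MaxChildren(), 500, 1000),
    }


if __name__ == "__main__":
    for name, (spawns, refused_at) in compare_policies().items():
        when = "never refused" if refused_at is None else f"refused at {refused_at} ms"
        print(f"{name:32s} spawns={spawns:5d}  {when}")
```

Under the rate limit the crashing child is forked 40 times and then stopped within half a second, which is the syslog entry the exercise above produces; under the max-children rule the dead child never counts as outstanding, so the loop runs for the whole simulated minute and would run forever in the real daemon. The healthy service at one request per second shows the other side: the rate limit refuses the 41st request of the minute although only one child is ever alive, while the max-children rule serves all 60. Whatever replaces the per-minute check needs to catch the first case without the second.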