reconfiguration without restart
Dennis Allison <allison(at)sumeru.stanford.EDU> | 2004-12-20 22:20:50

Robert,
It would be nice if we could change the configuration without stopping
Pound. Any chance this could become a feature?
-d

Re: reconfiguration without restart
Michal <michalg(at)gmail.com> | 2004-12-20 22:50:30

On Mon, 20 Dec 2004 13:20:50 -0800 (PST), Dennis Allison
<allison(at)sumeru.stanford.edu> wrote:
>
> Robert,
> It would be nice if we could change the configuration without stopping
> Pound. Any chance this could become a feature?
The only time I can see this being a concern is when you don't want to
interrupt existing connections -- for example, if you are serving
large files which take a long time to transfer. In that case, maybe
periodically inspecting netstat's output could reveal a window of
opportunity during which to restart pound (which should be very fast
anyways, provided your pound.cfg file is without errors :) ).
Anyway, I think a "natural" way to do this is to have the running
process receive a signal (HUP?) and re-read its configuration. But,
that might break the security model since pound may run as a user
without the privileges to read the pound.cfg file. Perhaps this
could be implemented but just log an error if the effective uid/gid
cannot re-read the cfg file.
-Michal

Re: reconfiguration without restart
Dennis Allison <allison(at)sumeru.stanford.EDU> | 2004-12-20 23:33:49

We are growing and need to change the Pound configuration (e.g. adding
domains) on a daily basis. We have active users 24x7 and would prefer not
to disrupt their activity by having Pound go away. Currently we wait for
a moment of opportunity and then restart pound, but finding a lull is
difficult, particularly when there are many users. This request was
prompted by a problem we had this morning when one of our development
folks restarted Pound during a lull that was not a lull and ruffled some
content developers' feathers.
On Mon, 20 Dec 2004, Michal wrote:
> On Mon, 20 Dec 2004 13:20:50 -0800 (PST), Dennis Allison
> <allison(at)sumeru.stanford.edu> wrote:
> >
> > Robert,
> > It would be nice if we could change the configuration without stopping
> > Pound. Any chance this could become a feature?
>
> The only time I can see this being a concern is when you don't want to
> interrupt existing connections -- for example, if you are serving
> large files which take a long time to transfer. In that case, maybe
> periodically inspecting netstat's output could reveal a window of
> opportunity during which to restart pound (which should be very fast
> anyways, provided your pound.cfg file is without errors :) ).
>
> Anyway, I think a "natural" way to do this is to have the running
> process receive a signal (HUP?) and re-read its configuration. But,
> that might break the security model since pound may run as a user
> without the privileges to read the pound.cfg file. Perhaps this
> could be implemented but just log an error if the effective uid/gid
> cannot re-read the cfg file.
>
> -Michal
>

Re: reconfiguration without restart
Robert Segall <roseg(at)apsis.ch> | 2004-12-21 19:27:09

On Monday 20 December 2004 23.33, Dennis Allison wrote:
> We are growing and need to change the Pound configuration (e.g. adding
> domains) on a daily basis. We have active users 24x7 and would prefer not
> to disrupt their activity by having Pound go away. Currently we wait for
> a moment of opportunity and then restart pound, but finding a lull is
> difficult, particularly when there are many users. This request was
> prompted by a problem we had this morning when one of our development
> folks restarted Pound during a lull that was not a lull and ruffled some
> content developers' feathers.
>
> On Mon, 20 Dec 2004, Michal wrote:
> > On Mon, 20 Dec 2004 13:20:50 -0800 (PST), Dennis Allison
> >
> > <allison(at)sumeru.stanford.edu> wrote:
> > > Robert,
> > > It would be nice if we could change the configuration without stopping
> > > Pound. Any chance this could become a feature?
> >
> > The only time I can see this being a concern is when you don't want to
> > interrupt existing connections -- for example, if you are serving
> > large files which take a long time to transfer. In that case, maybe
> > periodically inspecting netstat's output could reveal a window of
> > opportunity during which to restart pound (which should be very fast
> > anyways, provided your pound.cfg file is without errors :) ).
> >
> > Anyway, I think a "natural" way to do this is to have the running
> > process receive a signal (HUP?) and re-read its configuration. But,
> > that might break the security model since pound may run as a user
> > without the privileges to read the pound.cfg file. Perhaps this
> > could be implemented but just log an error if the effective uid/gid
> > cannot re-read the cfg file.
> >
> > -Michal

The idea is nice, but it raises a few questions:

- what happens if Pound runs setuid and/or chroot and has no access to the
  config file?
- signals and threads are a nasty mix: you never really know which thread will
  get the signal - and how it happens is architecture dependent. We need some
  other mechanism for a refresh (one of the service threads checking on config
  file modification time? How to deal with file locking issues?)
- if the new config file misses or changes the definition for some
  UrlGroup/BackEnd what should be done with the existing sessions (keep
  existing sessions until they expire, but create new sessions based on new
  config? Perhaps fail existing sessions?)

I would appreciate additional suggestions and ideas.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904

Re: reconfiguration without restart
Michal <michalg(at)gmail.com> | 2004-12-21 19:40:49

On Tue, 21 Dec 2004 19:27:09 +0100, Robert Segall <roseg(at)apsis.ch> wrote:
> I would appreciate additional suggestions and ideas.
Most likely the answer is "no" for reasons I have not yet thought
about, but can Pound listen on a separate TCP port that responds to
HTTP requests by furnishing an administrative web interface to
configure its state? Naturally, a firewall would be needed to block
access to said administrative port #, and possibly a hardcoded rule in
Pound to allow only 127.0.0.1 access.
-Michal

Re: reconfiguration without restart
Robert Segall <roseg(at)apsis.ch> | 2004-12-22 20:53:39

On Tuesday 21 December 2004 19.40, Michal wrote:
> On Tue, 21 Dec 2004 19:27:09 +0100, Robert Segall <roseg(at)apsis.ch> wrote:
> > I would appreciate additional suggestions and ideas.
>
> Most likely the answer is "no" for reasons I have not yet thought
> about, but can Pound listen on a separate TCP port that responds to
> HTTP requests by furnishing an administrative web interface to
> configure its state? Naturally, a firewall would be needed to block
> access to said administrative port #, and possibly a hardcoded rule in
> Pound to allow only 127.0.0.1 access.
>
> -Michal
Not really TCP - that is hardly secure. More likely Unix socket or SysV-style
shared memory (though probably the first due to portability issues). This
still doesn't solve the rootjail problem - how do you open the config file
and the socket if you can't access them? What about file locking?
At a more basic level - is it worth doing? Creating such a protocol means
additional complexity (you have to have a listener, a protocol parser, and an
additional program to talk to it, or some code to generate HTTP in Pound
itself).
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904