Dear Lennart, I'm sorry, I don't get.
Quoting the https://www.freedesktop.org/software/systemd/man/systemd.socket.html#TriggerLimitIntervalSec= Configures a limit on how often this socket unit may be activated within a specific time interval. The TriggerLimitIntervalSec= may be used to configure the length of the time interval in the usual time units "us", "ms", "s", "min", "h", … and defaults to 2s (See systemd.time(7) for details on the various time units understood). The TriggerLimitBurst= setting takes a positive integer value and specifies the number of permitted activations per time interval, and defaults to 200 for Accept=yes sockets (thus by default permitting 200 activations per 2s), and 20 otherwise (20 activations per 2s). Set either to 0 to disable any form of trigger rate limiting. If the limit is hit, the socket unit is placed into a failure mode, and will not be connectible anymore until restarted. Note that this limit is enforced before the service activation is enqueued. But this behavior (the last sentence) exactly matches the DoS described here: https://bugs.archlinux.org/task/62248 Too many connections to an sshd server, configured using socket activation can cause the socket to be disabled permanently ("sshd.socket: Trigger limit hit, refusing further activation."). On Mon, Aug 7, 2023 at 11:48 AM Lennart Poettering <mzerq...@0pointer.de> wrote: > > On Do, 03.08.23 11:29, Dmitry Belyavskiy (dbely...@redhat.com) wrote: > > > Dear colleagues, > > > > I've pushed a fresh build of OpenSSH to rawhide. > > We decided to drop the sshd.socket unit from rawhide. We don't think > > it's worth going through the changes process, but would like to > > provide a heads-up. > > Hmm, why drop it? For many setups, it makes not sense to continously > run sshd, so socket activation should be fine. > > I don't understand the reasoning behind this change. You claim a > DoS. Which DoS is that supposed to be? That we enforce a trigger time > limit on socket units by default? If you don't want this, turn it off, > that's what TriggerLimitIntervalSec=/TriggerLimitBurst= is for, see > docs. > > The discussion makes this sound as if there was a bug in systemd or > so, but there really isn't, it's literally a safety feature you ran > into. It might not make sense to have the trigger rate limit in place > for all usecases, ssh might be one where it is not advisable, but then > the right approach is to just turn that part off, as documented, via > the aforementioned options. > > See for details: > > https://www.freedesktop.org/software/systemd/man/systemd.socket.html#TriggerLimitIntervalSec= > > I don't care too much whether you make ssh socket-activated by default > or not. But at least the option should exist, already for compat with > existing setups. > > Lennart > > -- > Lennart Poettering, Berlin > _______________________________________________ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue -- Dmitry Belyavskiy _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
