Increasing concurrent connections on ubuntu for iperf3 server - sockets

I'm trying to run a iperf3 client (ubuntu server 17.04 VM) to server(ubuntu server 17.04 VM) test for maximum parallel streams possible with the -P option. Currently have reached a max of ~1022 streams before it will terminate with buffer overflow error. Have made the following changes to stretch the limits -
- Increased the /etc/security/limits.conf soft and hard limits for nofile to 16384
- Increases the ulimit to 16384
Are there any other changes that I can make to exceed the ~1022 limit that I am reaching?
Test:
iperf3 client:
iperf3 -c 10.37.129.4 -P 4096
iperf3 server:
iperf3 -s
Error:
root#ubuntu-server# iperf3 -s
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 10.37.129.5, port 26967
[ 5] local 10.37.129.4 port 5201 connected to 10.37.129.5 port 50920
[ 6] local 10.37.129.4 port 5201 connected to 10.37.129.5 port 26980
*****output omitted***********
[1016] local 10.37.129.4 port 5201 connected to 10.37.129.5 port 24249
[1018] local 10.37.129.4 port 5201 connected to 10.37.129.5 port 42339
[1020] local 10.37.129.4 port 5201 connected to 10.37.129.5 port 10062
***** buffer overflow detected ***: iperf3 terminated**
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7908b)[0x7fa0cf99208b]

That’s a security hole in iperf3. I strongly suggest that you report it.

Related

Flutter WebRTC server is not letting me connect

I recently started using flutter to create an app that has video and audio calling, so I thought of using WebRTC to accomplish this. However, when I tried to create a local WebRTC server from the WebRTC Github it doesn't let me connect to it. When I run the server from the command prompt it tells me that the server is listening at the given local IP, but when I try to connect to it, it says the site can't be reached. Also when I ping the url it says the ping request could not find the host. Any kind of help would really be appreciated.
WebRTC server: https://github.com/flutter-webrtc/flutter-webrtc-server
Starting server in command prompt
netstat when server running
pinging server
The IP 0.0.0.0 is not the IP address the server is binding/listening too.
It is a common way that servers allow configurion 0.0.0.0 to express binding to all IPv4 the host has (see https://en.wikipedia.org/wiki/0.0.0.0 ). To acually reach your server use whatever IP you have on the host (if you are starting the server on your workstation 127.0.0.1 ought to work)
Ping on Windows is only ICMP if I am not mistaken, this means a TCP port number is not part of it's expected input. Eg. "0.0.0.0:8086" is not a valid target for that command (see https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/ping )
>ping 0.0.0.0:8086
Ping request could not find host 0.0.0.0:8086. Please check the name and try again.
>ping 0.0.0.0
Pinging 0.0.0.0 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
Ping statistics for 0.0.0.0:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C
>ping 127.0.0.1
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
Since what you are trying to connect to is a webserver you could use something like curl instead to try to verify your connection. Should be available without any further install if you are on Windows 10 1803 or newer.
>curl https://0.0.0.0:8086
curl: (7) Failed to connect to 0.0.0.0 port 8086: Address not available
>curl https://127.0.0.1:8086
<html><head><title>Unauthorized</title></head><body><h1>401 Unauthorized</h1></body></html>
Some browsers might support https://0.0.0.0:8086 in a similar way server do but I wouldn't rely on it. Go with https://127.0.0.1:8086 or a non localhost IP address of the host.

Too many connections on zookeper server

Environment: HDP 2.6.4
Ambari – 2.6.1
3 zookeeper server
23.1.35.185 - is the IP of the first zookeeper server
hi all,
In the first zookeeper server it seems that even after closing the connection to zookeeper is not getting closed,
which causes the maximum number of client connections to be reached from a host - we have maxClientCnxns as 60 in zookeeper config
As a result when a new application comes and tries to create a connection it fails.
Example when Connections are:
echo stat | nc 23.1.35.185 2181
Latency min/avg/max: 0/71/399
Received: 3031 Sent: 2407
Connections: 67
Outstanding: 622
Zxid: 0x130000004d
Mode: follower
Node count: 3730
But after some time when connection comes to ~70 we see
echo stat | nc 23.1.35.185 2181
Ncat: Connection reset by peer.
And We can see also many CLOSE_WAIT
java 58936 zookeeper 60u IPv6 381963738 0t0 TCP Zookeper_server.sys54.com:eforward->zookeper_server.sys54.com:44983 (CLOSE_WAIT)
From the zookeeper log
2018-12-26 02:50:46,382 [myid:1] - WARN [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory#193]
- Too many connections from /23.1.35.185 - max is 60
In the ambari we can see also
Connection failed: [Errno 104] Connection reset by peer to zookeper_server.sys54.com.:2181
I must to say that this not happening on zookeeper servers 2 and 3
NOTE - if we increase the maxClientCnxns to 300 , its not help because after some time we get more the 300 connections ( CLOSE_WAIT ) and then we see from the log
2018-12-26 02:50:49,375 [myid:1] - WARN [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory#193] - Too many connections from /23.1.35.187 - max is 300
so any hint why the connection are CLOSE_WAIT ?
CLOSE_WAIT means that the local end of the connection has received a FIN from the other end, but the OS is waiting for the program at the local end to actually close its connection.
The problem is your program running on the local machine is not closing the socket. It is not a TCP tuning issue. A connection can (and quite correctly) stay in CLOSE_WAIT forever while the program holds the connection open.
Once the local program closes the socket, the OS can send the FIN to the remote end which transitions you to LAST_ACK while you wait for the ACK of the FIN. Once that is received, the connection is finished and drops from the connection table (if your end is in CLOSE_WAIT you do not end up in the TIME_WAIT state).
There is a kernel level property to reuse the connection and reduce the CLOSE_WAIT time.
I suggest you to follow this tutorial http://www.linuxbrigade.com/reduce-time_wait-socket-connections/
This should probably solve your problem.

uwsgi always binds to 80 port. Even when configured not to

I'm trying to start uwsgi listening on custom 8008 port. As mentioned in security section of uwsgi docs I used uid and gid params to make it from www-data user
uwsgi --http-socket :8008 --uid=www-data --gid=www-data
But I continuously get an error
bind(): Permission denied [core/socket.c line 769]
After straceing this problem I figured out that uwsgi tries to bind to 80 port even when I choose another one.
After many attempts it seems that it allways binds to 80 port. Along with the port I choosed.
For example (running as root)
output of
uwsgi --http-socket :8008
contains
thunder lock: disabled (you can enable it with --thunder-lock)
uwsgi socket 0 bound to TCP address :80 fd 3
uwsgi socket 1 bound to TCP address :8008 fd 4
uWSGI running as root, you can use --uid/--gid/--chroot options
*** WARNING: you are running uWSGI as root !!! (use the --uid flag) ***
another example with environment variable configuration:
UWSGI_SOCKET=:8009 uwsgi --http-socket :8008
produces
thunder lock: disabled (you can enable it with --thunder-lock)
uwsgi socket 0 bound to TCP address :8009 fd 3
uwsgi socket 1 bound to TCP address :80 fd 4
uwsgi socket 2 bound to TCP address :8008 fd 5
uWSGI running as root, you can use --uid/--gid/--chroot options
*** WARNING: you are running uWSGI as root !!! (use the --uid flag) ***
No matter how to configure it: via cli-params, .yml-file or
environment variables.
No matter what parameter to choose http-socket or http or just socket
No matter how to point to that port: 0.0.0.0:8008 or just :8008 (or even UNIX socket)
It always tries to bind to 80-th port and reasonably fails if doing it from not-root user
Doing all that stuff under Ubuntu 17.10 in docker with uwsgi 2.0.17.1
Trying to install uwsgi from debian packages and from python pip3 - same behaviour.
Any ideas of what I'm missing?
Thanks in advance.
What about:
uwsgi --http 127.0.0.1:80 --uid=www-data --gid=www-data
Finally I figured out what is going on.
I had wrong configuration in my docker-compose.yml file.
environment:
UWSGI_HTTP_SOCKET: :80
That was the problem.

could not bind IPv4 socket: Permission denied

I am trying to set up a new instance of PostgreSQL 9.6 on a machine. I have tested it on another machine and its working fine on that machine. But the same process is not working on new machine. Below are the steps I am using
created a new data directory with below command
/opt/rh/rh-postgresql96/root/bin/initdb -D /var/lib/pgsql/9.6/data/
created a service file /etc/systemd/system/rh-postgresql96-inst2.service with below content
.include /lib/systemd/system/rh-postgresql96-postgresql.service
[Service]
Environment=PGDATA=/var/lib/pgsql/9.6/data/
Environment=PGPORT=5433
User=postgres
Group=root
registered service using command systemctl enable rh-postgresql96-inst2
now using command systemctl start rh-postgresql96-inst2 to start service.
All these steps are working fine on one machine but not on the 2nd one.
I am getting below error while starting service on the 2nd machine
rh-postgresql96-inst2.service - PostgreSQL database server
Loaded: loaded (/etc/systemd/system/rh-postgresql96-inst2.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2018-06-18 09:59:01 UTC; 10s ago
Process: 7552 ExecStart=/opt/rh/rh-postgresql96/root/usr/libexec/postgresql-ctl start -D ${PGDATA} -s -w -t ${PGSTARTTIMEOUT} (code=exited, status=1/FAILURE)
Process: 7550 ExecStartPre=/opt/rh/rh-postgresql96/root/usr/libexec/postgresql-check-db-dir %N (code=exited, status=0/SUCCESS)
HINT: Is another postmaster already running on port 5433? If not, wait a few seconds and retry.
LOG: could not bind IPv4 socket: Permission denied
HINT: Is another postmaster already running on port 5433? If not, wait a few seconds and retry.
WARNING: could not create listen socket for "localhost"
FATAL: could not create any TCP/IP sockets
LOG: database system is shut down
systemd[1]: rh-postgresql96-inst2.service: control process exited, code=exited status=1
systemd[1]: Failed to start PostgreSQL database server.
systemd[1]: Unit rh-postgresql96-inst2.service entered failed state.
systemd[1]: rh-postgresql96-inst2.service failed.
However, I am able to start service using pg_ctl.
Also, I have checked with netstat, lsof command to check if any other postgresql instance is running on port 5433 but its not the case.
Infact i tried 5431, 5434 ports also but server is not starting up
Instead of turning of SELinux you should allow postgres to bind to port 5433 in SELinux.
There is a port parameter postgresql_port_t which by default has port 5432 and 9898.
semanage port -l | grep post
postgresql_port_t tcp 5433, 9898
What you could do is simply add port 5433 to this list.
semanage port -a -t postgresql_port_t 5433 -p tcp
semanage port -l | grep post
postgresql_port_t tcp 5433, 5432, 9898
After that you can start your postgres server listening on port 5433
systemctl enable rh-postgresql96-postgresql
systemctl start rh-postgresql96-postgresql
netstat -tulpn
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 2847/postgres
tcp 0 0 127.0.0.1:5433 0.0.0.0:* LISTEN 2775/postgres
There is also a handy tool called audit2allow to help debug selinux problems.
audit2allow -m whatiswrong < /var/log/audit/audit.log > /root/showme.te
The file showme.te show you why SELinux is not allowing the service to do what you need.
You should not turn off SELinux just because it's hard to understand or if you don't know how it works. Instead you should study it :)
I reccomend this lecture from the Red Hat Summit https://www.redhat.com/en/about/videos/summit-2018-security-enhanced-linux-mere-mortals
This issue was related to SELinux.
When I run command sestatus on both machines, output was a little bit different.
One server had Current mode: permissive and 2nd one had Current mode: enforcing.
So I changed the current mode to permissive on the 2nd machine using command setenforce 0.
and it resolved the permission related issue. Now I am able to start 2nd instance.

SSH Tunnelling - Remote Debugging

I can ssh into the server say abc.xyz on port 22 but i can't remote debug it in Eclipse. Here is the additional info :
Server startup arguments -
-Xdebug -Xrunjdwp:transport=dt_socket,address=1234,server=y,suspend=n
Confirmation from logs -
Listening for transport dt_socket at address: 1234
When I telnet on my local system -
local-machine% telnet abc-xyz 1234
Trying xx.xx.xx.xx...
telnet: connect to address xx.xx.xx.xx: Connection timed out
telnet: Unable to connect to remote host: Connection timed out
When I telnet on the server(abc.xyz) -
abc-xyz% telnet localhost 1234
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
Connection closed by foreign host.
I've tried setting up tunnel via -
ssh -L 1234:localhost:1234 user#abc-xyz
ssh -L 1234:127.0.0.1:1234 user#abc-xyz
I'm attaching debugger in Eclipse with this config -
Connection type - Standard (Socket attach)
Host - localhost
Port - 1234
Can't get Eclipse to attach to 1234.
After setting up SSH Tunnel, if i manually try to connect to the port, i get this response -
local-machine% telnet localhost 1234
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
Connection closed by foreign host.
and I see an entry in catalina.out as:
channel 4: open failed: connect failed: Connection refused
Any help would be appreciated.
EDIT - 1:
I ran
abc-xyz% ~#
and got the following output:
The following connections are open:
#2 client-session (t4 r0 i0/0 o0/0 fd 7/8 cc -1)
#3 direct-tcpip: listening port 1234 for localhost port 1234, connect from 127.0.0.1 port 23456 (t4 r1 i0/0 o0/0 fd 10/10 cc -1)
I think ssh tunneling is working, it's just the way i'm connecting with Eclipse which is going wrong here.
I just had to increase timeout. (Can be done via Window->Preferences->Java->Debugging. Set it to some appropriate value.)