
RE: Shutting down some slapd listeners



We do something similar when preparing apps for backups, we block NEW incoming connections from our load balancers with a TCP Reset:

iptables -A INPUT -p tcp --dport $appport --source $loadbalancerhost -m state --state NEW -j REJECT --reject-with tcp-reset

That seems to clue the load balancers in pretty fast that this node is no longer available, and allows for ESTABLISHED connections to continue - and we can safely perform local operations like when we wait for the app to finish starting and then unblock those connections.

(Not directly related to OpenLDAP, but interesting for sysadmins who manage it.)

-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Michael Ströder
Sent: Monday, February 15, 2016 7:32 AM
To: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>; openldap-technical@openldap.org
Subject: Re: Shutting down some slapd listeners

Hallvard Breien Furuseth wrote:
> Sometimes I want slapd to stop listening for new connections
> to ldap:// and ldaps://, but keep listening to ldapi://,
> for maintenance before shutdown.
>
> One way would be to extend the 'gentlehup' config option
> with a list of which URIs it should affect.  Or we could
> add some sort of 'command language' to cn=config/cn=monitor.
>
> Or should I play some temporary tricks with iptables or whatever,
> so new connections never reach slapd?  I've never tried that.

Yupp. I'd implement that with temporary local firewall rules suppressing TCP SYN
packets. On Linux: iptables --syn. Local firewall rules are a good idea anyway.

Ciao, Michael.


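Putting the two variants from this thread side by side, as an added example (not code from either poster): a small POSIX shell helper that prints, and if piped to sh applies, iptables rules refusing NEW connections to the ldap:// and ldaps:// listeners with a TCP reset, while already ESTABLISHED sessions and the ldapi:// Unix socket are left alone. It assumes slapd on the standard ports 389 and 636 and an iptables with the state match; the optional source address stands for a load balancer, as in the reply above. The port list, function names and the constructed address 10.0.0.5 are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): block NEW TCP connections to slapd's
# ldap:// and ldaps:// listeners with a TCP RST for a maintenance window,
# leaving ESTABLISHED sessions and ldapi:// untouched.
# Assumptions: slapd on the standard ports 389 and 636 (override with
# LDAP_PORTS), iptables with the "state" match, run as root when applying.

LDAP_PORTS="${LDAP_PORTS:-389 636}"

# Rule specification (without chain or action) that matches NEW connections to
# one TCP port and answers them with a reset. SOURCE, if given, restricts the
# block to a single peer such as a load balancer.
ldap_block_rule() {
    port="$1"
    source="${2:-}"
    spec="-p tcp --dport $port"
    if [ -n "$source" ]; then
        spec="$spec --source $source"
    fi
    printf '%s -m state --state NEW -j REJECT --reject-with tcp-reset\n' "$spec"
}

# Variant suggested later in the thread: match only the SYN packet of the
# handshake instead of relying on connection tracking. Same effect for
# established sessions: they never send a bare SYN again.
ldap_syn_rule() {
    printf -- '-p tcp --dport %s --syn -j REJECT --reject-with tcp-reset\n' "$1"
}

# Print the complete iptables commands for a maintenance window.
# "block" inserts the rules at the top of INPUT (-I), so an earlier ACCEPT for
# the same port cannot shadow them; "unblock" deletes the identical rules (-D).
# Nothing is executed here; the caller reviews the output or pipes it to sh.
ldap_plan() {
    action="$1"
    source="${2:-}"
    case "$action" in
        block)   verb="-I" ;;
        unblock) verb="-D" ;;
        *) echo "usage: ldap_plan block|unblock [source]" >&2; return 2 ;;
    esac
    for p in $LDAP_PORTS; do
        printf 'iptables %s INPUT %s\n' "$verb" "$(ldap_block_rule "$p" "$source")"
    done
}

# Usage:
#   sh ldap-maint.sh block 10.0.0.5          # print the rules (10.0.0.5: constructed LB address)
#   sh ldap-maint.sh block 10.0.0.5 | sh -e  # apply them as root
#   sh ldap-maint.sh unblock 10.0.0.5 | sh -e
case "${1:-}" in
    block|unblock) ldap_plan "$1" "${2:-}" ;;
esac
```

Two practical points the thread only touches on: REJECT with a TCP reset makes a load balancer or client fail over immediately, whereas a plain DROP leaves each new client hanging until its connect timeout, so "suppressing" SYNs is better done with a reset. And after applying the block, `iptables -S INPUT` should show the REJECT rules above any ACCEPT for those ports, while `ss -tn state established '( sport = :389 )'` confirms that the sessions you wanted to keep are still there.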