[EXT] How make freeradius - rlm_exec run multithreaded?

Ryan Allen ryanallenemail at gmail.com
Sat Jan 11 01:18:08 CET 2020

> A1) have you reduced your thread pool for some reason or

# In file: raddb/radiusd.conf, I have:
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
    auto_limit_acct = no
}

Is there anything else we need to set in this file or another file?

> A2) are you running in a single threaded debug mode?

When I start freeradius, it is in a Docker container that runs:
# Inside Docker file: /docker-entrypoint.sh
set -e

# this if will check if the first argument is a flag
# but only works if all arguments require a hyphenated flag
# -v; -SL; -f arg; etc will work, but not arg1 arg2
if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
    set -- freeradius "$@"
fi

# check for the expected command
if [ "$1" = 'freeradius' ]; then
    exec freeradius -f "$@"
fi

# many people are likely to call "radiusd" as well, so allow that
if [ "$1" = 'radiusd' ]; then
    exec freeradius -f "$@"
fi

# else default to run whatever the user wanted like "bash" or "sh"
exec "$@"

In the above file, it runs:
exec freeradius -f "$@"

I don't think it is in debug mode.  When it starts there is only one
line in docker logs which is:
Sat Jan 11 00:00:20 2020 : Info: Ready to process requests

I was running debug mode earlier by changing the line to:
exec freeradius -f -X "$@"
but I removed the -X and it is still doing one request at a time.

Is there anything else we need to do to make sure debug mode is off?

> B) Are you sending a bunch of the same requests with the
> same sequence numbers... FreeRADIUS might think your requests
> are retransmissions rather than new requests.  Check the logs.

I deployed the code to an enterprise Linux server that is hit by an
enterprise server.  Then two of us tried to sign-in at the same time.
We could see that only one request was processed at a time while the
other waited.
The request was sent to an F5 load balancer that would "snat" the IP,
so based on my understanding, both our requests would come from the
same IP, but we are using different usernames, so I would hope it
treats them differently.

Any other ideas?
