diff --git a/SOURCES/bz1429880-optimize-close-syscalls.patch b/SOURCES/bz1429880-optimize-close-syscalls.patch
new file mode 100644
index 0000000..9184c9d
--- /dev/null
+++ b/SOURCES/bz1429880-optimize-close-syscalls.patch
@@ -0,0 +1,329 @@
+diff --git a/configure b/configure
+index dcb9f06..bdc7ba7 100755
+--- a/configure
++++ b/configure
+@@ -4753,7 +4753,7 @@ cat >>confdefs.h <<_ACEOF
+ _ACEOF
+
+
+-for ac_func in gettimeofday select socket strerror strtol uname
++for ac_func in gettimeofday select socket strerror strtol uname pipe2
+ do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+diff --git a/configure.in b/configure.in
+index 8aba44a..808401c 100644
+--- a/configure.in
++++ b/configure.in
+@@ -303,7 +303,7 @@ dnl ----[ Checks for library functions ]----
+ AC_PROG_GCC_TRADITIONAL
+ AC_FUNC_MEMCMP
+ AC_TYPE_SIGNAL
+-AC_CHECK_FUNCS(gettimeofday select socket strerror strtol uname)
++AC_CHECK_FUNCS(gettimeofday select socket strerror strtol uname pipe2)
+
+ dnl ----[ Process output target ]----
+ OUTPUT_TARGET="$OUTPUT_TARGET keepalived/Makefile lib/Makefile"
+diff --git a/genhash/layer4.c b/genhash/layer4.c
+index ba7b05b..bdf3580 100644
+--- a/genhash/layer4.c
++++ b/genhash/layer4.c
+@@ -231,18 +231,18 @@ tcp_connect_thread(thread_t * thread)
+
+ if(req->dst){
+ if(req->dst->ai_family == AF_INET6) {
+- if ((sock_obj->fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP)) == -1) {
++ if ((sock_obj->fd = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
+ DBG("WEB connection fail to create socket.\n");
+ return 0;
+ }
+ } else {
+- if ((sock_obj->fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
++ if ((sock_obj->fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
+ DBG("WEB connection fail to create socket.\n");
+ return 0;
+ }
+ }
+ } else {
+- if ((sock_obj->fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
++ if ((sock_obj->fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
+ DBG("WEB connection fail to create socket.\n");
+ return 0;
+ }
+diff --git a/keepalived/check/check_http.c b/keepalived/check/check_http.c
+index 18431f9..830f05b 100644
+--- a/keepalived/check/check_http.c
++++ b/keepalived/check/check_http.c
+@@ -869,7 +869,7 @@ http_connect_thread(thread_t * thread)
+ }
+
+ /* Create the socket */
+- if ((fd = socket(co->dst.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
++ if ((fd = socket(co->dst.ss_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
+ log_message(LOG_INFO, "WEB connection fail to create socket. Rescheduling.");
+ thread_add_timer(thread->master, http_connect_thread, checker,
+ checker->vs->delay_loop);
+diff --git a/keepalived/check/check_misc.c b/keepalived/check/check_misc.c
+index 53e08e9..1f8ad19 100644
+--- a/keepalived/check/check_misc.c
++++ b/keepalived/check/check_misc.c
+@@ -150,7 +150,6 @@ misc_check_thread(thread_t * thread)
+
+ /* Child part */
+ signal_handler_destroy();
+- closeall(0);
+
+ open("/dev/null", O_RDWR);
+ ret = dup(0);
+diff --git a/keepalived/check/check_smtp.c b/keepalived/check/check_smtp.c
+index a52b755..1baaacf 100644
+--- a/keepalived/check/check_smtp.c
++++ b/keepalived/check/check_smtp.c
+@@ -774,7 +774,7 @@ smtp_connect_thread(thread_t *thread)
+ smtp_host = smtp_checker->host_ptr;
+
+ /* Create the socket, failling here should be an oddity */
+- if ((sd = socket(smtp_host->dst.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
++ if ((sd = socket(smtp_host->dst.ss_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
+ log_message(LOG_INFO, "SMTP_CHECK connection failed to create socket. Rescheduling.");
+ thread_add_timer(thread->master, smtp_connect_thread, checker,
+ checker->vs->delay_loop);
+diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
+index aa19011..2035a67 100644
+--- a/keepalived/check/check_ssl.c
++++ b/keepalived/check/check_ssl.c
+@@ -199,8 +199,11 @@ ssl_connect(thread_t * thread, int new_req)
+
+ /* First round, create SSL context */
+ if (new_req) {
++ int bio_fd;
+ req->ssl = SSL_new(check_data->ssl->ctx);
+ req->bio = BIO_new_socket(thread->u.fd, BIO_NOCLOSE);
++ BIO_get_fd(req->bio, &bio_fd);
++ fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC);
+ SSL_set_bio(req->ssl, req->bio, req->bio);
+ }
+
+diff --git a/keepalived/check/check_tcp.c b/keepalived/check/check_tcp.c
+index b941ab2..c595935 100644
+--- a/keepalived/check/check_tcp.c
++++ b/keepalived/check/check_tcp.c
+@@ -131,7 +131,7 @@ tcp_connect_thread(thread_t * thread)
+ return 0;
+ }
+
+- if ((fd = socket(co->dst.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
++ if ((fd = socket(co->dst.ss_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
+ log_message(LOG_INFO, "TCP connect fail to create socket. Rescheduling.");
+ thread_add_timer(thread->master, tcp_connect_thread, checker,
+ checker->vs->delay_loop);
+diff --git a/keepalived/core/smtp.c b/keepalived/core/smtp.c
+index 6b1cf7e..34bb126 100644
+--- a/keepalived/core/smtp.c
++++ b/keepalived/core/smtp.c
+@@ -560,7 +560,7 @@ smtp_connect(smtp_t * smtp)
+ {
+ enum connect_result status;
+
+- if ((smtp->fd = socket(global_data->smtp_server.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
++ if ((smtp->fd = socket(global_data->smtp_server.ss_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP)) == -1) {
+ DBG("SMTP connect fail to create socket.");
+ free_smtp_all(smtp);
+ return;
+diff --git a/keepalived/libipvs-2.4/libipvs.c b/keepalived/libipvs-2.4/libipvs.c
+index be0329e..ff95e8c 100644
+--- a/keepalived/libipvs-2.4/libipvs.c
++++ b/keepalived/libipvs-2.4/libipvs.c
+@@ -35,7 +35,7 @@ int ipvs_init(void)
+ socklen_t len;
+
+ len = sizeof(ipvs_info);
+- if ((sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
++ if ((sockfd = socket(AF_INET, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_RAW)) == -1)
+ return -1;
+
+ ipvs_cmd = GET_CMD(IP_VS_SO_GET_INFO);
+diff --git a/keepalived/vrrp/vrrp.c b/keepalived/vrrp/vrrp.c
+index 2d41ae2..0133ff5 100644
+--- a/keepalived/vrrp/vrrp.c
++++ b/keepalived/vrrp/vrrp.c
+@@ -1073,7 +1073,7 @@ open_vrrp_send_socket(sa_family_t family, int proto, int idx, int unicast)
+ ifp = if_get_by_ifindex(idx);
+
+ /* Create and init socket descriptor */
+- fd = socket(family, SOCK_RAW, proto);
++ fd = socket(family, SOCK_RAW | SOCK_CLOEXEC, proto);
+ if (fd < 0) {
+ log_message(LOG_INFO, "cant open raw socket. errno=%d", errno);
+ return -1;
+@@ -1119,7 +1119,7 @@ open_vrrp_socket(sa_family_t family, int proto, int idx, int unicast)
+ ifp = if_get_by_ifindex(idx);
+
+ /* open the socket */
+- fd = socket(family, SOCK_RAW, proto);
++ fd = socket(family, SOCK_RAW | SOCK_CLOEXEC, proto);
+ if (fd < 0) {
+ int err = errno;
+ log_message(LOG_INFO, "cant open raw socket. errno=%d", err);
+diff --git a/keepalived/vrrp/vrrp_arp.c b/keepalived/vrrp/vrrp_arp.c
+index e53b9d7..58116a9 100644
+--- a/keepalived/vrrp/vrrp_arp.c
++++ b/keepalived/vrrp/vrrp_arp.c
+@@ -98,7 +98,7 @@ void gratuitous_arp_init(void)
+ garp_buffer = (char *)MALLOC(sizeof(arphdr_t) + ETHER_HDR_LEN);
+
+ /* Create the socket descriptor */
+- garp_fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_RARP));
++ garp_fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, htons(ETH_P_RARP));
+
+ if (garp_fd > 0)
+ log_message(LOG_INFO, "Registering gratuitous ARP shared channel");
+diff --git a/keepalived/vrrp/vrrp_if.c b/keepalived/vrrp/vrrp_if.c
+index 4bb2356..3b3209d 100644
+--- a/keepalived/vrrp/vrrp_if.c
++++ b/keepalived/vrrp/vrrp_if.c
+@@ -190,7 +190,7 @@ if_mii_probe(const char *ifname)
+ {
+ uint16_t *data = (uint16_t *) (&ifr.ifr_data);
+ int phy_id;
+- int fd = socket(AF_INET, SOCK_DGRAM, 0);
++ int fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+ int status = 0;
+
+ if (fd < 0)
+@@ -239,7 +239,7 @@ if_ethtool_status(const int fd)
+ int
+ if_ethtool_probe(const char *ifname)
+ {
+- int fd = socket(AF_INET, SOCK_DGRAM, 0);
++ int fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+ int status = 0;
+
+ if (fd < 0)
+@@ -255,7 +255,7 @@ if_ethtool_probe(const char *ifname)
+ void
+ if_ioctl_flags(interface_t * ifp)
+ {
+- int fd = socket(AF_INET, SOCK_DGRAM, 0);
++ int fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+
+ if (fd < 0)
+ return;
+diff --git a/keepalived/vrrp/vrrp_ndisc.c b/keepalived/vrrp/vrrp_ndisc.c
+index 1399095..84e77be 100644
+--- a/keepalived/vrrp/vrrp_ndisc.c
++++ b/keepalived/vrrp/vrrp_ndisc.c
+@@ -187,7 +187,7 @@ ndisc_init(void)
+ sizeof(struct ndhdr) + sizeof(struct nd_opt_hdr) + ETH_ALEN);
+
+ /* Create the socket descriptor */
+- ndisc_fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IPV6));
++ ndisc_fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, htons(ETH_P_IPV6));
+ }
+
+ void
+diff --git a/keepalived/vrrp/vrrp_netlink.c b/keepalived/vrrp/vrrp_netlink.c
+index d7adffa..f73810e 100644
+--- a/keepalived/vrrp/vrrp_netlink.c
++++ b/keepalived/vrrp/vrrp_netlink.c
+@@ -56,7 +56,7 @@ netlink_socket(nl_handle_t *nl, unsigned long groups)
+
+ memset(nl, 0, sizeof (*nl));
+
+- nl->fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
++ nl->fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
+ if (nl->fd < 0) {
+ log_message(LOG_INFO, "Netlink: Cannot open netlink socket : (%s)",
+ strerror(errno));
+diff --git a/keepalived/vrrp/vrrp_scheduler.c b/keepalived/vrrp/vrrp_scheduler.c
+index 10d9539..05dd1d8 100644
+--- a/keepalived/vrrp/vrrp_scheduler.c
++++ b/keepalived/vrrp/vrrp_scheduler.c
+@@ -983,7 +983,6 @@ vrrp_script_thread(thread_t * thread)
+
+ /* Child part */
+ signal_handler_destroy();
+- closeall(0);
+ open("/dev/null", O_RDWR);
+ ret = dup(0);
+ if (ret < 0) {
+diff --git a/lib/notify.c b/lib/notify.c
+index 80cc91e..188423d 100644
+--- a/lib/notify.c
++++ b/lib/notify.c
+@@ -48,15 +48,6 @@ system_call(char *cmdline)
+ return retval;
+ }
+
+-/* Close all FDs >= a specified value */
+-void
+-closeall(int fd)
+-{
+- int fdlimit = sysconf(_SC_OPEN_MAX);
+- while (fd < fdlimit)
+- close(fd++);
+-}
+-
+ /* Execute external script/program */
+ int
+ notify_exec(char *cmd)
+@@ -77,7 +68,6 @@ notify_exec(char *cmd)
+ return 0;
+
+ signal_handler_destroy();
+- closeall(0);
+
+ open("/dev/null", O_RDWR);
+
+diff --git a/lib/notify.h b/lib/notify.h
+index a17cb75..9b81da1 100644
+--- a/lib/notify.h
++++ b/lib/notify.h
+@@ -25,7 +25,6 @@
+
+ /* system includes */
+ extern int system_call(char *cmdline);
+-extern void closeall(int fd);
+ extern int notify_exec(char *cmd);
+
+ #endif
+diff --git a/lib/signals.c b/lib/signals.c
+index 983c71d..5eb1ee3 100644
+--- a/lib/signals.c
++++ b/lib/signals.c
+@@ -125,12 +125,21 @@ signal_ignore(int signo)
+ void
+ signal_handler_init(void)
+ {
+- int n = pipe(signal_pipe);
+- assert(!n);
++ int n;
+
++#ifdef HAVE_PIPE2
++ n = pipe2(signal_pipe, O_CLOEXEC | O_NONBLOCK);
++#else
++ n = pipe(signal_pipe);
++
+ fcntl(signal_pipe[0], F_SETFL, O_NONBLOCK | fcntl(signal_pipe[0], F_GETFL));
+ fcntl(signal_pipe[1], F_SETFL, O_NONBLOCK | fcntl(signal_pipe[1], F_GETFL));
+-
++
++ fcntl(signal_pipe[0], F_SETFD, FD_CLOEXEC | fcntl(signal_pipe[0], F_GETFD));
++ fcntl(signal_pipe[1], F_SETFD, FD_CLOEXEC | fcntl(signal_pipe[1], F_GETFD));
++#endif
++ assert(!n);
++
+ signal_SIGHUP_handler = NULL;
+ signal_SIGINT_handler = NULL;
+ signal_SIGTERM_handler = NULL;
+@@ -172,10 +181,6 @@ void
+ signal_handler_destroy(void)
+ {
+ signal_wait_handlers();
+- close(signal_pipe[1]);
+- close(signal_pipe[0]);
+- signal_pipe[1] = -1;
+- signal_pipe[0] = -1;
+ }
+
+ int
diff --git a/SPECS/keepalived.spec b/SPECS/keepalived.spec
index 2ca56d3..097baa8 100644
--- a/SPECS/keepalived.spec
+++ b/SPECS/keepalived.spec
@@ -9,7 +9,7 @@
Name: keepalived
Summary: Load balancer and high availability service
Version: 1.2.13
-Release: 8%{?dist}
+Release: 9%{?dist}
License: GPLv2+
URL: http://www.keepalived.org/
Group: System Environment/Daemons
@@ -19,6 +19,7 @@ Source1: keepalived.service
Patch0: bz1085535-keepalived-man-snmp.patch
Patch1: bz1181107-global-data-after-parse.patch
+Patch2: bz1429880-optimize-close-syscalls.patch
Requires(post): systemd
Requires(preun): systemd
@@ -48,6 +49,7 @@ Keepalived also implements the Virtual Router Redundancy Protocol
%setup -q
%patch0 -p1
%patch1 -p1
+%patch2 -p1
%build
%configure \
@@ -103,6 +105,9 @@ Keepalived also implements the Virtual Router Redundancy Protocol
%{_mandir}/man8/keepalived.8*
%changelog
+* Mon Mar 27 2017 Ryan O'Hara <rohara@redhat.com> - 1.2.13-9
+- Fix high number of close system calls (#1429880)
+
* Fri Jul 01 2016 Ryan O'Hara <rohara@redhat.com> - 1.2.13-8
- Add PIDFile to systemd unit file (#1336190)