loke.dev
Header image for A Strategic Shard for the Listen Socket: Scaling Multi-Core Servers with SO_REUSEPORT

A Strategic Shard for the Listen Socket: Scaling Multi-Core Servers with SO_REUSEPORT

Exposing the performance limitations of the single-acceptor model and how kernel-level socket sharding enables true parallel connection handling across CPU cores.

· 8 min read

I remember staring at htop during a stress test for a high-throughput proxy I’d written, watching Core 0 scream at 100% while the other thirty-one cores hovered lazily at 2%. It was a classic bottleneck: thousands of concurrent connections were fighting over a single listening socket, and the kernel was doing its best to play referee. That afternoon, I realized that having a massive multi-core server doesn't mean your software actually knows how to use it.

In the world of high-performance networking, we often talk about "scaling out," but we rarely talk about the friction that happens at the very front door of your application: the listen() socket.

The Single-Acceptor Bottleneck

For decades, the standard way to write a network server was simple. You create a socket, bind() it to a port, call listen(), and then either accept() connections in a loop or hand that file descriptor off to an event loop like epoll.

If you wanted to use multiple cores, you’d usually follow one of two patterns:
1. The Leader-Follower: One process accepts connections and passes the resulting file descriptor to worker threads.
2. The Shared Listener: You fork() the process after the socket is bound, and every child process calls accept() on the same shared file descriptor.

Both of these approaches have a ceiling. In the shared listener model, when a new connection arrives, the kernel has to wake up the processes waiting on that socket. Historically, this triggered the "thundering herd" problem, where every process wakes up, but only one wins the race to accept(), while the others go back to sleep, wasting CPU cycles on context switches.

Even with modern kernel optimizations like EPOLLEXCLUSIVE, you’re still dealing with a single lock on the listener's accept queue. As your connection rate climbs into the hundreds of thousands per second, that lock becomes a point of extreme contention. Your CPU cores aren't processing data; they're fighting each other for the right to talk to the kernel.

Sharding the Socket with SO_REUSEPORT

Introduced in Linux 3.9, SO_REUSEPORT changed the game. It allows multiple independent sockets (each with its own file descriptor) to bind to the exact same IP address and port.

This isn't just about avoiding a "thundering herd." It’s about kernel-level load balancing. When you have multiple sockets bound to the same port with this flag, the Linux kernel treats them as a group. When a new SYN packet arrives, the kernel hashes the connection's 4-tuple (source IP, source port, destination IP, destination port) and assigns the connection to one of the sockets in the group.

Each process or thread gets its own dedicated listener and its own dedicated accept queue. No more contention. No more single-lock bottlenecks.

A Practical C Implementation

Let's look at how you actually implement this at the system level. The magic happens via setsockopt before you call bind.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <pthread.h>

void *start_worker(void *arg) {
    int opt = 1;
    int server_fd;
    struct sockaddr_in address;
    int addrlen = sizeof(address);

    // 1. Create the socket
    if ((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == 0) {
        perror("socket failed");
        exit(EXIT_FAILURE);
    }

    // 2. Set SO_REUSEPORT
    // This allows multiple sockets to bind to the same port
    if (setsockopt(server_fd, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt))) {
        perror("setsockopt SO_REUSEPORT");
        exit(EXIT_FAILURE);
    }

    address.sin_family = AF_INET;
    address.sin_addr.s_addr = INADDR_ANY;
    address.sin_port = htons(8080);

    // 3. Bind to the same port as other threads
    if (bind(server_fd, (struct sockaddr *)&address, sizeof(address)) < 0) {
        perror("bind failed");
        exit(EXIT_FAILURE);
    }

    if (listen(server_fd, 128) < 0) {
        perror("listen");
        exit(EXIT_FAILURE);
    }

    printf("[Worker %ld] Listening on port 8080\n", (long)pthread_self());

    while (1) {
        int new_socket = accept(server_fd, (struct sockaddr *)&address, (socklen_t*)&addrlen);
        if (new_socket < 0) {
            perror("accept");
            continue;
        }
        
        // Handle connection...
        send(new_socket, "Hello from a sharded socket!\n", 29, 0);
        close(new_socket);
    }
}

int main() {
    int num_workers = 4;
    pthread_t threads[num_workers];

    for (int i = 0; i < num_workers; i++) {
        pthread_create(&threads[i], NULL, start_worker, NULL);
    }

    for (int i = 0; i < num_workers; i++) {
        pthread_join(threads[i], NULL);
    }

    return 0;
}

In this example, each thread creates its own socket and binds it to port 8080. Because SO_REUSEPORT is set, the kernel doesn't throw an "Address already in use" error. Instead, it creates an array of listeners for port 8080 and distributes incoming connections across them.

Why Hashing is Better than Round-Robin

You might wonder why the kernel hashes the 4-tuple instead of just doing a simple round-robin distribution. The answer lies in CPU Cache Locality and Statefulness.

When the kernel uses a hash of the source IP and port, it ensures that all packets for a specific connection (and often all connections from a specific client) land on the same listener. This is critical for two reasons:

1. Warm Caches: If a specific CPU core is handling a connection, the data structures for that connection stay in that core's L1/L2 cache. If the kernel constantly bounced packets for the same connection between different cores, you’d suffer from constant cache misses and "inter-processor interrupts" (IPIs).
2. TCP Fast Open and Early Data: For protocols that rely on state across multiple packets before the accept() is finalized, keeping the state on one "owner" socket simplifies the kernel’s job immensely.

Zero-Downtime Deploys: The Hidden Superpower

Beyond raw performance, SO_REUSEPORT provides a elegant solution for zero-downtime restarts.

In a traditional setup, to upgrade your server, you have to stop the old process and start a new one. Even if this happens in milliseconds, there’s a window where the port is closed, and incoming SYN packets are rejected with a RST.

With SO_REUSEPORT, you can:
1. Spin up a new version of your server.
2. It binds to the same port (the kernel adds it to the list of listeners).
3. For a brief moment, both the old and new versions are accepting connections.
4. Send a SIGQUIT or SIGTERM to the old version.
5. The old version stops accepting *new* connections but finishes processing the ones it already has.
6. The kernel automatically stops routing new connections to the old socket once it's closed.

This transition is completely transparent to the client. No dropped packets, no refused connections.

Implementation in Modern Languages

While the C example shows the raw mechanics, you likely use higher-level languages. Most modern runtimes support this, though some require you to dig into the socket options.

Python (using socket)

In Python, you have to manually set the flag on the socket object before binding.

import socket
import os

def create_server():
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    
    # Enable SO_REUSEPORT
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    
    sock.bind(('0.0.0.0', 8888))
    sock.listen(128)
    
    print(f"Process {os.getpid()} listening on port 8888")
    while True:
        conn, addr = sock.accept()
        conn.sendall(b"Handled by PID " + str(os.getpid()).encode() + b"\n")
        conn.close()

# You would then run multiple instances of this script

Go (using control in ListenConfig)

Go’s standard net.Listen doesn't expose socket options easily. You have to use a net.ListenConfig and a "control" function to set the setsockopt on the raw file descriptor.

package main

import (
	"context"
	"fmt"
	"net"
	"os"
	"syscall"

	"golang.org/x/sys/unix"
)

func main() {
	lc := net.ListenConfig{
		Control: func(network, address string, c syscall.RawConn) error {
			var err error
			c.Control(func(fd uintptr) {
				err = unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEPORT, 1)
			})
			return err
		},
	}

	lsnr, err := lc.Listen(context.Background(), "tcp", "127.0.0.1:8080")
	if err != nil {
		panic(err)
	}
	defer lsnr.Close()

	fmt.Printf("PID %d listening on 8080\n", os.getpid())
	for {
		conn, _ := lsnr.Accept()
		conn.Write([]byte(fmt.Sprintf("Hi from PID %d\n", os.getpid())))
		conn.Close()
	}
}

The Hardware Connection: RSS and RFS

To get the absolute most out of SO_REUSEPORT, you have to look one layer deeper: the Network Interface Card (NIC).

Modern NICs use Receive Side Scaling (RSS). RSS uses a hardware-level hash to distribute incoming packets across different hardware RX queues, which are serviced by different CPU cores.

Here is the "gotcha": If your NIC’s RSS hash sends a packet to Core 0, but the kernel’s SO_REUSEPORT hash decides the connection belongs to a socket being handled by a process on Core 5, the packet has to be copied across the CPU’s interconnect (like Intel’s QPI or AMD’s Infinity Fabric). This "cross-talk" introduces latency.

To truly squeeze every drop of performance, you want the hardware hash and the software hash to align. Some advanced users use ebpf with SO_ATTACH_REUSEPORT_EBPF to write custom logic that ensures the socket selected by the kernel matches the CPU core already processing the packet from the NIC. This is the "holy grail" of networking: a straight line from the wire to the application code.

When Should You Avoid It?

SO_REUSEPORT isn't a magic "make fast" button for every scenario. There are a few edge cases to keep in mind:

1. Uneven Distribution: If you have a few long-lived connections (like heavy hardware sensors or long-polling clients) and many short-lived ones, the hashing might result in an uneven load. One worker might get stuck with four "heavy" clients while another gets forty "light" ones.
2. Scaling Down is Tricky: Adding a new listener is easy. Removing one is harder. If you close a socket, any connections sitting in its individual accept queue that haven't been accept()'d yet will be dropped (sent a RST). You need to be careful with your shutdown logic.
3. Kernel Support: While Linux has had this since 3.9, other OSs vary. BSD has had its own version of SO_REUSEPORT for a long time, but its behavior differs slightly from Linux's.

Summary

The transition from a single-acceptor model to a sharded model is often the difference between a server that chokes at 50k connections per second and one that cruises through 500k. By sharding the listen socket, you transform a serialized bottleneck into a parallel gateway.

If you’re building high-concurrency systems, stop letting your cores fight over one socket. Shard it. The kernel is already built to do the heavy lifting for you—you just have to ask.