Bug 141048

Summary: ntpd dies with "out of memory" due to misconfiguration
Product: [Fedora] Fedora
Reporter: Thomas Zehetbauer <thomasz>
Component: ntp
Assignee: Petr Raszyk <praszyk>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: rawhide
CC: g.eustace, rh-bugzilla
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: ntp-4.2.0.a.20050816 Release 10
Doc Type: Bug Fix
Last Closed: 2005-11-10 10:02:10 UTC
Attachments (description; flags):
modified ntpd.init file to allow configuration of max locked memory; none
ntp-4.2.0.a.20050816-10.src.rpm; none

Description Thomas Zehetbauer 2004-11-28 19:46:58 UTC
ntpd dies with "out of memory" or "Exiting: No more memory!" because
of a combination of the following issues:

The default restrict line allows everyone to set up a bi-directional
association, causing peer memory to be allocated. I recommend that this
line be changed to include the "nopeer" keyword.

Additional memory for per-client statistics can be saved by using the
"disable monitor" directive, so I recommend using this as well.

The noquery option does, however, prevent clients from tracing their
synchronization back to its source. This is bad practice and I
recommend removing it.

RLIMIT_MEMLOCK defaults to only 32kB; this is far too low for ntpd
trying to lock itself into memory. I suggest that this limit be raised
in /etc/init.d/ntpd or be made configurable via /etc/sysconfig/ntpd.

Comment 1 udo 2004-11-29 17:11:57 UTC
tweaking of /etc/security/limits.conf should be the fix?

Comment 2 Thomas Zehetbauer 2004-11-29 18:09:41 UTC
This cannot work: the /etc/security/limits.conf file is processed by
/lib/security/pam_limits.so, which is only called by PAM-enabled
applications and only if it is enabled in /etc/pam.d/system-auth. But
like most daemons, ntpd does not use PAM but direct calls to setuid()
and setgid().

Comment 3 Brian Fahrlander 2005-01-11 16:40:22 UTC
I've managed to make it reliably run for 8H, so I'm telling cron to
bounce it every 8H.  At least I can use it, kinda...

Comment 4 Glen Eustace 2005-01-12 21:39:02 UTC
I upgraded from FC1 to FC3 yesterday on our two time servers and am
now getting this error. I have tried reducing the number of servers
we query but the only thing so far that has enabled me to get the
daemon to stay running was to add 'disable monitor' to the config.
 

Comment 5 Glen Eustace 2005-01-12 22:32:06 UTC
Having managed to get the ntpd process to stay running, it now will 
not accept synchronisation from any of the configured servers.  It 
used to only take a couple of minutes. 
 
ntpq> lpeer
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 132.181.10.44   .RSTR.          16 u    -   64    0    0.000    0.000 4000.00
 timekeeper.isi. .RSTR.          16 u    -  128    0    0.000    0.000 4000.00
 tick.usno.navy. .RSTR.          16 u    -  256    0    0.000    0.000 4000.00
 ntp1.usno.navy. .RSTR.          16 u    -  512    0    0.000    0.000 4000.00
 mu-relay2.masse .INIT.          16 u    - 1024    0    0.000    0.000 4000.00
*LOCAL(0)        LOCAL(0)        10 l   51   64  377    0.000    0.000   0.001
 

Comment 6 Glen Eustace 2005-01-13 00:58:08 UTC
I got caught out. The meaning of restrict notrust has changed between 
4.1 and 4.2. Removing the notrust from the restrict config line has 
restored the service. 
 
I have still had to reduce the number of servers we were attempting
to sync with in order to not exceed the mem_lock limit.
 

Comment 7 Neil Horman 2005-09-01 17:23:40 UTC
Created attachment 118356
modified ntpd.init file to allow configuration of max locked memory

This is a new version of the ntpd.init script from the ntp source rpm.  It allows
you to set the locked memory limits for ntpd by setting the NTPD_MEMLOCK
variable in /etc/sysconfig/ntpd.

Comment 8 Enrico Scholz 2005-09-07 07:12:53 UTC
I have already

| ulimit -HS -l 1024

in my /etc/sysconfig/ntpd but the daemon still dies every 1-2 days with

| 7 Sep 09:07:25 ntpd[8298]: receive: fatal error 608 for 192.168.0.13
| 7 Sep 09:08:10 ntpd[8298]: make_keys error:0306A041:bignum routines:BN_CTX_new:malloc failure
| 7 Sep 09:08:12 ntpd[8298]: Exiting: No more memory!


Comment 9 Enrico Scholz 2005-09-21 06:59:18 UTC
'ulimit' in the initscript will not help as the rlimit will be set by 'ntpd'
itself. Please upgrade to the recent version as it seems to be fixed there:

------
ChangeSet
  1.1196 05/08/15 04:01:26 stenn.edu +1 -0
  [Bug 477] Linux needs larger RLIM_MEMLOCK, from Cristoph Gysin

  ntpd/ntpd.c
    1.55 05/08/15 04:01:12 stenn.edu +12 -0
    [Bug 477] Linux needs larger RLIM_MEMLOCK, from Cristoph Gysin
------
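
Added example, not part of the bug thread and not the upstream ntpd change: one way a daemon can raise RLIMIT_MEMLOCK itself before locking memory, which is the approach comment 9 refers to. The function names and the 32 MiB target are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Constructed target for illustration; not a value taken from ntpd. */
#define WANT_MEMLOCK ((rlim_t)32 * 1024 * 1024)

/* Work out the RLIMIT_MEMLOCK pair to request. Returns 0 if the current
 * soft limit already covers `want`, 1 if *out holds a larger limit to set,
 * -1 if the hard limit is too low and the caller is not root. */
int plan_memlock(const struct rlimit *cur, rlim_t want, int is_root,
                 struct rlimit *out)
{
    *out = *cur;
    if (cur->rlim_cur == RLIM_INFINITY || cur->rlim_cur >= want)
        return 0;
    if (cur->rlim_max != RLIM_INFINITY && cur->rlim_max < want) {
        if (!is_root)
            return -1;
        out->rlim_max = want;   /* raising the hard limit needs privilege */
    }
    out->rlim_cur = want;
    return 1;
}

/* Raise the limit from inside the daemon: call this while still root,
 * before setuid()/setgid() and before mlockall(). */
int raise_memlock(rlim_t want)
{
    struct rlimit cur, next;
    int rc;
    if (getrlimit(RLIMIT_MEMLOCK, &cur) != 0)
        return -1;
    rc = plan_memlock(&cur, want, geteuid() == 0, &next);
    if (rc == 1 && setrlimit(RLIMIT_MEMLOCK, &next) != 0)
        return -1;              /* e.g. root without CAP_SYS_RESOURCE */
    return rc;
}

int main(void)
{
    struct rlimit now;
    int rc = raise_memlock(WANT_MEMLOCK);
    if (getrlimit(RLIMIT_MEMLOCK, &now) != 0)
        return 1;
    printf("rc=%d soft=%llu hard=%llu\n", rc,
           (unsigned long long)now.rlim_cur, (unsigned long long)now.rlim_max);
    return rc < 0;
}
```

A return of -1 when run unprivileged with a low hard limit is the case where the limit has to be raised before privileges are dropped.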


Comment 10 Petr Raszyk 2005-11-10 10:00:46 UTC
Created attachment 120875
ntp-4.2.0.a.20050816-10.src.rpm

Fixed in ntp-4.2.0.a.20050816-10.src.rpm above.