Bug 1619547

Summary: Couldn't create a AF_PACKET socket, error Too many open files
Product: [Fedora] Fedora Reporter: redhat
Component: suricataAssignee: Steve Grubb <sgrubb>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 28CC: athmanem, jmlich83, jtfas90, sgrubb
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-07 19:07:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description redhat 2018-08-21 07:49:03 UTC 
Description of problem:
After 3 weeks of uptime suricata runs into fail state.

Version-Release number of selected component (if applicable):
suricata-4.0.5-1.fc28

How reproducible:
Always after some weeks uptime.

Steps to Reproduce:
1. Install, enable and start suricata service
2. Wait some weeks (no reboot)
3.

Actual results:
suricata[2589]: 19/8/2018 -- 03:25:02 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't create a AF_PACKET socket, error Too many open files


Expected results:
No erors.

Additional info:
Comment 1 Jason Taylor 2018-08-23 00:59:31 UTC 
Could you share your suricata.yaml config?

Also could you provide an lsof output for the suricata process when it starts generating the error indicated above?

Thanks!

JT
Comment 2 Jason Taylor 2018-08-29 13:05:31 UTC 
Thanks for the report and thanks sgrubb for reporting.

According to the suricata devs this issue should be fixed with:

https://github.com/OISF/suricata/pull/3463

JT
Comment 3 Steve Grubb 2018-08-29 21:42:18 UTC 
The question is should we patch that up or will there be a new release soonish?
Comment 4 Jason Taylor 2018-08-29 22:43:56 UTC 
I didn't get a chance to about a bugfix release, I will tomorrow.

If no release is imiment, I'm for a patch and new build.

JT
Comment 5 redhat 2018-08-30 14:42:50 UTC 
Well, as stated in the initial report, it takes weeks. I will of course provide the required information when it occurs again.Please stay patient.

As far as my configuration file is concerned, it corresponds to what is configured by default after the installation. I did not edit it. Hope this helps.
Comment 6 Jason Taylor 2018-08-30 16:45:35 UTC 
Understood, whenever you are able. It appears the devs were able to track it down but if we could get any additional information to ensure a proper fix.

Thanks in advance!

JT
Comment 7 Jason Taylor 2018-08-31 13:28:36 UTC 
Word back about a bugfix release is that, yes there will be one but the timeframe is unknown.

That being the case, do you want to do local patch Steve?

JT
Comment 8 Steve Grubb 2019-03-07 19:07:16 UTC 
Looks like this was fixed in suricata-4.0.6. I'm going to close this out since that was pushed out back in December. If there is still a problem, feel free to re-open the bug report. Thanks.