Bug 1942597

Summary:	vsftpd session_support=YES causes continual growth of utmp and high system cpu%
Product:	Red Hat Enterprise Linux 8	Reporter:	jtougne
Component:	vsftpd	Assignee:	Richard Lescak <rlescak>
Status:	CLOSED MIGRATED	QA Contact:	Ondrej Mejzlik <omejzlik>
Severity:	high	Docs Contact:
Priority:	high
Version:	8.2	CC:	cldavey, jbreitwe, jorton, omejzlik, piqin, rmetrich
Target Milestone:	rc	Keywords:	MigratedToJIRA, Triaged
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-09-21 22:51:28 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description jtougne 2021-03-24 15:30:02 UTC

Description of problem:
I tried to clone Bug #1688848, that did not work:

vsftpd sessions enabled causes continual growth of utmp and high system cpu% 



Cloning justification: See Red Hat support case: https://access.redhat.com/support/cases/#/case/02896756

Hi, We are cloning that BZ because it seems we have similar issue on RHEL8.2, with slightly different symptoms:


-We do have session_support in the vsftpd configuration:
sudo less /etc/vsftpd/vsftpd.conf | grep session
# You may change the default value for timing out an idle session.
...
session_support=YES



-We do have rather massive /run/utmp:
sudo du -sh /run/utmp 
292M	/run/utmp



-We do have impact on CPU, quoting from our Red Hat support case:
The root cause for the CPU consumption for sshd is definitely having a large /run/utmp database on the system.
Checking the strace again, we can see that all the entries except a few are "vsftpd" entries (105683 over 105690)
We have some monitoring screenshot illustrating the cpu impact.



-We did a utmpdump and confirmed the above, it's vsftpd the culprit:

utmpdump /run/utmp 
[8] [92690] [    ] [        ] [vsftpd:92690] [                    ] [0.0.0.0        ] [1970-01-01T00:00:00,000000+00:00]
[8] [92725] [    ] [        ] [vsftpd:92725] [                    ] [0.0.0.0        ] [1970-01-01T00:00:00,000000+00:00]
[8] [92788] [    ] [        ] [vsftpd:92788] [                    ] [0.0.0.0        ] [1970-01-01T00:00:00,000000+00:00]
[8] [92796] [    ] [        ] [vsftpd:92796] [                    ] [0.0.0.0        ] [1970-01-01T00:00:00,000000+00:00]
[8] [92812] [    ] [        ] [vsftpd:92812] [                    ] [0.0.0.0        ] [1970-01-01T00:00:00,000000+00:00]
[8] [92844] [    ] [        ] [vsftpd:92844] [                    ] [0.0.0.0        ] [1970-01-01T00:00:00,000000+00:00]
... (thousands and thousands of similar lines; see the incorrect timestamp also)


-At the time of the issue, "who" command is barely responding (due to the size of /run/utmp)

- We do not have the same "gone - no logout" with the last command:
From the server (RHEL8):
last -f /var/run/utmp
user1 vsftpd:33661 10.3.20.96       Wed Mar 24 14:41   still logged in
user2 vsftpd:33651 10.3.20.93       Wed Mar 24 14:40   still logged in
user2 vsftpd:33632 10.3.20.94       Wed Mar 24 14:38   still logged in
user3 vsftpd:33632 10.3.20.94       Wed Mar 24 14:38   still logged in
user2 vsftpd:33558 10.3.20.93       Wed Mar 24 14:28   still logged in
user3 vsftpd:33430 47.x.y.z     Wed Mar 24 14:11   still logged in
user1 vsftpd:33632 10.3.20.93       Wed Mar 24 14:38   still logged in
user4 vsftpd:33634 10.3.221.20      Wed Mar 24 14:39   still logged in
adminuser   pts/0        178.x.y.z   Wed Mar 24 14:41   still logged in
reboot   system boot  4.18.0-193.41.1. Tue Mar  2 19:16   still running

utmp begins Tue Mar  2 19:16:24 2021
[qa/DMZ] adminuser@hostname:~$ date
Wed 24 Mar 14:41:46 UTC 2021


We have seen an ERRATA was published, not available for RHEL8:

https://access.redhat.com/errata/RHBA-2020:1010


Version-Release number of selected component (if applicable):

vsftpd.x86_64                                                   3.0.3-31.el8



How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
/run/utmp is very big and impact cpu

Expected results:
/run/utmp should not be soo big and/or impacting performances

Additional info:

Customer had to restart the server, so that /run/utmp gets to a reasonnable size, then it seems to progressively grow up and consumme more cpu.

Comment 2 Renaud Métrich 2021-03-25 09:13:48 UTC

See also #BZ 1688852 but this seems to be another scenario (here we don't have "gone - no logout")

Comment 10 aegorenk 2021-11-04 10:44:43 UTC

*** Bug 1942596 has been marked as a duplicate of this bug. ***

Comment 14 RHEL Program Management 2023-09-21 22:47:41 UTC

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 15 RHEL Program Management 2023-09-21 22:51:28 UTC

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.