Bug 1947475

Summary: httpd: improve OOM handling w/systemd
Product: Red Hat Enterprise Linux 9 Reporter: Joe Orton <jorton>
Component: httpdAssignee: Luboš Uhliarik <luhliari>
Status: CLOSED CURRENTRELEASE QA Contact: Branislav Náter <bnater>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: bnater, luhliari, praiskup
Target Milestone: betaKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: httpd-2.4.48-10.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-07 21:57:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joe Orton 2021-04-08 14:35:16 UTC 
Description of problem:
At the moment the httpd service is terminated if a single child is killed by the OOM killer.

Version-Release number of selected component (if applicable):
httpd-2.4.46-9.fc33

How reproducible:
always

Steps to Reproduce:
1. trigger excess memory consumption in one child

Actual results:
httpd.service is terminated after the oom-killer kills the child with excess memory consumption

Apr 08 15:14:19 systemd[1]: Started The Apache HTTP Server.
Apr 08 15:15:27 systemd[1]: httpd.service: A process of this unit has been killed by the OOM killer.
Apr 08 15:15:35 systemd[1]: httpd.service: Failed with result 'oom-kill'.

Expected results:
httpd should continue operating even if the child is terminated

Additional info:
Setting OOMPolicy=continue in httpd.service to prevent this seems reasonable.
Comment 1 Pavel Raiskup 2021-04-08 15:19:30 UTC 
Reproducible using mod_oom written by Joe, packaged here:
https://copr.fedorainfracloud.org/coprs/praiskup/mod_oom/
Comment 2 Joe Orton 2021-04-09 07:16:00 UTC 
My hesitation about this is that when the child is killed by SIGKILL it is otherwise not obvious from the httpd logs that the OOM condition took out a process (and terminated a bunch of active threads).  Since the parent will terminate a child via SIGKILL internally, a SIGKILL-killed child is reaped via waitpid() is not logged as an abnormal condition.  It is possible we could tweak that logic but not sure.

The OOM condition is logged in the journal for the unit, so shows up in "systemctl status httpd" as well as in dmesg etc.

Apr 08 15:21:08 systemd[1]: httpd.service: A process of this unit has been killed by the OOM killer.
Apr 08 15:22:53 systemd[1]: httpd.service: A process of this unit has been killed by the OOM killer.

The question is: is it better for httpd to continue processing requests in other children in an OOM situation, or should it terminate?

I think that "continue" is better.  A vulnerability which triggers OOM is mitigated from a complete DoS to a partial one.  The case Pavel found in production was a intermittent OOM (once per week, for example) and again, it is better in that case for httpd to recover.  That OOM has occurred remains obvious from the system logs so should be picked up in monitoring, or, when investigating performance/reliability issues.
Comment 3 Joe Orton 2021-04-09 08:40:57 UTC 
Commit: https://src.fedoraproject.org/rpms/httpd/c/b4800b58926dd52e3e2a244a1c4dc8cba29b8e00
Comment 6 Joe Orton 2021-07-09 11:10:45 UTC 
Fixed in https://gitlab.com/redhat/centos-stream/rpms/httpd/-/commit/f0962294b0d73a905980cdd15dd902d621402dfa