Bug 235680
| Field | Value |
|---|---|
| Summary | LSPP: racoon is unable to open files after running for 17 hours. |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Joy Latten <latten> |
| Component | ipsec-tools |
| Assignee | Steve Conklin <sconklin> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | David Lawrence <dkl> |
| Severity | medium |
| Priority | medium |
| Version | 5.0 |
| CC | eparis, iboverma, joe, krisw, linda.knippers, paul.moore, sgrubb |
| Hardware | powerpc |
| OS | Linux |
| Fixed In Version | RHSA-2007-0342 |
| Doc Type | Bug Fix |
| Last Closed | 2007-06-27 14:16:36 UTC |
| Bug Blocks | 224041 |
Description
Joy Latten
2007-04-09 15:43:46 UTC
Joy Latten is actively looking at this bug. A labeled ipsec stress test has been running for over 20 hours so far and I do not see this problem occurring. Will continue to let it run for another 24 hours. I have been checking the amount of opened file/socket descriptors by ls -l /proc/[racoon's pid]/fd and "lsof | grep racoon". On my machine that racoon initiated the negotiation, after 20 hours ls -l in /proc/pid/fd has 129 open socket descriptors. On my machine that was the responder, after 20 hours, ls -l in /proc/pid/fd has 209 open socket descriptors. A netstat -ae accounts for 5 of these sockets. Where in the world are the rest of them coming from?? I also added debug messages for each time racoon opens a socket. I have debug messages to account for the above 5 and 3 more for getting interfaces out of the kernel, etc. in grabmyaddrs.c. So again, where are all these other open socket descriptors from? Will query the ipsec-tools mailing list for help.

I ran a set of stress tests between 2 machines for over 48 hours and I did not see the above problem. However, after stopping netperf after the 48 hours, I did ls -l on the responder's /proc/pid/fd and there were 461 open socket descriptors. Again, only a handful could be accounted for. On the initiating machine, ls -l in /proc/pid/fd listed 129 open socket descriptors. Again, only a handful accounted for. Where are all these descriptors coming from? Just can't help wondering where they are coming from. I noticed clusters of the sockets have the same date and time. Like 36 of them have the same time.

I am currently running stress tests between 2 machines, this time stressing labeled ipsec over both loopback and point-to-point. So far it has been running almost 24 hours with no sign of the problem in this bug report. I did notice that there were a bunch of open sockets before leaving yesterday. When I looked this morning, they had all been cleaned up and I only saw about 10 open sockets on each machine.

Right now I see about 500 on one machine (the one with loopback and eth0 being stressed) and only about 10 on the other (only eth0 being stressed).

Created attachment 152625 [details]
patch addressing socket leak

Based on findings reported by Joe Nall on bz 235475, I created this patch. It calls init_avc during daemon init rather than on each SA negotiation.

Created attachment 152626 [details]
updated patch

This patch is a little less harsh to non-SELinux systems.

Created attachment 152627 [details]
updated patch

avc_init check was backwards. Should be correct now.

Built ipsec-tools-0.6.5-6.5 with the above patch. It could use a re-test to make sure the problem is indeed fixed. Thanks.

Ran all night with no increase in the number of file descriptors. Looks good. Thanks.

Removing LSPP tracker.

Also built a new ipsec-tools-0.6.5-6.6 which adds audit system callbacks so that racoon can correctly act as a user space object manager.
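The check the reporter did by hand (counting socket entries in /proc/<pid>/fd and comparing against what netstat accounts for), as an added shell example that is not part of this bug report or of ipsec-tools. It assumes a Linux /proc; the directory and table paths are parameters so the counting functions can also be run against a constructed fd directory. It additionally classifies sockets as netlink by looking their inodes up in /proc/net/netlink, since libselinux talks to the AVC over a netlink socket and netstat's inet/unix listings do not show those.

```shell
#!/bin/sh
# Added example (not from the bug report): fd-leak checks for a racoon pid.

# count_socket_fds DIR -> number of entries in DIR whose link target has the
# "socket:[inode]" form used by /proc/<pid>/fd.
count_socket_fds() {
    dir=$1; n=0
    for fd in "$dir"/*; do
        [ -L "$fd" ] || continue
        case $(readlink "$fd") in
            socket:\[*\]) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# netlink_socket_fds DIR [TABLE] -> how many of those sockets are netlink
# sockets, i.e. their inode appears in TABLE (default /proc/net/netlink).
# netstat's inet and unix listings do not include netlink sockets (such as
# the AVC socket libselinux opens), so this is where "unaccounted" fds hide.
netlink_socket_fds() {
    dir=$1; table=${2:-/proc/net/netlink}; n=0
    for fd in "$dir"/*; do
        [ -L "$fd" ] || continue
        ino=$(readlink "$fd" | sed -n 's/^socket:\[\([0-9]*\)\]$/\1/p')
        [ -n "$ino" ] || continue
        # Inode is the last column of /proc/net/netlink; NR > 1 skips the header.
        if awk -v ino="$ino" 'NR > 1 && $NF == ino { f = 1 } END { exit !f }' "$table"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# fd_growth BEFORE AFTER -> "leak" if the count rose, otherwise "stable".
fd_growth() {
    if [ "$2" -gt "$1" ]; then echo leak; else echo stable; fi
}

# watch_racoon PID INTERVAL SAMPLES -> sample /proc/PID/fd and report growth,
# e.g. watch_racoon "$(pidof racoon)" 600 6 for an hour of samples.
watch_racoon() {
    pid=$1; interval=${2:-60}; samples=${3:-5}
    prev=$(count_socket_fds "/proc/$pid/fd"); i=1
    while [ "$i" -lt "$samples" ]; do
        sleep "$interval"
        cur=$(count_socket_fds "/proc/$pid/fd")
        echo "sample $i: $cur socket fds, $(netlink_socket_fds "/proc/$pid/fd") netlink ($(fd_growth "$prev" "$cur"))"
        prev=$cur; i=$((i + 1))
    done
}
```

A count that keeps climbing between samples while netstat's accounting stays flat is the pattern described above; the netlink column tells you whether the excess is AVC-style sockets rather than IKE or PF_KEY ones.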