Bug 842564

Summary: High CPU and slow response on Red Hat using Kerberos
Product: Red Hat Enterprise Linux 6 Reporter: Jamie Morrison <jamie>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.3CC: dpal, jplans, ksrot
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-09 16:07:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jamie Morrison 2012-07-24 08:48:50 UTC 
Description of problem: When using Kerberos authentication, slow performance and high CPU utilisation may be seen when performing Kerberos operations, such as creating a keytab using the net process or authenticating an NFSv4 mount using rpc.svcgssd. 


Version-Release number of selected component (if applicable):

pam_krb5-2.3.11-9.el6.x86_64
krb5-libs-1.9-33.el6.x86_64
krb5-workstation-1.9-33.el6.x86_64
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
libselinux-2.0.94-5.3.el6.x86_64


How reproducible:

Install and configure kerberos and run the following commands:

 - net ads join
 - net ads keytab create
 - net ads keytab add

or try to authenticate an NFSv4/Kerberos export.

Occurs when /etc/sysconfig/selinux SELINUX= set to enforcing or permissive, but not disabled.


Actual results:

# time net ads keytab add nfs -U username
real    1m50.321s
user    1m29.677s
sys     0m8.704s

Expected results:

# time net ads keytab add nfs -U username
real    0m4.402s
user    0m0.020s
sys     0m0.012s


Additional info:

Seen in top:

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2176 root      20   0  183m 5872 4612 R 99.9  0.1   2:20.60 net

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3392 root      20   0  533m 498m 1540 R 99.7  6.4   0:08.55 rpc.svcgssd

This also causes extremely slow boot or non-bootable system.

strace reveals a lot od SELinux traffic.
Comment 2 Karel Srot 2012-08-09 12:12:08 UTC 
I am curious whether this is related to bug 845125. 

Jamie,
are you able to retest it with SELinux disabled?
Comment 3 Jamie Morrison 2012-08-09 12:22:48 UTC 
Looks similar. Could be libkrb5 and its selinux integration.

SELINUX=disabled resolves the issue.

SELINUX=enforcing or even SELINUX=permissive and the issue still exists.
Comment 4 Karel Srot 2012-08-09 16:07:31 UTC 
Thank you. Closing this one as a duplicate.

*** This bug has been marked as a duplicate of bug 845125 ***