Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1326840

Summary: mod_revocator leaks semaphores
Product: Red Hat Enterprise Linux 7 Reporter: Martin Poole <mpoole>
Component: mod_revocatorAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.2CC: akasurde, knoha, mharmsen, mpoole, rcritten, tlavigne
Target Milestone: rc   
Target Release: 7.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: mod_revocator-1.0.3-21.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1326841 1364560 (view as bug list) Environment:
Last Closed: 2016-11-04 08:34:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1326841, 1364560, 1364561    
Attachments:
Description Flags
console.log none

Description Martin Poole 2016-04-13 13:54:10 UTC 
Description of problem:

mod_revocator leaks a semaphore every time httpd stops
 
Version-Release number of selected component (if applicable):

mod_revocator-1.0.3-19.el7.x86_64

How reproducible:

always

Steps to Reproduce:
1. restart httpd a few times
2.
3.

Actual results:

number of semaphores owned by apache increases

Expected results:

steady state.

Additional info:

The only instance of marking the semaphore for removal is in the shutdown of crlhelper.  If the helper is not enabled, or even if it is there is no assurance that it will reach the end of the main block before being killed by its parent.

The main code contains the comment

    /* The semaphore is removed in the helper program. This is because that
     * program survives Apache reloads so the semaphore will as well.
     */

but again does not take account of shutdowns.
Comment 2 Rob Crittenden 2016-07-15 15:01:55 UTC 
Am I reading this correctly, the module isn't configured?
Comment 3 Martin Poole 2016-07-15 15:23:46 UTC 
The module is in the default configuration.

    CRLEngine off
    CRLAgeCheck off
    CRLUpdateCritical off
    CRLHelper /usr/libexec/crlhelper


Arguably the code should not be creating the semaphore if the CRLEngine is off.
Comment 4 Rob Crittenden 2016-07-15 15:34:00 UTC 
(In reply to Martin Poole from comment #3)
> Arguably the code should not be creating the semaphore if the CRLEngine is
> off.

Agreed.

It seems a simple workaround is to remove the unused module.
Comment 9 Rob Crittenden 2016-08-08 20:16:24 UTC 
To reproduce:

- yum install mod_revocator (this will pull in all deps)
- ipcs -s (confirm there are no apache semaphores)
- service httpd start
- service httpd stop
- ipcs -s

There will be 2 left-over semaphores. Remove them.

For example:

# ipcs -s
------ Semaphore Arrays --------
key        semid      owner      perms      nsems     
0x00000000 17104896   apache     600        1
0x00000000 17235974   apache     600        1
# ipcrm -s 17104896
# ipcrm -s 17235974
# ipcs -s (confirm there are none)

Install updated mod_nss and mod_revocator packages

- service httpd start
- service httpd stop
- ipcs -s

There should be no semaphores

This is a baseline. You should also enable CRLEngine and configure a CRL and do additional testing to ensure that things are properly cleaned up a shutdown.

Similarly some basic mod_nss testing using some SSL urls would be appropriate as well, particularly with a pin-protected NSS database. This change for mod_nss affects the pin storage helper.
Comment 11 Rob Crittenden 2016-08-09 21:49:34 UTC 
Updated patch to fix segfault issue when shutting down.
Comment 12 Abhijeet Kasurde 2016-09-21 11:46:09 UTC 
Verified using mod_revocator version:
mod_revocator-1.0.3-21.el7

Please find the attachment as verification steps. Marking BZ as verified.
Comment 13 Abhijeet Kasurde 2016-09-21 11:48:07 UTC 
Created attachment 1203239 [details]
console.log
Comment 15 errata-xmlrpc 2016-11-04 08:34:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2562.html