Bug 141048 - ntpd dies with "out of memory" due to misconfiguration
Product: Fedora
Classification: Fedora
Component: ntp
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Petr Raszyk
Reported: 2004-11-28 14:46 EST by Thomas Zehetbauer
Modified: 2007-11-30 17:10 EST
Fixed In Version: ntp-4.2.0.a.20050816 Release 10
Doc Type: Bug Fix
Last Closed: 2005-11-10 05:02:10 EST
Attachments:
modified ntpd.init file to allow configuration of max locked memory (3.08 KB, text/plain)
2005-09-01 13:23 EDT, Neil Horman
ntp-4.2.0.a.20050816-10.src.rpm (2.40 MB, application/x-rpm)
2005-11-10 05:00 EST, Petr Raszyk
Description Thomas Zehetbauer 2004-11-28 14:46:58 EST
ntpd dies with "out of memory" or "Exiting: No more memory!" because
of a combination of the following issues:

The default restrict line allows everyone to set up a bi-directional
association causing peer memory to be allocated. I recommend this line
to be changed to include "nopeer" keyword.

Additional memory for per-client statistics can be saved by using the
"disable monitor" directive, so I recommend to use this as well.

The noquery option does however prevent clients from tracing their
synchronization back to its source. This is bad practice and I
recommend to remove it.

RLIMIT_MEMLOCK defaults to only 32kB, this is far too low for ntpd
trying to lock itself into memory. I suggest this limit to be raised
in /etc/init.d/ntpd or to be configurable via /etc/sysconfig/ntpd.
Comment 1 udo 2004-11-29 12:11:57 EST
tweaking of /etc/security/limits.conf should be the fix?
Comment 2 Thomas Zehetbauer 2004-11-29 13:09:41 EST
This cannot work, the /etc/security/limits.conf file is processed by
/lib/security/pam_limits.so which is only called by pam enabled
applications and only if it is enabled in /etc/pam.d/system-auth. But
like most daemons ntpd does not use pam but direct calls to setuid()
and setgid().
Comment 3 Brian Fahrlander 2005-01-11 11:40:22 EST
I've managed to make it reliably run for 8H, so I'm telling cron to
bounce it every 8H.  At least I can use it, kinda...
Comment 4 Glen Eustace 2005-01-12 16:39:02 EST
I upgraded from FC1 to FC3 yesterday on our two time servers and am
now getting this error. I have tried reducing the number of servers 
we query but the only thing so far that has enabled me to get the 
daemon to stay running was to add 'disable monitor' to the config. 
Comment 5 Glen Eustace 2005-01-12 17:32:06 EST
Having managed to get the ntpd process to stay running, it now will 
not accept synchronisation from any of the configured servers.  It 
used to only take a couple of minutes. 
ntpq> lpeer
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
                 .RSTR.          16 u    -   64    0    0.000    0.000 4000.00
 timekeeper.isi. .RSTR.          16 u    -  128    0    0.000    0.000 4000.00
 tick.usno.navy. .RSTR.          16 u    -  256    0    0.000    0.000 4000.00
 ntp1.usno.navy. .RSTR.          16 u    -  512    0    0.000    0.000 4000.00
 mu-relay2.masse .INIT.          16 u    - 1024    0    0.000    0.000 4000.00
*LOCAL(0)        LOCAL(0)        10 l   51   64  377    0.000    0.000   0.001
Comment 6 Glen Eustace 2005-01-12 19:58:08 EST
I got caught out. The meaning of restrict notrust has changed between 
4.1 and 4.2. Removing the notrust from the restrict config line has 
restored the service. 
I have still had to reduce the number of servers we were attempting 
to sync with in order to not exceed the mem_lock limit. 
Comment 7 Neil Horman 2005-09-01 13:23:40 EDT
Created attachment 118356
modified ntpd.init file to allow configuration of max locked memory

This is a new version of the ntpd.init script from the ntp source rpm.  It allows
you to set the locked memory limits for ntpd by setting the NTPD_MEMLOCK
variable in /etc/sysconfig/ntpd.
Comment 8 Enrico Scholz 2005-09-07 03:12:53 EDT
I have already

| ulimit -HS -l 1024

in my /etc/sysconfig/ntpd but the daemon still dies every 1-2 days with

| 7 Sep 09:07:25 ntpd[8298]: receive: fatal error 608 for
| 7 Sep 09:08:10 ntpd[8298]: make_keys error:0306A041:bignum routines:BN_CTX_new:malloc failure
| 7 Sep 09:08:12 ntpd[8298]: Exiting: No more memory!
Comment 9 Enrico Scholz 2005-09-21 02:59:18 EDT
'ulimit' in the initscript will not help as the rlimit will be set by 'ntpd'
itself. Please upgrade to the recent version as it seems to be fixed there:

  1.1196 05/08/15 04:01:26 stenn@whimsy.udel.edu +1 -0
  [Bug 477] Linux needs larger RLIM_MEMLOCK, from Cristoph Gysin

    1.55 05/08/15 04:01:12 stenn@whimsy.udel.edu +12 -0
    [Bug 477] Linux needs larger RLIM_MEMLOCK, from Cristoph Gysin
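
The point made in comment 9, that the limit has to be raised by the daemon itself before it locks its memory, shown as an added example; it is not code from this thread or from the upstream ntp change. The helper name ensure_memlock_limit and the 32 MiB value are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Hypothetical helper: make the soft RLIMIT_MEMLOCK at least `want` bytes.
 * Stores the soft limit now in effect in *effective; returns 0 or -1. */
int ensure_memlock_limit(rlim_t want, rlim_t *effective)
{
    struct rlimit old, rl;

    if (getrlimit(RLIMIT_MEMLOCK, &old) != 0)
        return -1;
    *effective = old.rlim_cur;
    if (old.rlim_cur == RLIM_INFINITY || old.rlim_cur >= want)
        return 0;                          /* already large enough */

    rl = old;
    rl.rlim_cur = want;
    if (old.rlim_max != RLIM_INFINITY && old.rlim_max < want)
        rl.rlim_max = want;                /* needs CAP_SYS_RESOURCE */
    if (setrlimit(RLIMIT_MEMLOCK, &rl) != 0) {
        if (errno != EPERM)
            return -1;
        rl = old;                          /* unprivileged: stop at hard limit */
        rl.rlim_cur = old.rlim_max;
        if (setrlimit(RLIMIT_MEMLOCK, &rl) != 0)
            return -1;
    }
    *effective = rl.rlim_cur;
    return 0;
}

int main(void)
{
    rlim_t eff;
    /* 32 MiB is a constructed value for this example, not taken from the page. */
    if (ensure_memlock_limit((rlim_t)32 * 1024 * 1024, &eff) != 0) {
        perror("RLIMIT_MEMLOCK");
        return 1;
    }
    printf("soft RLIMIT_MEMLOCK: %llu bytes\n", (unsigned long long)eff);
    /* Lock only after the limit is in place: under MCL_FUTURE a later
     * allocation can fail with ENOMEM if the limit is too low. */
    if (mlockall(MCL_CURRENT | MCL_FUTURE) != 0)
        fprintf(stderr, "mlockall: %s\n", strerror(errno));
    return 0;
}
```

On kernels that provide /proc/<pid>/limits, the "Max locked memory" row shows the limit the running daemon actually has, whatever the init script or limits.conf requested.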
Comment 10 Petr Raszyk 2005-11-10 05:00:46 EST
Created attachment 120875

Fixed in ntp-4.2.0.a.20050816-10.src.rpm above.