Description of problem:

Using mod_auth_kerb (or mod_auth_pam) to authenticate users with kerberos creates some problem in httpd. The kerberos libraries use "nss" for SSL. The nss SSL libraries call "netstat -ni" to initialize their entropy, and usually do not collect its exit status properly. I believe that this is a bug in the safe_pclose() function in mozilla/security/nss/lib/freebl/unix_rand.c in nss, but I've only observed the problem in apache so far.

Using strace, I see this: The httpd process executes "netstat -ni", which runs as normal and calls exit_group(0). httpd does not get SIGCHLD immediately, but does get EOF on the output of netstat. It then enters a loop, alternately trying to kill the netstat process and reap its status with waitpid. Most of the time, it will not get SIGCHLD until later, usually when it calls select() on an unrelated operation. Apparently apache has no handler for SIGCHLD, and the netstat process remains in a defunct state.

Version-Release number of selected component (if applicable):

httpd-2.2.3-7.el5
krb5-libs-1.5-29
nss-3.11.5-3

How reproducible:

Most of the time. When apache is configured for kerberos authentication, most requests will leave behind one or more defunct netstat processes.
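Added example, not part of the original report and not NSS code: a minimal C sketch of reaping a helper process after its output reaches EOF, using a blocking waitpid() on the specific PID instead of a kill/poll loop. The function name `run_and_reap` and the commands passed to it are hypothetical.

```c
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not NSS code): run `cmd` via /bin/sh, drain its
 * stdout, then reap it. Returns the exit status (0-255), 128+signo if the
 * child died from a signal, or -1 on error. *nread gets the bytes read. */
int run_and_reap(const char *cmd, long *nread)
{
    int fds[2], status;
    char buf[4096];
    ssize_t n;
    pid_t pid, r;

    *nread = 0;
    if (pipe(fds) < 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                      /* child: stdout -> pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                      /* exec failed */
    }
    close(fds[1]);                       /* parent keeps only the read end */
    while ((n = read(fds[0], buf, sizeof buf)) != 0) {
        if (n < 0) {
            if (errno == EINTR) continue;
            break;
        }
        *nread += n;
    }
    close(fds[0]);
    /* EOF only means the child closed stdout; it may not be a zombie yet.
     * Block until it is, retrying if a signal interrupts the wait. */
    do {
        r = waitpid(pid, &status, 0);
    } while (r < 0 && errno == EINTR);
    if (r != pid)
        return -1;                       /* e.g. ECHILD if SIGCHLD is ignored */
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return WIFSIGNALED(status) ? 128 + WTERMSIG(status) : -1;
}
```

A blocking waitpid() on the child's PID does not depend on the host process installing a SIGCHLD handler, so the child is reaped before the function returns.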
Hello Gordon, thanks a lot for your report, and sorry for the late reply. Hopefully you have already noticed the bug went away. It should have been fixed since package version nss-3.11.7-1.1. NSS in RHEL 5 should no longer execute netstat at all.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Hello Gordon, would you please be able to give feedback whether this is fixed for you?
Yes, it appears to be fixed.
Thanks a lot Gordon! Resolving as WORKSFORME.