Bug 340141 - defunct netstat processes under httpd (with kerberos auth)
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss
Version: 5.0
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Kai Engert (:kaie)
Reported: 2007-10-19 13:33 EDT by Gordon Messmer
Modified: 2008-07-08 07:57 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-07-08 07:57:50 EDT
Description Gordon Messmer 2007-10-19 13:33:34 EDT
Description of problem:
Using mod_auth_kerb (or mod_auth_pam) to authenticate users with kerberos
creates some problem in httpd.  The kerberos libraries use "nss" for SSL.  The
nss SSL libraries call "netstat -ni" to initialize their entropy, and usually do
not collect its exit status properly.  I believe that this is a bug in the
safe_pclose() function in mozilla/security/nss/lib/freebl/unix_rand.c in nss,
but I've only observed the problem in apache so far.

Using strace, I see this:

The httpd process executes "netstat -ni", which runs as normal and calls
exit_group(0).  httpd does not get SIGCHLD immediately, but does get EOF on the
output of netstat.  It then enters a loop, alternately trying to kill the
netstat process and reap its status with waitpid.  Most of the time, it will not
get SIGCHLD until later, usually when it calls select() on an unrelated
operation.  Apparently apache has no handler for SIGCHLD, and the netstat
process remains in a defunct state.

Version-Release number of selected component (if applicable):
httpd-2.2.3-7.el5
krb5-libs-1.5-29
nss-3.11.5-3.

How reproducible:
Most of the time.  When apache is configured for kerberos authentication, most
requests will leave behind one or more defunct netstat processes.
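
The window the description reports, where the parent sees EOF on the helper's output before the child can be reaped, modelled in C as an added example. This is not the NSS safe_pclose() code: the helper child, its linger delay and all function names are constructed for illustration. It contrasts a non-blocking poll that gives up with a kill followed by a blocking waitpid() retried on EINTR.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
/* Constructed stand-in for the helper command. Returns the child's pid once
 * the parent has read its output to EOF; the child exits linger_ms later. */
static pid_t run_helper_to_eof(long linger_ms) {
    int p[2]; char buf[256]; ssize_t n;
    if (pipe(p) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        struct timespec ts = { linger_ms / 1000, (linger_ms % 1000) * 1000000L };
        close(p[0]);
        if (write(p[1], "sample output\n", 14) < 0) _exit(1);
        close(p[1]);            /* parent sees EOF here ... */
        nanosleep(&ts, NULL);   /* ... before the child can be reaped */
        _exit(0);
    }
    close(p[1]);
    while ((n = read(p[0], buf, sizeof buf)) > 0 || (n < 0 && errno == EINTR)) {}
    close(p[0]);
    return pid;
}

/* Racy close: poll without blocking and give up after `tries`.
 * Returns 1 if reaped, 0 if the child is left behind to become a zombie. */
static int close_polling(pid_t pid, int tries) {
    while (tries-- > 0)
        if (waitpid(pid, NULL, WNOHANG) == pid) return 1;
    return 0;
}

/* Reliable close: the output is no longer needed, so kill the child and
 * block in waitpid(), retrying on EINTR, until its status is collected. */
static int close_reaping(pid_t pid) {
    pid_t rv;
    if (pid <= 0) return 0;     /* never signal pid 0 or -1 */
    kill(pid, SIGKILL);
    while ((rv = waitpid(pid, NULL, 0)) < 0 && errno == EINTR) {}
    return rv == pid;
}

int main(void) {
    pid_t pid = run_helper_to_eof(500);
    printf("polling close reaped the child: %d\n", close_polling(pid, 3));
    printf("blocking close reaped the child: %d\n", close_reaping(pid));
}
```

A process that uses only the polling variant and installs no SIGCHLD handler keeps the exited child as a defunct entry until the parent itself exits.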
Comment 1 Kai Engert (:kaie) 2008-04-01 15:27:51 EDT
Hello Gordon, thanks a lot for your report, and sorry for the late reply.

Hopefully you have already noticed the bug went away.
It should have been fixed since package version nss-3.11.7-1.1

NSS in RHEL 5 should no longer execute netstat at all.
Comment 2 RHEL Product and Program Management 2008-06-09 18:00:17 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 Kai Engert (:kaie) 2008-06-13 13:35:20 EDT
Hello Gordon, would you please be able to give feedback whether this is fixed
for you?
Comment 4 Gordon Messmer 2008-07-07 02:07:17 EDT
Yes, it appears to be fixed.
Comment 5 Kai Engert (:kaie) 2008-07-08 07:57:50 EDT
Thanks a lot Gordon!

Resolving as WORKSFORME.
