Red Hat Bugzilla – Bug 340141
defunct netstat processes under httpd (with kerberos auth)
Last modified: 2008-07-08 07:57:50 EDT
Description of problem:
Using mod_auth_kerb (or mod_auth_pam) to authenticate users with kerberos
creates some problem in httpd. The kerberos libraries use "nss" for SSL. The
nss SSL libraries call "netstat -ni" to initialize their entropy, and usually do
not collect its exit status properly. I believe that this is a bug in the
safe_pclose() function in mozilla/security/nss/lib/freebl/unix_rand.c in nss,
but I've only observed the problem in apache so far.
Using strace, I see this:
The httpd process executes "netstat -ni", which runs as normal and calls
exit_group(0). httpd does not get SIGCHLD immediately, but does get EOF on the
output of netstat. It then enters a loop, alternately trying to kill the
netstat process and reap its status with waitpid. Most of the time, it will not
get SIGCHLD until later, usually when it calls select() on an unrelated
operation. Apparently apache has no handler for SIGCHLD, and the netstat
process remains in a defunct state.
Version-Release number of selected component (if applicable):
Most of the time. When apache is configured for kerberos authentication, most
requests will leave behind one or more defunct netstat processes.
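The situation described above (EOF on the helper's pipe arrives before the child can be reaped), shown as an added example that is not code from NSS, httpd or this bug report: after draining the pipe, a blocking waitpid() on the specific pid, retried on EINTR, collects the status without depending on when SIGCHLD is delivered. The function names run_and_reap and no_children_left are hypothetical, and the example assumes the caller has not set SIGCHLD to SIG_IGN.

```c
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run argv[0] with stdout on a pipe, drain the output,
 * then reap the child. Returns the child's exit code, or -1 on error or
 * abnormal termination. *nread receives the number of bytes consumed. */
int run_and_reap(char *const argv[], size_t *nread)
{
    int fds[2];
    *nread = 0;
    if (pipe(fds) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                          /* child */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(127);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                          /* exec failed */
    }

    close(fds[1]);                           /* parent keeps only the read end */
    char buf[4096];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) != 0) {
        if (n < 0) { if (errno == EINTR) continue; break; }
        *nread += (size_t)n;
    }
    close(fds[0]);

    /* EOF only means the child closed its end of the pipe; it may not have
     * finished exiting. Block on this pid and retry if a signal interrupts. */
    int status;
    pid_t r;
    while ((r = waitpid(pid, &status, 0)) < 0 && errno == EINTR) { }
    if (r != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical check: 1 if the caller has no children left, zombies included. */
int no_children_left(void)
{
    return waitpid(-1, NULL, WNOHANG) == -1 && errno == ECHILD;
}
```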
Hello Gordon, thanks a lot for your report, and sorry for the late reply.
Hopefully you have already noticed the bug went away.
It should have been fixed since package version nss-3.11.7-1.1
NSS in RHEL 5 should no longer execute netstat at all.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
Hello Gordon, would you please be able to give feedback whether this is fixed
Yes, it appears to be fixed.
Thanks a lot Gordon!
Resolving as WORKSFORME.