Bug 435329 - [RHEL5.2] audit tests cause oom-kills
[RHEL5.2] audit tests cause oom-kills
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit (Show other bugs)
5.2
All Linux
high Severity high
: rc
: ---
Assigned To: Steve Grubb
Brian Brock
: Regression, TestBlocker
: 436810 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-28 13:55 EST by Don Zickus
Modified: 2008-05-21 10:32 EDT (History)
3 users (show)

See Also:
Fixed In Version: RHEA-2008-0358
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 10:32:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Don Zickus 2008-02-28 13:55:39 EST
Description of problem:
running the standard audit tests against the beta kernels, we noticed oom-kills
that were not present in U1.

Running the tests manually, we can see audispd eats 100% of the cpu and 90% of
memory within seconds of kicking off the tests.

Sample console output.
http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=2046108
http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=2046150
http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=2046183

Version-Release number of selected component (if applicable):
RHEL5.2-Server-20080225.2 distro
kernel-2.6.18-83.el5
/kernel/security/audit/audit-test-2088 - audit tests

How reproducible:
very

Steps to Reproduce:
1.grab a RHEL-5 box with U2 installed and run the above audit testsuite
2.run top to notice the adverse cpu/memory conditions
3.check dmesg for the oom-kills after about 10 minutes
  
Actual results:
oom-kills (about 4)

Expected results:
no oom-kills

Additional info:
On the same machine with a U1 distro and the same kernel, we did _not_ see
oom-kills.  Upgrading to a U2 distro causes oom-kills
Comment 1 Steve Grubb 2008-03-03 15:59:22 EST
OK, I think I found the memory leak. I think you hit this when the internal
queue for audispd is max'ed out. From then on you potentially leak memory.
Comment 7 Steve Grubb 2008-03-04 17:54:45 EST
audit-1.6.5-3 was built to resolve this bug.
Comment 9 Eduard Benes 2008-03-05 10:35:59 EST
Observed the oom-kills also in the failed results for these two audit test-
suites:
  /kernel/security/audit/audit-test-1195
  /kernel/security/audit/audit-test-1212

RHTS job:
  http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=16883
Comment 11 Steve Grubb 2008-03-14 11:01:32 EDT
ok, I found the culprit. Audispd was not detecting end of file when auditd
exited, closing the comm pipe, and it was still reading stdin. Each read
allocates memory. audit-1.6.5-4.el5 was built to re-address this problem.
Comment 12 Steve Grubb 2008-03-14 11:03:38 EDT
*** Bug 436810 has been marked as a duplicate of this bug. ***
Comment 13 Jeff Burke 2008-03-14 17:33:44 EDT
Tested with RHEL5.2-Server-20080306.0 + audit-1.6.5-4.el5 and the
audit-test-2088 syscalls test did not report any OOM-Kills.
Comment 16 errata-xmlrpc 2008-05-21 10:32:50 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2008-0358.html

Note You need to log in before you can comment on or make changes to this bug.