771286 – Lastlog file size increases when UIDs are large.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 771286 - Lastlog file size increases when UIDs are large.

Summary: Lastlog file size increases when UIDs are large.

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	shadow-utils
Sub Component:
Version:	6.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	782183 827429
TreeView+	depends on / blocked

Reported:	2012-01-03 06:01 UTC by Erinn Looney-Triggs
Modified:	2019-07-11 07:34 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Clones:	951564 (view as bug list)
Environment:
Last Closed:	2014-03-18 14:24:00 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1385287	0	unspecified	CLOSED	/var/log/lastlog appears to be huge on ipa client	2021-02-22 00:41:40 UTC

Internal Links: 1385287

Description Erinn Looney-Triggs 2012-01-03 06:01:01 UTC

Description of problem:
I will point you to this e-mail for the details of the issue. But the short of it is large UID = large lastlog file (sparse file but still), this creates problems for backups programs and integrity checkers (though of course they should handle sparse files). 

https://www.redhat.com/archives/freeipa-users/2012-January/msg00010.html

This is also occuring in Fedora. 

Simo knows more of the technical details than I by a long shot. 

Thanks,
-Erinn

Comment 2 Peter Vrabec 2012-01-03 15:08:12 UTC

Simo, can you provide more details. What's wrong with shadow-utils? Who write these large UID records into lastlog?

Comment 3 Simo Sorce 2012-01-03 15:18:13 UTC

FreeIPA allocates a random uid range for its use between 200k and 2G.

In my case I have a user with uid 1280000008, if I log in with that user the lastlog file size jumps to almost 400G. The actual file is sparse so it doesn't use all that space.

But normal applications that do not understand sparse will read 400G on copy/backup/etc ...

It seem to me that someone believes that UIDs are still limited to 65k or something and decided to treat the lastlog file as a memory table where the uid number is the index.
When a very high UID logs in a very big index is created so a seek into the file is done to a very high location and then some small value is written there.

This logic is fine when you have only low UIDs in the system, but with very high UIDs it is just a problem as most programs do not really understand sparse files.

I wonder if the lastlog parsing needs to be so fast and can't be changed to be just a list and use a traverse function to write to it.

HTH,
Simo.

Comment 4 Tomas Mraz 2012-01-03 15:40:32 UTC

"someone believes" - lastlog file format as a sparse file was defined at the time when 65k UID numbers were the norm. If we want to redefine the file format we will have to rewrite all the applications that handle it.

Comment 5 Tomas Mraz 2012-01-03 15:47:50 UTC

Additional points for consideration:
The fixed record size format with random access have the nice property that the writes to the individual records do not mess up the other records. This avoids the need to perform the copy+rewrite+rename when updated records are written. An alternative is to do append-only format - such as wtmp - however this requires to read of the whole file to determine the last records for each user and it would probably also require rotation of the file so it would not grow out of bounds.

Third alternative would be to use regular database file however I do not think that many upstreams of utilities such as login, gdm, sshd would be too fond of this dependency.

Comment 6 Simo Sorce 2012-01-03 16:06:15 UTC

(In reply to comment #4)
> "someone believes" - lastlog file format as a sparse file was defined at the
> time when 65k UID numbers were the norm.

Yeah I realize that, but reality has changed now :-)

> If we want to redefine the file format
> we will have to rewrite all the applications that handle it.

I guess you can also close WONTFIX if you think a sparse file is not an issue.
I can turn this bug into a FreeIPA doc bug if you think the effort is not worth it.

It's really too bad applications directly access lastlog instead of going through a helper library that would have abstracted access away so that apps didn't need to know the format.

Comment 7 Peter Vrabec 2012-01-06 15:00:57 UTC

I suppose it is worth fixing this issue. 

First, we had a problem when nfsnobody UID was added to lastlog db. We used a "workaround" to get thru it. Unfortunately we can't use the same trick with IPA users. The problem is back.

Someone could claim that lastlog is a valid sparse file and other tools should start handling it properly. Unfortunately I'm afraid it won't work in all cases. People who use tools will not expect there is >400GB sparse file on the system. :)

Just a quick search in bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=156809
https://bugzilla.redhat.com/show_bug.cgi?id=213450
https://bugzilla.redhat.com/show_bug.cgi?id=192560
https://bugzilla.redhat.com/show_bug.cgi?id=138676
https://bugzilla.redhat.com/show_bug.cgi?id=769601

and there are even more.


This issue is not doable in RHEL-6.3 time frame. I see it more like Fedora Feature first and than we can backport it into RHEL. It's also not task for few days or weeks because it requires changes in other packages too.

Comment 10 RHEL Program Management 2012-07-10 06:22:47 UTC

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 11 Erinn Looney-Triggs 2012-07-10 17:44:08 UTC

This also effect abrt, causing it to crash, which is of course ironic,  abrt fails to egrep lastlog and tallylog multiple times because of their size. I am going to open a bug with the abrt folks, but this is something you should be aware of.

-Erinn

Comment 12 RHEL Program Management 2012-07-11 01:57:58 UTC

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 15 RHEL Program Management 2012-09-07 05:16:35 UTC

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 16 Tomas Mraz 2013-04-12 13:30:49 UTC

I am afraid we cannot change the lastlog format in RHEL-6. That would be too disruptive and it would require changes in multiple packages such as util-linux, coreutils (probably), pam, shadow-utils and maybe even many more.

Comment 18 RHEL Program Management 2013-10-14 00:51:53 UTC

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 20 Tomas Mraz 2014-03-18 14:24:00 UTC

This is impossible to fix in released RHEL.

Comment 21 Erinn Looney-Triggs 2014-03-18 14:25:52 UTC

Ok is this fixed in RHEL 7? Or Fedora? Should the bug be moved over there?

-Erinn

Comment 22 Tomas Mraz 2014-03-18 14:49:59 UTC

Unfortunately this is not fixed in RHEL7 either.

The Fedora rawhide bug is bug 951564

Note You need to log in before you can comment on or make changes to this bug.