Bug 842564 - High CPU and slow response on Red Hat using Kerberos
High CPU and slow response on Red Hat using Kerberos
Status: CLOSED DUPLICATE of bug 845125
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: krb5 (Show other bugs)
6.3
x86_64 Linux
unspecified Severity medium
: rc
: ---
Assigned To: Nalin Dahyabhai
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-24 04:48 EDT by Jamie Morrison
Modified: 2012-08-09 12:07 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-09 12:07:31 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jamie Morrison 2012-07-24 04:48:50 EDT
Description of problem: When using Kerberos authentication, slow performance and high CPU utilisation may be seen when performing Kerberos operations, such as creating a keytab using the net process or authenticating an NFSv4 mount using rpc.svcgssd. 


Version-Release number of selected component (if applicable):

pam_krb5-2.3.11-9.el6.x86_64
krb5-libs-1.9-33.el6.x86_64
krb5-workstation-1.9-33.el6.x86_64
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
libselinux-2.0.94-5.3.el6.x86_64


How reproducible:

Install and configure kerberos and run the following commands:

 - net ads join
 - net ads keytab create
 - net ads keytab add

or try to authenticate an NFSv4/Kerberos export.

Occurs when /etc/sysconfig/selinux SELINUX= set to enforcing or permissive, but not disabled.


Actual results:

# time net ads keytab add nfs -U username
real    1m50.321s
user    1m29.677s
sys     0m8.704s

Expected results:

# time net ads keytab add nfs -U username
real    0m4.402s
user    0m0.020s
sys     0m0.012s


Additional info:

Seen in top:

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2176 root      20   0  183m 5872 4612 R 99.9  0.1   2:20.60 net

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3392 root      20   0  533m 498m 1540 R 99.7  6.4   0:08.55 rpc.svcgssd

This also causes extremely slow boot or non-bootable system.

strace reveals a lot od SELinux traffic.
Comment 2 Karel Srot 2012-08-09 08:12:08 EDT
I am curious whether this is related to bug 845125. 

Jamie,
are you able to retest it with SELinux disabled?
Comment 3 Jamie Morrison 2012-08-09 08:22:48 EDT
Looks similar. Could be libkrb5 and its selinux integration.

SELINUX=disabled resolves the issue.

SELINUX=enforcing or even SELINUX=permissive and the issue still exists.
Comment 4 Karel Srot 2012-08-09 12:07:31 EDT
Thank you. Closing this one as a duplicate.

*** This bug has been marked as a duplicate of bug 845125 ***

Note You need to log in before you can comment on or make changes to this bug.