[Bug 1771805] Re: AD keytab renewal task leaks a file descriptor
Łukasz Zemczak
1771805 at bugs.launchpad.net
Thu May 24 14:14:33 UTC 2018
Hello Victor, or anyone else affected,
Accepted sssd into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.11 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: sssd (Ubuntu Xenial)
Status: In Progress => Fix Committed
** Tags added: verification-needed verification-needed-xenial
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1771805
Title:
AD keytab renewal task leaks a file descriptor
Status in sssd package in Ubuntu:
Fix Released
Status in sssd source package in Xenial:
Fix Committed
Bug description:
[Impact]
When SSSD tries to renew the machine password, a write_to_child_fd is
open but never closed, leaking a descriptor per request until it hits
the limit and SSSD stops.
[Test Case]
1. With an AD deployed, and having the machine registered, include the
following option in sssd.conf:
# This option should only be used to test the machine account renewal task. The option expect 2 integers seperated by a colon (':'). The first integer defines the interval in
# seconds how often the task is run. The second specifies the inital timeout in seconds before the task is run for the first time after startup.
# Default: 86400:750 (24h and 15m)
ad_machine_account_password_renewal_opts = 5:5
2. Restart the service and monitor the use of descriptors:
root at sssd-xenial:/home/ubuntu# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
38
50
62
74
86
98
110
122
134
146
158
170
182
194
206
217
229
^C
[Regression potential]
* Small, the fix comes from upstream and it's been present for some time.
* A fd could still leak, or the AD machine password renewal could stop working.
[Other info]
The bug is reported and fixed upstream:
https://pagure.io/SSSD/sssd/issue/3017
Upstream fix commit:
https://pagure.io/SSSD/sssd/c/312d211e03b9f3769a0362f1767cc59792e32746
Trusty is not affected (feat not implemented) and A/B/C already
include the fix :
$ git describe 312d211e03b9f3769a0362f1767cc59792e32746
sssd-1_13_4-10-g312d211e0
$ rmadison sssd
==> sssd | 1.13.4-1ubuntu1.10 | xenial-updates
sssd | 1.15.3-2ubuntu1 | artful
sssd | 1.16.1-1ubuntu1 | bionic
sssd | 1.16.1-1ubuntu1 | cosmic
sssd | 1.16.1-1ubuntu3 | cosmic-proposed
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1771805/+subscriptions
More information about the Ubuntu-sponsors
mailing list