This behaviour has been observed with package versions xrootd.x86_64 1:3.3.6-5.CERN.el7.cern and xrootd.x86_64 1:3.3.6-4.CERN.slc6.
Using EOS with Kerberos authentication, for which we activated ticket exportation (-exptkn option), we have experienced a file descriptor leak (files remain opened by the process) server-side (MGM), up to reaching the OS maximum limit of 65K fds per process after several days, causing service unavailability.
The file descriptors were pointing to files located in the /var/tmp directory; most of them were deleted and had a name with the pattern krb5_RCxxxxx. The process also keeps several file descriptors to the same existing file, named after the principal used for the authentication.
It appeared that these files are replay caches. If we set KRB5RCACHEDIR, then the files are found in this new location. And if we set KRB5RCACHETYPE=none, no files are created and no leak occurs.
We then realized that when deactivating ticket exportation, the issue also doesn't occur. Since we in fact don't need it (we're not sure what its role is), this is what we did as a long-term solution. But we still wanted to report the issue in case it makes sense.
Without having any knowledge of the Kerberos library, we noted that the function krb5_get_server_rcache is used to generate the replay cache, but krb5_rc_close is never mentioned in the code; however, it is said to be necessary to clean up the resources.
Actually, this is a bug in the Kerberos library, as we really do close the cache but the descriptor may still leak. This is a known issue and has been fixed in various versions of Kerberos, but apparently not in the version being used here. The only mitigation is to not export tickets (which is not necessary).
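A monitoring check for the symptom reported in this thread, added here as an example and not taken from xrootd, EOS or the posts above: it reads a Linux `/proc/<pid>/fd`-style directory and counts descriptors that still point at unlinked `krb5_RC*` files, plus live files in the cache directory that are open more than once. The function names, the sample file name `host_sample_0` and the sample descriptor table are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

DELETED = " (deleted)"  # suffix Linux appends to the fd link target of an unlinked file


def scan_fd_dir(fd_dir, rcache_dir="/var/tmp"):
    """Summarise replay-cache descriptors in a /proc/<pid>/fd-style directory."""
    rcache_dir = os.path.normpath(rcache_dir)  # pass the KRB5RCACHEDIR value if it is set
    total, seen = 0, Counter()
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed between listdir() and readlink()
        total += 1
        deleted = target.endswith(DELETED)
        path = target[:-len(DELETED)] if deleted else target
        if os.path.dirname(path) == rcache_dir:
            seen[(os.path.basename(path), deleted)] += 1
    return {
        "total": total,
        # unlinked krb5_RCxxxxx files that the process still holds open
        "deleted_rcache": sum(n for (base, gone), n in seen.items()
                              if gone and base.startswith("krb5_RC")),
        # live files in the cache directory opened more than once
        "repeated_live": {base: n for (base, gone), n in seen.items()
                          if not gone and n > 1},
    }


def rcache_fd_share(stats, fd_limit):
    """Fraction of the per-process fd limit held by replay-cache descriptors."""
    held = stats["deleted_rcache"] + sum(stats["repeated_live"].values())
    return held / fd_limit


def build_sample_fd_dir():
    """Constructed sample: dangling symlinks shaped like /proc/<pid>/fd entries."""
    d = tempfile.mkdtemp()
    targets = ["/dev/null", "socket:[48211]", "/var/log/sample.log",
               "/var/tmp/krb5_RCa1b2c3 (deleted)", "/var/tmp/krb5_RCd4e5f6 (deleted)",
               "/var/tmp/krb5_RCg7h8i9 (deleted)",
               "/var/tmp/host_sample_0", "/var/tmp/host_sample_0"]
    for fd, target in enumerate(targets):
        os.symlink(target, os.path.join(d, str(fd)))
    return d


if __name__ == "__main__":
    stats = scan_fd_dir(build_sample_fd_dir())
    print(stats, rcache_fd_share(stats, fd_limit=16))
```

Pointed at the real `/proc/<pid>/fd` of the server process (with sufficient privileges) and sampled periodically, a steadily rising `deleted_rcache` count gives warning well before the per-process limit is reached.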