autofs don't close sockets and stops working when max open files limit reached
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
sssd (Ubuntu) | Fix Released | Undecided | Lena Voytek | |
Jammy | Incomplete | Undecided | Lena Voytek | |
Kinetic | Fix Released | Undecided | Lena Voytek | |
Bug Description
[Impact]
Due to a regression in sssd in Kinetic, when using autofs, client sockets will not be closed properly on exit. This leads to a buildup of leaked sockets until the limit of 1024 is reached. Once this happens, autofs fails with the following errors:
lookup_nss_mount: can't to read name service switch config.
nsswitch_parse:172: couldn't open /etc/nsswitch.conf
This should be backported to Kinetic since the issue causes autofs to fail consistently.
This bug is fixed through a patch from upstream that closes sockets properly on exit in sssd. Locking and cleanup mechanisms are updated in the client library.
[Test Plan]
With an available nfs/openldap server, create a client with the following:
autofs client setup
# sudo apt update && sudo apt dist-upgrade -y
# sudo apt install autofs autofs-ldap sssd-ldap ldap-utils -y
# sudo mkdir -p /etc/sssd
Add sssd config with server domain - /etc/sssd/sssd.conf
[domain/default]
{snip}
ldap_autofs_
ldap_autofs_
ldap_autofs_
ldap_autofs_
ldap_autofs_
ldap_autofs_
[sssd]
services = autofs
Append to /etc/nsswitch.conf:
automount: files sss
Set contents of /etc/default/autofs with domain information:
MASTER_
TIMEOUT=300
BROWSE_MODE="no"
MOUNT_NFS_
LOGGING="none"
LDAP_URI=
SEARCH_
MAP_OBJECT_
ENTRY_OBJECT_
MAP_ATTRIBUTE=
ENTRY_ATTRIBUTE
VALUE_ATTRIBUTE
AUTH_CONF_
USE_MISC_
set usetls to "yes" in /etc/autofs_
# sudo systemctl restart sssd
# sudo systemctl restart autofs
Use automount to mount and unmount an NFS share a few times. Without the fix, multiple sockets will show up for automount when running:
# ls -l /proc/$(pidof automount)/fd/ | grep socket
After the fix, only one will show up while connected, and none afterward.
[Where problems could occur]
Regressions from this patch would most likely occur in the management of sssd client sockets. This could include prematurely closing a socket, or mishandling locks on a client process.
[Other Info]
This was fixed through upstream updates in Lunar and is not an issue in Jammy.
[Original Description]
autofs in u22.10:
autofs 5.1.8-1ubuntu3
seems to introduce a regression.
Doing
$ ls -l /proc/$
I see
lrwx------ 1 root root 64 Nov 17 09:45 0 -> /dev/null
lrwx------ 1 root root 64 Nov 17 09:45 1 -> /dev/null
lrwx------ 1 root root 64 Nov 17 09:45 10 -> /run/autofs.
lrwx------ 1 root root 64 Nov 17 09:45 100 -> socket:[4012989]
lrwx------ 1 root root 64 Nov 17 09:45 1000 -> socket:[4277146]
lrwx------ 1 root root 64 Nov 17 09:45 1001 -> socket:[4283734]
lrwx------ 1 root root 64 Nov 17 09:45 1002 -> socket:[4281542]
[snip]
lrwx------ 1 root root 64 Nov 17 09:45 102 -> socket:[4016178]
lrwx------ 1 root root 64 Nov 17 09:45 1020 -> socket:[4286945]
lrwx------ 1 root root 64 Nov 17 09:45 1021 -> socket:[4293742]
lrwx------ 1 root root 64 Nov 17 09:45 1022 -> socket:[4294783]
lrwx------ 1 root root 64 Nov 17 09:45 1023 -> socket:[4260750]
[snip]
and:
$ ls -l /proc/$
1025
so autofs keeps opening sockets until the limit of 1024 is reached.
I then get
automount[1640142]: lookup_nss_mount: can't to read name service switch config.
automount[1640142]: nsswitch_parse:172: couldn't open /etc/nsswitch.conf
so things break completely.
U22.04 with autofs 5.1.8-1ubuntu1.2 works fine in the same environment.
Maps are in LDAP, with /usr/libexec/
/etc/nsswitch.conf
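The check from the test plan (listing socket entries under `/proc/<pid>/fd`) can be scripted so that a leak is flagged before the descriptor limit is hit. The following is an added example, not part of the bug report or the sssd patch; the function names and the 80% warning threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: watch a process for descriptor exhaustion caused by leaked sockets.
# Function names and the default threshold are hypothetical.

# count_fds FD_DIR: total number of descriptor symlinks in FD_DIR.
count_fds() {
    n=0
    for fd in "$1"/*; do
        if [ -L "$fd" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# count_socket_fds FD_DIR: descriptors whose link target is socket:[inode].
count_socket_fds() {
    n=0
    for fd in "$1"/*; do
        [ -L "$fd" ] || continue
        case "$(readlink "$fd")" in
            socket:\[*\]) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# soft_nofile LIMITS_FILE: soft "Max open files" value from /proc/PID/limits.
soft_nofile() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# fd_leak_status FD_DIR LIMITS_FILE [PERCENT]
# Prints one status line; returns 1 when the descriptor count has reached
# PERCENT (default 80) of the soft limit, 2 when the limit cannot be read.
fd_leak_status() {
    total=$(count_fds "$1")
    socks=$(count_socket_fds "$1")
    limit=$(soft_nofile "$2")
    pct=${3:-80}
    if [ -z "$limit" ]; then echo "ERROR cannot read limit"; return 2; fi
    if [ $((total * 100)) -ge $((limit * pct)) ]; then
        echo "WARN sockets=$socks fds=$total limit=$limit"; return 1
    fi
    echo "OK sockets=$socks fds=$total limit=$limit"
}

# Live use (needs root for another user's process): sh script.sh "$(pidof automount)"
if [ "$#" -eq 1 ]; then
    fd_leak_status "/proc/$1/fd" "/proc/$1/limits"
fi
```

Run periodically against the automount PID, a steadily rising `sockets=` count across mount and unmount cycles indicates the leak described above.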
Related branches
- git-ubuntu bot: Approve
- Athos Ribeiro (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 301 lines (+279/-0), 3 files modified:
- debian/changelog (+10/-0)
- debian/patches/fix-client-fd-leak.patch (+268/-0)
- debian/patches/series (+1/-0)
tags: added: server-todo
Changed in sssd (Ubuntu Kinetic):
assignee: nobody → Lena Voytek (lvoytek)
Changed in sssd (Ubuntu):
status: New → Fix Released
Changed in sssd (Ubuntu Kinetic):
status: New → In Progress
description: updated
description: updated
Changed in sssd (Ubuntu Jammy):
assignee: nobody → Lena Voytek (lvoytek)
Changed in sssd (Ubuntu):
assignee: nobody → Lena Voytek (lvoytek)
Changed in sssd (Ubuntu Jammy):
status: New → Incomplete
tags: removed: server-todo
Root cause seems to be in sssd, most likely the problem is this:
https://github.com/SSSD/sssd/commit/1b2e4760c52b9abd0d9b9f35b47ed72e79922ccc
CLIENT: fix client fd leak
Can sshd please be updated to 2.7.4 to have this fixed?
Thanks in advance.