| 2018-05-17 11:48:47 |
Victor Tapia |
bug |
|
|
added bug |
| 2018-05-17 11:49:11 |
Victor Tapia |
nominated for series |
|
Ubuntu Xenial |
|
| 2018-05-17 11:49:18 |
Victor Tapia |
sssd (Ubuntu): assignee |
|
Victor Tapia (vtapia) |
|
| 2018-05-18 08:03:16 |
Victor Tapia |
attachment added |
|
Xenial debdiff https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1771805/+attachment/5141162/+files/lp1771805-xenial-sssd_1.13.4-1ubuntu1.11.debdiff |
|
| 2018-05-18 08:04:17 |
Victor Tapia |
tags |
sts |
sts sts-sru-needed |
|
| 2018-05-18 08:04:40 |
Victor Tapia |
bug |
|
|
added subscriber STS Sponsors |
| 2018-05-18 08:20:48 |
Ubuntu Foundations Team Bug Bot |
tags |
sts sts-sru-needed |
patch sts sts-sru-needed |
|
| 2018-05-18 08:20:57 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2018-05-18 12:49:24 |
Eric Desrochers |
bug task added |
|
sssd (Ubuntu Xenial) |
|
| 2018-05-18 12:52:24 |
Eric Desrochers |
sssd (Ubuntu Xenial): assignee |
|
Victor Tapia (vtapia) |
|
| 2018-05-18 12:52:28 |
Eric Desrochers |
sssd (Ubuntu Xenial): importance |
Undecided |
Medium |
|
| 2018-05-18 12:52:31 |
Eric Desrochers |
sssd (Ubuntu Xenial): status |
New |
In Progress |
|
| 2018-05-18 12:56:41 |
Eric Desrochers |
description |
[Impact]
When SSSD tries to renew the machine password, a write_to_child_fd is open but never closed, leaking a descriptor per request until it hits the limit and SSSD stops.
[Test Case]
1. With an AD deployed, and having the machine registered, include the following option in sssd.conf:
# This option should only be used to test the machine account renewal task. The option expect 2 integers seperated by a colon (':'). The first integer defines the interval in
# seconds how often the task is run. The second specifies the inital timeout in seconds before the task is run for the first time after startup.
# Default: 86400:750 (24h and 15m)
ad_machine_account_password_renewal_opts = 5:5
2. Restart the service and monitor the use of descriptors:
root@sssd-xenial:/home/ubuntu# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
38
50
62
74
86
98
110
122
134
146
158
170
182
194
206
217
229
^C
[Other info]
The bug is reported and fixed upstream: https://pagure.io/SSSD/sssd/issue/3017
Trusty is not affected (feat not implemented) and A/B/C already include the fix |
[Impact]
When SSSD tries to renew the machine password, a write_to_child_fd is open but never closed, leaking a descriptor per request until it hits the limit and SSSD stops.
[Test Case]
1. With an AD deployed, and having the machine registered, include the following option in sssd.conf:
# This option should only be used to test the machine account renewal task. The option expect 2 integers seperated by a colon (':'). The first integer defines the interval in
# seconds how often the task is run. The second specifies the inital timeout in seconds before the task is run for the first time after startup.
# Default: 86400:750 (24h and 15m)
ad_machine_account_password_renewal_opts = 5:5
2. Restart the service and monitor the use of descriptors:
root@sssd-xenial:/home/ubuntu# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
38
50
62
74
86
98
110
122
134
146
158
170
182
194
206
217
229
^C
[Other info]
The bug is reported and fixed upstream: https://pagure.io/SSSD/sssd/issue/3017
Upstream fix commit:
https://pagure.io/SSSD/sssd/c/312d211e03b9f3769a0362f1767cc59792e32746
Trusty is not affected (feat not implemented) and A/B/C already include the fix :
$ git describe 312d211e03b9f3769a0362f1767cc59792e32746
sssd-1_13_4-10-g312d211e0
$ rmadison sssd
==> sssd | 1.13.4-1ubuntu1.10 | xenial-updates
sssd | 1.15.3-2ubuntu1 | artful
sssd | 1.16.1-1ubuntu1 | bionic
sssd | 1.16.1-1ubuntu1 | cosmic
sssd | 1.16.1-1ubuntu3 | cosmic-proposed |
|
| 2018-05-18 12:56:46 |
Eric Desrochers |
sssd (Ubuntu): assignee |
Victor Tapia (vtapia) |
|
|
| 2018-05-18 12:56:55 |
Eric Desrochers |
sssd (Ubuntu): status |
New |
Fix Released |
|
| 2018-05-18 14:04:01 |
Eric Desrochers |
bug |
|
|
added subscriber Eric Desrochers |
| 2018-05-18 14:04:05 |
Eric Desrochers |
removed subscriber STS Sponsors |
|
|
|
| 2018-05-24 13:55:47 |
Victor Tapia |
description |
[Impact]
When SSSD tries to renew the machine password, a write_to_child_fd is open but never closed, leaking a descriptor per request until it hits the limit and SSSD stops.
[Test Case]
1. With an AD deployed, and having the machine registered, include the following option in sssd.conf:
# This option should only be used to test the machine account renewal task. The option expect 2 integers seperated by a colon (':'). The first integer defines the interval in
# seconds how often the task is run. The second specifies the inital timeout in seconds before the task is run for the first time after startup.
# Default: 86400:750 (24h and 15m)
ad_machine_account_password_renewal_opts = 5:5
2. Restart the service and monitor the use of descriptors:
root@sssd-xenial:/home/ubuntu# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
38
50
62
74
86
98
110
122
134
146
158
170
182
194
206
217
229
^C
[Other info]
The bug is reported and fixed upstream: https://pagure.io/SSSD/sssd/issue/3017
Upstream fix commit:
https://pagure.io/SSSD/sssd/c/312d211e03b9f3769a0362f1767cc59792e32746
Trusty is not affected (feat not implemented) and A/B/C already include the fix :
$ git describe 312d211e03b9f3769a0362f1767cc59792e32746
sssd-1_13_4-10-g312d211e0
$ rmadison sssd
==> sssd | 1.13.4-1ubuntu1.10 | xenial-updates
sssd | 1.15.3-2ubuntu1 | artful
sssd | 1.16.1-1ubuntu1 | bionic
sssd | 1.16.1-1ubuntu1 | cosmic
sssd | 1.16.1-1ubuntu3 | cosmic-proposed |
[Impact]
When SSSD tries to renew the machine password, a write_to_child_fd is open but never closed, leaking a descriptor per request until it hits the limit and SSSD stops.
[Test Case]
1. With an AD deployed, and having the machine registered, include the following option in sssd.conf:
# This option should only be used to test the machine account renewal task. The option expect 2 integers seperated by a colon (':'). The first integer defines the interval in
# seconds how often the task is run. The second specifies the inital timeout in seconds before the task is run for the first time after startup.
# Default: 86400:750 (24h and 15m)
ad_machine_account_password_renewal_opts = 5:5
2. Restart the service and monitor the use of descriptors:
root@sssd-xenial:/home/ubuntu# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
38
50
62
74
86
98
110
122
134
146
158
170
182
194
206
217
229
^C
[Regression potential]
* Small, the fix comes from upstream and it's been present for some time.
* A fd could still leak, or the AD machine password renewal could stop working.
[Other info]
The bug is reported and fixed upstream: https://pagure.io/SSSD/sssd/issue/3017
Upstream fix commit:
https://pagure.io/SSSD/sssd/c/312d211e03b9f3769a0362f1767cc59792e32746
Trusty is not affected (feat not implemented) and A/B/C already include the fix :
$ git describe 312d211e03b9f3769a0362f1767cc59792e32746
sssd-1_13_4-10-g312d211e0
$ rmadison sssd
==> sssd | 1.13.4-1ubuntu1.10 | xenial-updates
sssd | 1.15.3-2ubuntu1 | artful
sssd | 1.16.1-1ubuntu1 | bionic
sssd | 1.16.1-1ubuntu1 | cosmic
sssd | 1.16.1-1ubuntu3 | cosmic-proposed |
|
| 2018-05-24 14:14:26 |
Łukasz Zemczak |
sssd (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2018-05-24 14:14:28 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2018-05-24 14:14:29 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
| 2018-05-24 14:14:31 |
Łukasz Zemczak |
tags |
patch sts sts-sru-needed |
patch sts sts-sru-needed verification-needed verification-needed-xenial |
|
| 2018-06-06 14:45:10 |
Victor Tapia |
tags |
patch sts sts-sru-needed verification-needed verification-needed-xenial |
patch sts sts-sru-needed verification-done verification-done-xenial |
|
| 2018-06-07 15:24:38 |
Launchpad Janitor |
sssd (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2018-06-07 15:24:47 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
