Bug#1051349: closed by Ryan Tandy <ryan at nardis.ca> (Re: Bug#1051349: slapd: DoS after some 'Too many open files'?)

Patrice Duroux patrice.duroux at gmail.com
Thu Sep 7 18:55:45 BST 2023


Hi Ryan,

Sorry for my fuzzy report.
I have not yet applied your suggestion but will be back to it very soon.

Many thanks,
Patrice

On Thu, 7 Sep 2023 at 19:24, Debian Bug Tracking System
<owner at bugs.debian.org> wrote:
>
> This is an automatic notification regarding your Bug report
> which was filed against the slapd package:
>
> #1051349: slapd: DoS after some 'Too many open files'?
>
> It has been closed by Ryan Tandy <ryan at nardis.ca>.
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Ryan Tandy <ryan at nardis.ca> by
> replying to this email.
>
>
> --
> 1051349: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051349
> Debian Bug Tracking System
> Contact owner at bugs.debian.org with problems
>
>
>
> ---------- Forwarded message ----------
> From: Ryan Tandy <ryan at nardis.ca>
> To: Patrice Duroux <patrice.duroux at gmail.com>
> Cc: 1051349-done at bugs.debian.org
> Bcc:
> Date: Thu, 7 Sep 2023 10:17:59 -0700
> Subject: Re: Bug#1051349: slapd: DoS after some 'Too many open files'?
> Hello Patrice,
>
> On Wed, Sep 06, 2023 at 04:43:16PM +0200, Patrice Duroux wrote:
> >2023-09-06T14:57:22.996591+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
>
> As Quanah said, hitting the open files limit is a common issue on Debian
> because we link the tcp-wrappers library, which unfortunately consumes
> extra file descriptors for each open network connection.
>
> >ulimit is unlimited in the default env of any root/user.
> >What about the slapd service that is launched by systemd?
>
> See /proc/$(pidof slapd)/limits. In a systemd-nspawn container, I see a
> default limit of 1024 open files.
>
> >slapd does not have a .service file to change this, right?
>
> Not on disk, but a virtual slapd.service is generated from the init
> script, and can be modified using a drop-in:
>
> mkdir -p /etc/systemd/system/slapd.service.d
> cat > /etc/systemd/system/slapd.service.d/open-files-limit.conf << eof
> [Service]
> LimitNOFILE=524288
> eof
> systemctl daemon-reload
> systemctl restart slapd.service
>
> Now /proc/$(pidof slapd)/limits should reflect the increased limit.
>
> Hope this helps,
> Ryan
>
>
> ---------- Forwarded message ----------
> From: Patrice Duroux <patrice.duroux at gmail.com>
> To: Debian Bug Tracking System <submit at bugs.debian.org>
> Cc:
> Bcc:
> Date: Wed, 06 Sep 2023 16:43:16 +0200
> Subject: slapd: DoS after some 'Too many open files'?
> Package: slapd
> Version: 2.5.13+dfsg-5
> Severity: normal
>
> Dear Maintainer,
>
> This happens on one physical machine running Debian Bookworm and dedicated only to NFS/LDAP
> services.
> I never faced this for years with Bullseye before upgrading to Bookworm.
>
> Looking into log files there are the following messages:
>
> [...]
> 2023-09-06T14:57:22.996591+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
> 2023-09-06T14:57:22.996861+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
> 2023-09-06T14:57:53.823167+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
> 2023-09-06T14:57:53.823810+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
> 2023-09-06T14:59:56.993514+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
> 2023-09-06T14:59:56.994249+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
> 2023-09-06T15:00:15.129483+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
> 2023-09-06T15:00:15.129643+02:00 <HOSTNAME> slapd[2200]: warning: cannot open /etc/hosts.deny: Too many open files
> 2023-09-06T15:00:53.881436+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
> 2023-09-06T15:01:16.878910+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
> 2023-09-06T15:01:16.880305+02:00 <HOSTNAME> slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
> [...]
>
> During the DoS, 'systemctl status slapd' did not show me anything strange.
> Restarting the service solved the trouble.
>
> Are there some possible file-closing leaks in slapd itself?
>
> ulimit is unlimited in the default env of any root/user.
> What about the slapd service that is launched by systemd?
>
> # systemctl status slapd
> ● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
>      Loaded: loaded (/etc/init.d/slapd; generated)
>     Drop-In: /usr/lib/systemd/system/slapd.service.d
>              └─slapd-remain-after-exit.conf
>      Active: active (running) since Wed 2023-09-06 15:41:44 CEST; 51min ago
>        Docs: man:systemd-sysv-generator(8)
>     Process: 135002 ExecStart=/etc/init.d/slapd start (code=exited, status=0/SUCCESS)
>       Tasks: 9 (limit: 38189)
>      Memory: 73.9M
>         CPU: 3.444s
>      CGroup: /system.slice/slapd.service
>              └─135008 /usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
>
> Is the 'limit' value (38189) related to the ulimit of its process?
>
> slapd does not have a .service file to change this, right?
>
> Many thanks,
> Patrice
>
> # cat /etc/default/slapd
> # Default location of the slapd.conf file or slapd.d cn=config directory. If
> # empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
> # /etc/ldap/slapd.conf).
> SLAPD_CONF=
>
> # System account to run the slapd server under. If empty the server
> # will run as root.
> SLAPD_USER="openldap"
>
> # System group to run the slapd server under. If empty the server will
> # run in the primary group of its user.
> SLAPD_GROUP="openldap"
>
> # Path to the pid file of the slapd server. If not set the init.d script
> # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
> # default)
> SLAPD_PIDFILE=
>
> # slapd normally serves ldap only on all TCP-ports 389. slapd can also
> # service requests on TCP-port 636 (ldaps) and requests via unix
> # sockets.
> # Example usage:
> # SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
> SLAPD_SERVICES="ldap:/// ldapi:///"
>
> # If SLAPD_NO_START is set, the init script will not start or restart
> # slapd (but stop will still work).  Uncomment this if you are
> # starting slapd via some other means or if you don't want slapd normally
> # started at boot.
> #SLAPD_NO_START=1
>
> # If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
> # the init script will not start or restart slapd (but stop will still
> # work).  Use this for temporarily disabling startup of slapd (when doing
> # maintenance, for example, or through a configuration management system)
> # when you don't want to edit a configuration file.
> SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
>
> # For Kerberos authentication (via SASL), slapd by default uses the system
> # keytab file (/etc/krb5.keytab).  To use a different keytab file,
> # uncomment this line and change the path.
> #export KRB5_KTNAME=/etc/krb5.keytab
>
> # Additional options to pass to slapd
> SLAPD_OPTIONS=""
>
>
>
> -- System Information:
> Debian Release: trixie/sid
>   APT prefers unstable-debug
>   APT policy: (500, 'unstable-debug'), (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 6.4.0-2-amd64 (SMP w/24 CPU threads; PREEMPT)
> Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
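The checks Ryan's reply describes, as an added example that is not part of the thread or of the slapd package: read the soft "Max open files" value from /proc/<pid>/limits-style text, count the errno=24 accept failures from the log, and write the LimitNOFILE drop-in to a directory of your choosing. The limits text and log lines embedded below are constructed samples so it runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report. The limits text and log lines
# below are constructed samples shaped like the ones in the thread.

# Print the soft limit from /proc/<pid>/limits-style text read on stdin.
# The relevant line looks like: "Max open files   1024   524288   files"
soft_nofile_limit() {
    awk '/^Max open files/ { print $4 }'
}

# Count slapd "accept(N) failed errno=24" lines in log text read on stdin.
# grep -c exits 1 when the count is 0, so "|| true" keeps set -e happy.
count_accept_enfile() {
    grep -c 'accept([0-9]*) failed errno=24' || true
}

# Write the drop-in from Ryan's reply under $1 (use /etc/systemd/system for
# real); $2 is the LimitNOFILE value, defaulting to the 524288 he suggested.
write_nofile_dropin() {
    dir="$1/slapd.service.d"
    mkdir -p "$dir"
    printf '[Service]\nLimitNOFILE=%s\n' "${2:-524288}" > "$dir/open-files-limit.conf"
    cat "$dir/open-files-limit.conf"
}

# Constructed sample: the 1024 default Ryan saw in a systemd-nspawn container.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 524288               files
Max processes             38189                38189                processes'

# Constructed sample log lines in the shape of the report.
SAMPLE_LOG='2023-09-06T14:57:22.996591+02:00 host slapd[2200]: warning: cannot open /etc/hosts.allow: Too many open files
2023-09-06T15:00:53.881436+02:00 host slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)
2023-09-06T15:01:16.878910+02:00 host slapd[2200]: daemon: accept(8) failed errno=24 (Too many open files)'

limit=$(printf '%s\n' "$SAMPLE_LIMITS" | soft_nofile_limit)
errors=$(printf '%s\n' "$SAMPLE_LOG" | count_accept_enfile)
echo "soft open-files limit: $limit, accept failures: $errors"
if [ "$errors" -gt 0 ] && [ "$limit" -lt 4096 ]; then
    echo "descriptor exhaustion with a low limit: raise LimitNOFILE via a drop-in"
fi
# On a live host: soft_nofile_limit < /proc/$(pidof slapd)/limits
# Demonstration writes into a temporary directory, not /etc.
tmp=$(mktemp -d)
write_nofile_dropin "$tmp" 524288
```

After writing the real drop-in, `systemctl daemon-reload` and a restart are still needed, as in Ryan's reply.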
